From 6203c0937afbbed1eee469b9b065c70e4c089747 Mon Sep 17 00:00:00 2001 From: Adam0Brien Date: Wed, 13 Nov 2024 09:20:41 +0000 Subject: [PATCH 1/8] RHCLOUD-35836 - Add Update checks for e2e tests --- .github/workflows/e2e-test.yml | 7 +- test/e2e/inventory_http_test.go | 185 +++++++++++++++++++++++++++++--- 2 files changed, 178 insertions(+), 14 deletions(-) diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index a740fe4c..9a3f0cc1 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -22,7 +22,12 @@ jobs: - name: View Test Pod Logs run: | TEST_POD=$(kubectl get pods --selector=job-name=e2e-inventory-http-tests -o jsonpath='{.items[0].metadata.name}') - kubectl logs $TEST_POD + kubectl logs $TEST_POD | tee test_logs.txt + + if grep -q -E "FAIL" test_logs.txt; then + echo "Test failed. Errors found in logs." + exit 1 + fi - name: Inventory Down - Kind Cluster run: make inventory-down-kind diff --git a/test/e2e/inventory_http_test.go b/test/e2e/inventory_http_test.go index 8fa6c95e..158e4fe2 100644 --- a/test/e2e/inventory_http_test.go +++ b/test/e2e/inventory_http_test.go @@ -156,12 +156,12 @@ func TestInventoryAPIHTTP_CreateRHELHost(t *testing.T) { OrgId: "", }, ReporterData: &resources.ReporterData{ - ReporterInstanceId: "user@example.com", + ReporterInstanceId: "user@email.com", ReporterType: resources.ReporterData_OCM, - ConsoleHref: "www.example.com", - ApiHref: "www.example.com", - LocalResourceId: "1", - ReporterVersion: "0.1", + ConsoleHref: "www.web.com", + ApiHref: "www.wb.com", + LocalResourceId: "0123", + ReporterVersion: "0.2", }, }} opts := getCallOptions() 
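Review bot: The added `grep -q -E "FAIL" test_logs.txt` ties the step's verdict to free-text log content rather than to the job's outcome: a pod that is still running, or was killed before it printed anything, passes, while any log line that merely contains the string FAIL (an expected-error message, for instance) fails the run. Without `set -o pipefail` a failing `kubectl logs $TEST_POD | tee test_logs.txt` is also masked by tee's exit status, and `$TEST_POD` should be quoted. PATCH 3/8 replaces this with pod-phase polling, which is the better direction; if the grep stays in the interim, anchor it to Go's test output, `grep -q -E '^(--- )?FAIL' test_logs.txt`, and put `set -o pipefail` at the top of the script.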
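Review bot: The replacement fixture values `ReporterInstanceId: "user@email.com"`, `ConsoleHref: "www.web.com"` and `ApiHref: "www.wb.com"` move the test data off the reserved documentation namespace onto real, registrable domains; the previous `example.com` values are exactly what RFC 2606 reserves for this purpose and cost nothing to keep. Fixtures that name real domains end up in logs and bug reports and, should any code path ever resolve or fetch an href, would contact an unrelated party. The same values appear in the hunks at L2, L3 and L4; PATCH 3/8 restores `example.com` for the ReporterData fields, but the node `Name: "www.web.com"` introduced at L3 (repeated at L4 and L22) is never restored.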
@@ -170,6 +170,71 @@ func TestInventoryAPIHTTP_CreateRHELHost(t *testing.T) { } +func TestInventoryAPIHTTP_UpdateRHELHost(t *testing.T) { + t.Parallel() + c := v1beta1.NewConfig( + v1beta1.WithHTTPUrl(inventoryapi_http_url), + v1beta1.WithTLSInsecure(insecure), + v1beta1.WithHTTPTLSConfig(tlsConfig), + ) + client, err := v1beta1.NewHttpClient(context.Background(), c) + if err != nil { + t.Error(err) + } + + reporterData := &resources.ReporterData{ + ReporterInstanceId: "user@email.com", + ReporterType: resources.ReporterData_OCM, + ConsoleHref: "www.web.com", + ApiHref: "www.wb.com", + LocalResourceId: "0123", + ReporterVersion: "0.2", + } + + request := resources.UpdateRhelHostRequest{RhelHost: &resources.RhelHost{ + Metadata: &resources.Metadata{ + ResourceType: "rhel-host", + WorkspaceId: "workspace0", + OrgId: "", + }, + ReporterData: reporterData, + }} + opts := getCallOptions() + _, err = client.RhelHostServiceClient.UpdateRhelHost(context.Background(), &request, opts...) + assert.NoError(t, err) + +} + +func TestInventoryAPIHTTP_DeleteRHELHost(t *testing.T) { + t.Parallel() + c := v1beta1.NewConfig( + v1beta1.WithHTTPUrl(inventoryapi_http_url), + v1beta1.WithTLSInsecure(insecure), + v1beta1.WithHTTPTLSConfig(tlsConfig), + ) + client, err := v1beta1.NewHttpClient(context.Background(), c) + if err != nil { + t.Error(err) + } + + reporter := &resources.ReporterData{ + ReporterInstanceId: "user@email.com", + ReporterType: resources.ReporterData_OCM, + ConsoleHref: "www.web.com", + ApiHref: "www.wb.com", + LocalResourceId: "0123", + ReporterVersion: "0.2", + } + + request1 := resources.DeleteRhelHostRequest{ + ReporterData: reporter, + } + + opts := getCallOptions() + _, err = client.RhelHostServiceClient.DeleteRhelHost(context.Background(), &request1, opts...) + assert.NoError(t, err) +} + func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { t.Parallel() c := v1beta1.NewConfig( 
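Review bot: In both new tests the `if err != nil { t.Error(err) }` after `v1beta1.NewHttpClient` does not stop the test, so a client-construction failure is followed by a nil dereference of `client` on the `UpdateRhelHost`/`DeleteRhelHost` call, and the panic hides the real error; use `t.Fatal(err)` there, matching `TestInventoryAPIHTTP_Livez`, which already uses `t.Fatal` for the same situation. The same `t.Error` pattern is repeated in the new functions at L4 and L5 and survives into the merged lifecycle tests of later patches (L7, L15, L21). Separately, `ResourceType: "rhel-host"` in the update request differs from the `"rhel_host"` the create request uses, so the update may address a different resource type than the one created; PATCH 2/8 already settles on `"rhel_host"`.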
@@ -189,7 +254,7 @@ func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { OrgId: "", }, ResourceData: &resources.K8SClusterDetail{ - ExternalClusterId: "1234", + ExternalClusterId: "01234", ClusterStatus: resources.K8SClusterDetail_READY, KubeVersion: "1.31", KubeVendor: resources.K8SClusterDetail_OPENSHIFT, @@ -197,13 +262,13 @@ func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { CloudPlatform: resources.K8SClusterDetail_AWS_UPI, Nodes: []*resources.K8SClusterDetailNodesInner{ { - Name: "www.example.com", + Name: "www.web.com", Cpu: "7500m", Memory: "30973224Ki", Labels: []*resources.ResourceLabel{ { Key: "has_monster_gpu", - Value: "yes", + Value: "no", }, }, }, @@ -214,7 +279,7 @@ func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { ReporterType: resources.ReporterData_ACM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", - LocalResourceId: "1", + LocalResourceId: "01234", ReporterVersion: "0.1", }, }, 
@@ -224,6 +289,61 @@ func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { assert.NoError(t, err) } +func TestInventoryAPIHTTP_K8SCluster_UpdateK8SCluster(t *testing.T) { + t.Parallel() + c := v1beta1.NewConfig( + v1beta1.WithHTTPUrl(inventoryapi_http_url), + v1beta1.WithTLSInsecure(insecure), + v1beta1.WithHTTPTLSConfig(tlsConfig), + ) + client, err := v1beta1.NewHttpClient(context.Background(), c) + if err != nil { + t.Error(err) + } + request := resources.UpdateK8SClusterRequest{ + K8SCluster: &resources.K8SCluster{ + Metadata: &resources.Metadata{ + ResourceType: "k8s-cluster", + WorkspaceId: "workspace1", + OrgId: "", + }, + ResourceData: &resources.K8SClusterDetail{ + ExternalClusterId: "01234", + ClusterStatus: resources.K8SClusterDetail_READY, + KubeVersion: "1.31", + KubeVendor: resources.K8SClusterDetail_OPENSHIFT, + VendorVersion: "4.16", + CloudPlatform: resources.K8SClusterDetail_AWS_UPI, + Nodes: []*resources.K8SClusterDetailNodesInner{ + { + Name: "www.web.com", + Cpu: "7500m", + Memory: "30973224Ki", + Labels: []*resources.ResourceLabel{ + { + Key: "has_monster_gpu", + Value: "no", + }, + }, + }, + }, + }, + ReporterData: &resources.ReporterData{ + ReporterInstanceId: "user@example.com", + ReporterType: resources.ReporterData_ACM, + ConsoleHref: "www.example.com", + ApiHref: "www.example.com", + LocalResourceId: "01234", + ReporterVersion: "0.1", + }, + }, + } + opts := getCallOptions() + _, err = client.K8sClusterService.UpdateK8SCluster(context.Background(), &request, opts...) + assert.NoError(t, err) + +} + func TestInventoryAPIHTTP_K8SPolicy_CreateK8SPolicy(t *testing.T) { t.Parallel() c := v1beta1.NewConfig( 
@@ -244,15 +364,15 @@ func TestInventoryAPIHTTP_K8SPolicy_CreateK8SPolicy(t *testing.T) { OrgId: "", }, ResourceData: &resources.K8SPolicyDetail{ - Disabled: true, - Severity: resources.K8SPolicyDetail_MEDIUM, + Disabled: false, + Severity: resources.K8SPolicyDetail_HIGH, }, ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", - ReporterType: resources.ReporterData_ACM, + ReporterType: resources.ReporterData_OCM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", - LocalResourceId: "1", + LocalResourceId: "012345", ReporterVersion: "0.1", }, }, @@ -263,6 +383,45 @@ func TestInventoryAPIHTTP_K8SPolicy_CreateK8SPolicy(t *testing.T) { } +func TestInventoryAPIHTTP_K8SPolicy_UpdateK8SPolicy(t *testing.T) { + t.Parallel() + c := v1beta1.NewConfig( + v1beta1.WithHTTPUrl(inventoryapi_http_url), + v1beta1.WithTLSInsecure(insecure), + v1beta1.WithHTTPTLSConfig(tlsConfig), + ) + client, err := v1beta1.NewHttpClient(context.Background(), c) + if err != nil { + t.Error(err) + } + + request := resources.UpdateK8SPolicyRequest{ + K8SPolicy: &resources.K8SPolicy{ + Metadata: &resources.Metadata{ + ResourceType: "k8s-policy", + WorkspaceId: "workspace2", + OrgId: "", + }, + ResourceData: &resources.K8SPolicyDetail{ + Disabled: false, + Severity: resources.K8SPolicyDetail_HIGH, + }, + ReporterData: &resources.ReporterData{ + ReporterInstanceId: "user@example.com", + ReporterType: resources.ReporterData_OCM, + ConsoleHref: "www.example.com", + ApiHref: "www.example.com", + LocalResourceId: "012345", + ReporterVersion: "0.1", + }, + }, + } + opts := getCallOptions() + _, err = client.PolicyServiceClient.UpdateK8SPolicy(context.Background(), &request, opts...) + assert.NoError(t, err) + +} + func getCallOptions() []http.CallOption { var opts []http.CallOption header := nethttp.Header{} From 0c3cf044ad6f32dd7d33a4b2c77b2817ed4ce089 Mon Sep 17 00:00:00 2001 
From: Adam0Brien Date: Fri, 15 Nov 2024 10:40:43 +0000 Subject: [PATCH 2/8] combine rhelhost endpoints --- test/e2e/inventory_http_test.go | 118 ++++++++++++-------------------- 1 file changed, 44 insertions(+), 74 deletions(-) diff --git a/test/e2e/inventory_http_test.go b/test/e2e/inventory_http_test.go index 158e4fe2..ce66aca1 100644 --- a/test/e2e/inventory_http_test.go +++ b/test/e2e/inventory_http_test.go @@ -138,7 +138,7 @@ func TestInventoryAPIHTTP_Metrics(t *testing.T) { assert.Equal(t, expectedStatusString, resp.Status) } -func TestInventoryAPIHTTP_CreateRHELHost(t *testing.T) { +func TestInventoryAPIHTTP_RHELHostLifecycle(t *testing.T) { t.Parallel() c := v1beta1.NewConfig( v1beta1.WithHTTPUrl(inventoryapi_http_url), 
@@ -149,12 +149,49 @@ func TestInventoryAPIHTTP_CreateRHELHost(t *testing.T) { if err != nil { t.Error(err) } - request := resources.CreateRhelHostRequest{RhelHost: &resources.RhelHost{ - Metadata: &resources.Metadata{ - ResourceType: "rhel_host", - WorkspaceId: "workspace1", - OrgId: "", + + createRequest := resources.CreateRhelHostRequest{ + RhelHost: &resources.RhelHost{ + Metadata: &resources.Metadata{ + ResourceType: "rhel_host", + WorkspaceId: "workspace0", + OrgId: "", + }, + ReporterData: &resources.ReporterData{ + ReporterInstanceId: "user@email.com", + ReporterType: resources.ReporterData_OCM, + ConsoleHref: "www.web.com", + ApiHref: "www.wb.com", + LocalResourceId: "0123", + ReporterVersion: "0.2", + }, + }, + } + opts := getCallOptions() + _, err = client.RhelHostServiceClient.CreateRhelHost(context.Background(), &createRequest, opts...) + assert.NoError(t, err) + + updateRequest := resources.UpdateRhelHostRequest{ + RhelHost: &resources.RhelHost{ + Metadata: &resources.Metadata{ + ResourceType: "rhel_host", + WorkspaceId: "workspace0", + OrgId: "", + }, + ReporterData: &resources.ReporterData{ + ReporterInstanceId: "user@email.com", + ReporterType: resources.ReporterData_OCM, + ConsoleHref: "www.web.com", + ApiHref: "www.wb.com", + LocalResourceId: "0123", + ReporterVersion: "0.2", + }, }, + } + _, err = client.RhelHostServiceClient.UpdateRhelHost(context.Background(), &updateRequest, opts...) + assert.NoError(t, err) + + deleteRequest := resources.DeleteRhelHostRequest{ ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@email.com", ReporterType: resources.ReporterData_OCM, 
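Review bot: `assert.NoError(t, err)` after `CreateRhelHost` lets the test continue when creation fails, so the following `UpdateRhelHost` and `DeleteRhelHost` calls run against a host that was never created and report two further, misleading failures; the first step of a lifecycle should use `require.NoError` (testify's `require` package, which would need adding to the import block) or `t.Fatal`. Because the delete is the last statement, any fatal stop or panic before it leaves the `rhel_host` with `LocalResourceId: "0123"` behind in the shared inventory, where it collides with the next run; registering the delete with `t.Cleanup` right after a successful create keeps the teardown on every path. The `ReporterData` literal is also written out three times with identical values, and factoring it into one local removes the chance of the copies drifting apart. The same shape recurs in the K8SCluster and K8SPolicy lifecycle hunks at L15 and L17.
```go
// … unchanged: config and client construction …
reporter := &resources.ReporterData{
	ReporterInstanceId: "user@email.com",
	ReporterType:       resources.ReporterData_OCM,
	ConsoleHref:        "www.web.com",
	ApiHref:            "www.wb.com",
	LocalResourceId:    "0123",
	ReporterVersion:    "0.2",
}
createRequest := resources.CreateRhelHostRequest{
	RhelHost: &resources.RhelHost{
		Metadata: &resources.Metadata{
			ResourceType: "rhel_host",
			WorkspaceId:  "workspace0",
			OrgId:        "",
		},
		ReporterData: reporter,
	},
}
opts := getCallOptions()
_, err = client.RhelHostServiceClient.CreateRhelHost(context.Background(), &createRequest, opts...)
require.NoError(t, err)
// Tear down on every exit path so a failed update does not leak the host into the next run.
t.Cleanup(func() {
	deleteRequest := resources.DeleteRhelHostRequest{ReporterData: reporter}
	_, err := client.RhelHostServiceClient.DeleteRhelHost(context.Background(), &deleteRequest, opts...)
	assert.NoError(t, err)
})
// … unchanged: updateRequest built with ReporterData: reporter, then UpdateRhelHost and its assert …
```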
@@ -163,75 +200,8 @@ func TestInventoryAPIHTTP_CreateRHELHost(t *testing.T) { LocalResourceId: "0123", ReporterVersion: "0.2", }, - }} - opts := getCallOptions() - _, err = client.RhelHostServiceClient.CreateRhelHost(context.Background(), &request, opts...) - assert.NoError(t, err) - -} - -func TestInventoryAPIHTTP_UpdateRHELHost(t *testing.T) { - t.Parallel() - c := v1beta1.NewConfig( - v1beta1.WithHTTPUrl(inventoryapi_http_url), - v1beta1.WithTLSInsecure(insecure), - v1beta1.WithHTTPTLSConfig(tlsConfig), - ) - client, err := v1beta1.NewHttpClient(context.Background(), c) - if err != nil { - t.Error(err) - } - - reporterData := &resources.ReporterData{ - ReporterInstanceId: "user@email.com", - ReporterType: resources.ReporterData_OCM, - ConsoleHref: "www.web.com", - ApiHref: "www.wb.com", - LocalResourceId: "0123", - ReporterVersion: "0.2", - } - - request := resources.UpdateRhelHostRequest{RhelHost: &resources.RhelHost{ - Metadata: &resources.Metadata{ - ResourceType: "rhel-host", - WorkspaceId: "workspace0", - OrgId: "", - }, - ReporterData: reporterData, - }} - opts := getCallOptions() - _, err = client.RhelHostServiceClient.UpdateRhelHost(context.Background(), &request, opts...) 
- assert.NoError(t, err) - -} - -func TestInventoryAPIHTTP_DeleteRHELHost(t *testing.T) { - t.Parallel() - c := v1beta1.NewConfig( - v1beta1.WithHTTPUrl(inventoryapi_http_url), - v1beta1.WithTLSInsecure(insecure), - v1beta1.WithHTTPTLSConfig(tlsConfig), - ) - client, err := v1beta1.NewHttpClient(context.Background(), c) - if err != nil { - t.Error(err) - } - - reporter := &resources.ReporterData{ - ReporterInstanceId: "user@email.com", - ReporterType: resources.ReporterData_OCM, - ConsoleHref: "www.web.com", - ApiHref: "www.wb.com", - LocalResourceId: "0123", - ReporterVersion: "0.2", } - - request1 := resources.DeleteRhelHostRequest{ - ReporterData: reporter, - } - - opts := getCallOptions() - _, err = client.RhelHostServiceClient.DeleteRhelHost(context.Background(), &request1, opts...) + _, err = client.RhelHostServiceClient.DeleteRhelHost(context.Background(), &deleteRequest, opts...) assert.NoError(t, err) } From fc17933d1854ae39675cb9bec5082445f9f6617c Mon Sep 17 00:00:00 2001 From: Adam0Brien Date: Fri, 15 Nov 2024 10:48:07 +0000 Subject: [PATCH 3/8] combine k8clster endpoints --- .github/workflows/e2e-test.yml | 22 ++- deploy/kind/inventory/kessel-inventory.yaml | 3 +- test/e2e/inventory_http_test.go | 151 ++++++++------------ 3 files changed, 79 insertions(+), 97 deletions(-) diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 9a3f0cc1..9e0b726a 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml 
@@ -17,17 +17,25 @@ jobs: - name: Monitor Pods in Kind run: | - timeout 90s kubectl get pods -w || exit 0 + for i in {1..50}; do + STATUS=$(kubectl get pods --selector=job-name=e2e-inventory-http-tests -o jsonpath='{.items[0].status.phase}') + if [ "$STATUS" = "Succeeded" ]; then + echo "Test pod completed successfully." + exit 0 + elif [ "$STATUS" = "Failed" ]; then + echo "Test pod failed." + exit 1 + fi + sleep 1 + done + + echo "Timeout reached while waiting for the test pod to complete." + exit 1 - name: View Test Pod Logs run: | TEST_POD=$(kubectl get pods --selector=job-name=e2e-inventory-http-tests -o jsonpath='{.items[0].metadata.name}') - kubectl logs $TEST_POD | tee test_logs.txt - - if grep -q -E "FAIL" test_logs.txt; then - echo "Test failed. Errors found in logs." - exit 1 - fi + kubectl logs $TEST_POD - name: Inventory Down - Kind Cluster run: make inventory-down-kind diff --git a/deploy/kind/inventory/kessel-inventory.yaml b/deploy/kind/inventory/kessel-inventory.yaml index d9fde05f..0c8d34d6 100644 --- a/deploy/kind/inventory/kessel-inventory.yaml +++ b/deploy/kind/inventory/kessel-inventory.yaml @@ -138,8 +138,7 @@ stringData: grpc: address: 0.0.0.0:9081 authn: - psk: - pre-shared-key-file: /psks.yaml + allow-unauthenticated: true authz: impl: allow-all eventing: diff --git a/test/e2e/inventory_http_test.go b/test/e2e/inventory_http_test.go index ce66aca1..3f36e8e5 100644 --- a/test/e2e/inventory_http_test.go +++ b/test/e2e/inventory_http_test.go 
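Review bot: The new polling loop reads `{.items[0].status.phase}` of whichever pod currently matches the job selector, which only reflects the test's outcome if the Job never creates more than one pod; if the Job's backoff policy restarts a failed pod, the first `Failed` phase exits the step while a retry may still succeed, and `items[0]` is not guaranteed to be the newest pod. Kubernetes tracks completion at the Job level, so `kubectl wait --for=condition=complete job/e2e-inventory-http-tests --timeout=300s` (paired with a second wait on the Job's `Failed` condition) expresses the intent without the hand-written loop and its fixed 50-second budget. The unquoted `$TEST_POD` in the logs step below should also be `"$TEST_POD"`. PATCH 4/8 extends the same loop at L17 to 300 iterations and prints logs on failure, but inherits the same pod-selection assumption.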
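Review bot: Replacing `psk: pre-shared-key-file: /psks.yaml` with `allow-unauthenticated: true` under what appears to be `grpc: authn:` turns off authentication on the gRPC listener of the kind deployment, and nothing in the commit (subject "combine k8clster endpoints") or in the manifest says why. The practical effect is that the e2e suite no longer exercises the PSK authentication path, so a regression in PSK handling or in whatever headers `getCallOptions()` sends would pass CI unnoticed, and a manifest that looks like a working inventory deployment now ships with authn disabled. If that trade-off is intended, record it in the manifest, e.g. `authn:` / `  # kind e2e only: PSK disabled so the test job needs no key material; not for any shared environment` / `  allow-unauthenticated: true`, and mention it in the commit message; otherwise keep PSK and mount the key file into the test job. PATCH 5/8 adds the old keys back as commented-out lines at L18, which documents the history but not the reason.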
@@ -5,17 +5,16 @@ import ( "crypto/tls" "crypto/x509" "fmt" - nethttp "net/http" - "os" - "strconv" - "testing" - "github.com/go-kratos/kratos/v2/log" "github.com/go-kratos/kratos/v2/transport/http" v1 "github.com/project-kessel/inventory-api/api/kessel/inventory/v1" "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta1/resources" "github.com/project-kessel/inventory-client-go/v1beta1" "github.com/stretchr/testify/assert" + nethttp "net/http" + "os" + "strconv" + "testing" ) var inventoryapi_http_url string @@ -29,9 +28,7 @@ func TestMain(m *testing.M) { log.Error(err) inventoryapi_http_url = "localhost:8081" } - insecure = true - insecureTLSstr := os.Getenv("INV_TLS_INSECURE") if insecureTLSstr != "" { var err error @@ -40,7 +37,6 @@ func TestMain(m *testing.M) { log.Errorf("faild to parse bool INV_TLS_INSECURE %s", err) } } - certFile := os.Getenv("INV_TLS_CERT_FILE") keyFile := os.Getenv("INV_TLS_KEY_FILE") caFile := os.Getenv("INV_TLS_CA_FILE") @@ -50,18 +46,15 @@ func TestMain(m *testing.M) { if err != nil { log.Errorf("failed to load client certificate: %v", err) } - // Load CA cert caCert, err := os.ReadFile(caFile) if err != nil { log.Errorf("failed to read CA certificate: %v", err) } - caCertPool := x509.NewCertPool() if !caCertPool.AppendCertsFromPEM(caCert) { log.Errorf("failed to append CA certificate") } - tlsConfig = &tls.Config{ Certificates: []tls.Certificate{cert}, RootCAs: caCertPool, @@ -70,11 +63,9 @@ func TestMain(m *testing.M) { insecure = true log.Info("TLS environment variables not set") } - result := m.Run() os.Exit(result) } - func TestInventoryAPIHTTP_Livez(t *testing.T) { t.Parallel() httpClient, err := http.NewClient( 
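Review bot: The import hunk moves `nethttp "net/http"`, `"os"`, `"strconv"` and `"testing"` out of their own leading group and appends them to the third-party group, the reverse of the `goimports` convention (standard library first, a blank line, then everything else); the next `goimports` run on this file will undo it and produce churn. The same ordering is kept when `"time"` and `timestamppb` are added at L20. Restoring the original two groups is a one-line-per-import move with no other effect.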
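Review bot: If I read the collapsed hunk correctly, `@@ -29,9 +28,7 @@` removes the unconditional `insecure = true` that preceded the `INV_TLS_INSECURE` parse, so when the `INV_TLS_*` files are configured and `INV_TLS_INSECURE` is unset, `insecure` now keeps its zero value and the client verifies the server certificate instead of skipping verification. That is the safer default and worth keeping, but it is a behaviour change buried among blank-line deletions in a commit titled "combine k8clster endpoints", and it should be called out in the commit message. A comment at the parse site, `// insecure stays false unless INV_TLS_INSECURE asks for it or no TLS files are configured`, would make the intent explicit; the `else` branch that still sets `insecure = true` when the TLS variables are absent is only partly visible in `@@ -70,11 +63,9 @@`.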
@@ -84,20 +75,15 @@ func TestInventoryAPIHTTP_Livez(t *testing.T) { if err != nil { t.Fatal("Failed to create HTTP client: ", err) } - healthClient := v1.NewKesselInventoryHealthServiceHTTPClient(httpClient) resp, err := healthClient.GetLivez(context.Background(), &v1.GetLivezRequest{}) - assert.NoError(t, err) assert.NotNil(t, resp) - expectedStatus := "OK" expectedCode := uint32(200) - assert.Equal(t, expectedStatus, resp.Status) assert.Equal(t, expectedCode, resp.Code) } - func TestInventoryAPIHTTP_Readyz(t *testing.T) { t.Parallel() httpClient, err := http.NewClient( @@ -107,33 +93,25 @@ func TestInventoryAPIHTTP_Readyz(t *testing.T) { if err != nil { t.Fatal("Failed to create HTTP client: ", err) } - healthClient := v1.NewKesselInventoryHealthServiceHTTPClient(httpClient) resp, err := healthClient.GetReadyz(context.Background(), &v1.GetReadyzRequest{}) - assert.NoError(t, err) assert.NotNil(t, resp) - expectedStatus := "Storage type postgres" expectedCode := uint32(200) - assert.Equal(t, expectedStatus, resp.Status) assert.Equal(t, expectedCode, resp.Code) } - func TestInventoryAPIHTTP_Metrics(t *testing.T) { resp, err := nethttp.Get("http://" + inventoryapi_http_url + "/metrics") if err != nil { t.Fatal("Failed to send request: ", err) } defer resp.Body.Close() - assert.NoError(t, err) assert.NotNil(t, resp) - expectedStatusCode := 200 expectedStatusString := "200 OK" - assert.Equal(t, expectedStatusCode, resp.StatusCode) assert.Equal(t, expectedStatusString, resp.Status) } 
@@ -154,58 +132,58 @@ func TestInventoryAPIHTTP_RHELHostLifecycle(t *testing.T) { RhelHost: &resources.RhelHost{ Metadata: &resources.Metadata{ ResourceType: "rhel_host", - WorkspaceId: "workspace0", + WorkspaceId: "workspace", OrgId: "", }, ReporterData: &resources.ReporterData{ - ReporterInstanceId: "user@email.com", + ReporterInstanceId: "user@example.com", ReporterType: resources.ReporterData_OCM, - ConsoleHref: "www.web.com", - ApiHref: "www.wb.com", + ConsoleHref: "www.example.com", + ApiHref: "www.example.com", LocalResourceId: "0123", - ReporterVersion: "0.2", + ReporterVersion: "0.1", }, }, } opts := getCallOptions() _, err = client.RhelHostServiceClient.CreateRhelHost(context.Background(), &createRequest, opts...) - assert.NoError(t, err) + assert.NoError(t, err, "Failed to create RhelHost") updateRequest := resources.UpdateRhelHostRequest{ RhelHost: &resources.RhelHost{ Metadata: &resources.Metadata{ ResourceType: "rhel_host", - WorkspaceId: "workspace0", + WorkspaceId: "workspace", OrgId: "", }, ReporterData: &resources.ReporterData{ - ReporterInstanceId: "user@email.com", + ReporterInstanceId: "user@example.com", ReporterType: resources.ReporterData_OCM, - ConsoleHref: "www.web.com", - ApiHref: "www.wb.com", + ConsoleHref: "www.example.com", + ApiHref: "www.example.com", LocalResourceId: "0123", - ReporterVersion: "0.2", + ReporterVersion: "0.1", }, }, } _, err = client.RhelHostServiceClient.UpdateRhelHost(context.Background(), &updateRequest, opts...) 
- assert.NoError(t, err) + assert.NoError(t, err, "Failed to update RhelHost") deleteRequest := resources.DeleteRhelHostRequest{ ReporterData: &resources.ReporterData{ - ReporterInstanceId: "user@email.com", + ReporterInstanceId: "user@example.com", ReporterType: resources.ReporterData_OCM, - ConsoleHref: "www.web.com", - ApiHref: "www.wb.com", + ConsoleHref: "www.example.com", + ApiHref: "www.example.com", LocalResourceId: "0123", - ReporterVersion: "0.2", + ReporterVersion: "0.1", }, } _, err = client.RhelHostServiceClient.DeleteRhelHost(context.Background(), &deleteRequest, opts...) - assert.NoError(t, err) + assert.NoError(t, err, "Failed to delete RhelHost") } -func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { +func TestInventoryAPIHTTP_K8SClusterLifecycle(t *testing.T) { t.Parallel() c := v1beta1.NewConfig( v1beta1.WithHTTPUrl(inventoryapi_http_url), @@ -220,7 +198,7 @@ func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { K8SCluster: &resources.K8SCluster{ Metadata: &resources.Metadata{ ResourceType: "k8s_cluster", - WorkspaceId: "", + WorkspaceId: "workspace1", OrgId: "", }, ResourceData: &resources.K8SClusterDetail{ 
@@ -256,24 +234,12 @@ func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) { } opts := getCallOptions() _, err = client.K8sClusterService.CreateK8SCluster(context.Background(), &request, opts...) - assert.NoError(t, err) -} + assert.NoError(t, err, "Failed to create K8sCluster") -func TestInventoryAPIHTTP_K8SCluster_UpdateK8SCluster(t *testing.T) { - t.Parallel() - c := v1beta1.NewConfig( - v1beta1.WithHTTPUrl(inventoryapi_http_url), - v1beta1.WithTLSInsecure(insecure), - v1beta1.WithHTTPTLSConfig(tlsConfig), - ) - client, err := v1beta1.NewHttpClient(context.Background(), c) - if err != nil { - t.Error(err) - } - request := resources.UpdateK8SClusterRequest{ + updateRequest := resources.UpdateK8SClusterRequest{ K8SCluster: &resources.K8SCluster{ Metadata: &resources.Metadata{ - ResourceType: "k8s-cluster", + ResourceType: "k8s_cluster", WorkspaceId: "workspace1", OrgId: "", }, @@ -308,13 +274,25 @@ func TestInventoryAPIHTTP_K8SCluster_UpdateK8SCluster(t *testing.T) { }, }, } - opts := getCallOptions() - _, err = client.K8sClusterService.UpdateK8SCluster(context.Background(), &request, opts...) - assert.NoError(t, err) + _, err = client.K8sClusterService.UpdateK8SCluster(context.Background(), &updateRequest, opts...) + assert.NoError(t, err, "Failed to update K8sCluster") + + deleteRequest := resources.DeleteK8SClusterRequest{ + ReporterData: &resources.ReporterData{ + ReporterInstanceId: "user@example.com", + ReporterType: resources.ReporterData_ACM, + ConsoleHref: "www.example.com", + ApiHref: "www.example.com", + LocalResourceId: "01234", + ReporterVersion: "0.1", + }, + } + _, err = client.K8sClusterService.DeleteK8SCluster(context.Background(), &deleteRequest, opts...) + assert.NoError(t, err, "Failed to delete K8sCluster") } -func TestInventoryAPIHTTP_K8SPolicy_CreateK8SPolicy(t *testing.T) { +func TestInventoryAPIHTTP_K8SPolicyLifecycle(t *testing.T) { t.Parallel() c := v1beta1.NewConfig( v1beta1.WithHTTPUrl(inventoryapi_http_url), 
@@ -325,12 +303,11 @@ func TestInventoryAPIHTTP_K8SPolicy_CreateK8SPolicy(t *testing.T) { if err != nil { t.Error(err) } - request := resources.CreateK8SPolicyRequest{ K8SPolicy: &resources.K8SPolicy{ Metadata: &resources.Metadata{ ResourceType: "k8s_policy", - WorkspaceId: "default", + WorkspaceId: "workspace2", OrgId: "", }, ResourceData: &resources.K8SPolicyDetail{ @@ -349,32 +326,18 @@ func TestInventoryAPIHTTP_K8SPolicy_CreateK8SPolicy(t *testing.T) { } opts := getCallOptions() _, err = client.PolicyServiceClient.CreateK8SPolicy(context.Background(), &request, opts...) - assert.NoError(t, err) - -} + assert.NoError(t, err, "Failed to create K8sPolicy") -func TestInventoryAPIHTTP_K8SPolicy_UpdateK8SPolicy(t *testing.T) { - t.Parallel() - c := v1beta1.NewConfig( - v1beta1.WithHTTPUrl(inventoryapi_http_url), - v1beta1.WithTLSInsecure(insecure), - v1beta1.WithHTTPTLSConfig(tlsConfig), - ) - client, err := v1beta1.NewHttpClient(context.Background(), c) - if err != nil { - t.Error(err) - } - - request := resources.UpdateK8SPolicyRequest{ + updateRequest := resources.UpdateK8SPolicyRequest{ K8SPolicy: &resources.K8SPolicy{ Metadata: &resources.Metadata{ - ResourceType: "k8s-policy", + ResourceType: "k8s_policy", WorkspaceId: "workspace2", OrgId: "", }, ResourceData: &resources.K8SPolicyDetail{ - Disabled: false, - Severity: resources.K8SPolicyDetail_HIGH, + Disabled: true, + Severity: resources.K8SPolicyDetail_LOW, }, ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", 
@@ -386,10 +349,22 @@ func TestInventoryAPIHTTP_K8SPolicy_UpdateK8SPolicy(t *testing.T) { }, }, } - opts := getCallOptions() - _, err = client.PolicyServiceClient.UpdateK8SPolicy(context.Background(), &request, opts...) - assert.NoError(t, err) + _, err = client.PolicyServiceClient.UpdateK8SPolicy(context.Background(), &updateRequest, opts...) + assert.NoError(t, err, "Failed to update K8sPolicy") + + deleteRequest := resources.DeleteK8SPolicyRequest{ + ReporterData: &resources.ReporterData{ + ReporterInstanceId: "user@example.com", + ReporterType: resources.ReporterData_OCM, + ConsoleHref: "www.example.com", + ApiHref: "www.example.com", + LocalResourceId: "012345", + ReporterVersion: "0.1", + }, + } + _, err = client.PolicyServiceClient.DeleteK8SPolicy(context.Background(), &deleteRequest, opts...) + assert.NoError(t, err, "Failed to delete K8sPolicy") } func getCallOptions() []http.CallOption { From 0282833f8b394d66669429ee7ea70e0a4d2ce757 Mon Sep 17 00:00:00 2001 From: Adam0Brien Date: Fri, 15 Nov 2024 12:19:25 +0000 Subject: [PATCH 4/8] increase pipeline timeout --- .github/workflows/e2e-test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 9e0b726a..4438e01c 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -17,13 +17,15 @@ jobs: - name: Monitor Pods in Kind run: | - for i in {1..50}; do + for i in {1..300}; do STATUS=$(kubectl get pods --selector=job-name=e2e-inventory-http-tests -o jsonpath='{.items[0].status.phase}') if [ "$STATUS" = "Succeeded" ]; then echo "Test pod completed successfully." exit 0 elif [ "$STATUS" = "Failed" ]; then echo "Test pod failed." + TEST_POD=$(kubectl get pods --selector=job-name=e2e-inventory-http-tests -o jsonpath='{.items[0].metadata.name}') + kubectl logs $TEST_POD exit 1 fi sleep 1 From d61f7562a394a03a2d368e1025a6b4e3fa97a1f3 Mon Sep 17 00:00:00 2001 
From: Adam0Brien Date: Fri, 15 Nov 2024 17:16:39 +0000 Subject: [PATCH 5/8] Set to allow-unauthenticated --- deploy/kind/inventory/kessel-inventory.yaml | 2 ++ test/e2e/inventory_http_test.go | 12 ++++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/deploy/kind/inventory/kessel-inventory.yaml b/deploy/kind/inventory/kessel-inventory.yaml index 0c8d34d6..1d319478 100644 --- a/deploy/kind/inventory/kessel-inventory.yaml +++ b/deploy/kind/inventory/kessel-inventory.yaml @@ -139,6 +139,8 @@ stringData: address: 0.0.0.0:9081 authn: allow-unauthenticated: true + #psk: + #pre-shared-key-file: /psks.yaml authz: impl: allow-all eventing: diff --git a/test/e2e/inventory_http_test.go b/test/e2e/inventory_http_test.go index 3f36e8e5..f69e0ca0 100644 --- a/test/e2e/inventory_http_test.go +++ b/test/e2e/inventory_http_test.go @@ -137,7 +137,7 @@ func TestInventoryAPIHTTP_RHELHostLifecycle(t *testing.T) { }, ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", - ReporterType: resources.ReporterData_OCM, + ReporterType: resources.ReporterData_ACM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", LocalResourceId: "0123", @@ -158,7 +158,7 @@ func TestInventoryAPIHTTP_RHELHostLifecycle(t *testing.T) { }, ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", - ReporterType: resources.ReporterData_OCM, + ReporterType: resources.ReporterData_ACM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", LocalResourceId: "0123", @@ -172,7 +172,7 @@ func TestInventoryAPIHTTP_RHELHostLifecycle(t *testing.T) { deleteRequest := resources.DeleteRhelHostRequest{ ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", - ReporterType: resources.ReporterData_OCM, + ReporterType: resources.ReporterData_ACM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", LocalResourceId: "0123", 
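Review bot: The two added lines `#psk:` / `#pre-shared-key-file: /psks.yaml` are commented-out configuration with no accompanying explanation, so a reader cannot tell whether PSK is meant to return, was kept as a reminder, or is simply stale. Commented-out config tends to outlive its purpose; either delete it or replace it with a comment stating the decision, e.g. `# PSK authn is disabled in the kind e2e environment; re-enable by restoring psk.pre-shared-key-file and mounting the key into the test job`. The subject "Set to allow-unauthenticated" describes the switch already made in PATCH 3/8, whereas this patch's Go hunks only change `ReporterType` from `OCM` to `ACM`, so the message does not describe what the patch does.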
@@ -316,7 +316,7 @@ func TestInventoryAPIHTTP_K8SPolicyLifecycle(t *testing.T) { }, ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", - ReporterType: resources.ReporterData_OCM, + ReporterType: resources.ReporterData_ACM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", LocalResourceId: "012345", @@ -341,7 +341,7 @@ func TestInventoryAPIHTTP_K8SPolicyLifecycle(t *testing.T) { }, ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", - ReporterType: resources.ReporterData_OCM, + ReporterType: resources.ReporterData_ACM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", LocalResourceId: "012345", @@ -356,7 +356,7 @@ func TestInventoryAPIHTTP_K8SPolicyLifecycle(t *testing.T) { deleteRequest := resources.DeleteK8SPolicyRequest{ ReporterData: &resources.ReporterData{ ReporterInstanceId: "user@example.com", - ReporterType: resources.ReporterData_OCM, + ReporterType: resources.ReporterData_ACM, ConsoleHref: "www.example.com", ApiHref: "www.example.com", LocalResourceId: "012345", From 2d714282f86ca0cbf577362b31af056520a56e5a Mon Sep 17 00:00:00 2001 From: Adam0Brien Date: Fri, 15 Nov 2024 18:47:57 +0000 Subject: [PATCH 6/8] Add test cases for relationships --- test/e2e/inventory_http_test.go | 139 ++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) diff --git a/test/e2e/inventory_http_test.go b/test/e2e/inventory_http_test.go index f69e0ca0..851871b7 100644 --- a/test/e2e/inventory_http_test.go +++ b/test/e2e/inventory_http_test.go 
@@ -8,13 +8,16 @@ import ( "github.com/go-kratos/kratos/v2/log" "github.com/go-kratos/kratos/v2/transport/http" v1 "github.com/project-kessel/inventory-api/api/kessel/inventory/v1" + "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta1/relationships" "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta1/resources" "github.com/project-kessel/inventory-client-go/v1beta1" "github.com/stretchr/testify/assert" + "google.golang.org/protobuf/types/known/timestamppb" nethttp "net/http" "os" "strconv" "testing" + "time" ) var inventoryapi_http_url string 
@@ -367,6 +370,142 @@ func TestInventoryAPIHTTP_K8SPolicyLifecycle(t *testing.T) {
 assert.NoError(t, err, "Failed to delete K8sPolicy")
 }
 
+func TestInventoryAPIHTTP_K8SPolicy_is_propagated_to_K8sClusterLifecycle(t *testing.T) {
+ t.Parallel()
+ c := v1beta1.NewConfig(
+ v1beta1.WithHTTPUrl(inventoryapi_http_url),
+ v1beta1.WithTLSInsecure(insecure),
+ v1beta1.WithHTTPTLSConfig(tlsConfig),
+ )
+ client, err := v1beta1.NewHttpClient(context.Background(), c)
+ if err != nil {
+ t.Error(err)
+ }
+ request := resources.CreateK8SPolicyRequest{
+ K8SPolicy: &resources.K8SPolicy{
+ Metadata: &resources.Metadata{
+ ResourceType: "k8s_policy",
+ WorkspaceId: "workspace2",
+ OrgId: "",
+ },
+ ResourceData: &resources.K8SPolicyDetail{
+ Disabled: false,
+ Severity: resources.K8SPolicyDetail_HIGH,
+ },
+ ReporterData: &resources.ReporterData{
+ ReporterInstanceId: "user@example.com",
+ ReporterType: resources.ReporterData_ACM,
+ ConsoleHref: "www.example.com",
+ ApiHref: "www.example.com",
+ LocalResourceId: "789",
+ ReporterVersion: "0.1",
+ },
+ },
+ }
+ opts := getCallOptions()
+ _, err = client.PolicyServiceClient.CreateK8SPolicy(context.Background(), &request, opts...)
+ assert.NoError(t, err, "Failed to create K8sPolicy")
+
+ request1 := resources.CreateK8SClusterRequest{
+ K8SCluster: &resources.K8SCluster{
+ Metadata: &resources.Metadata{
+ ResourceType: "k8s_cluster",
+ WorkspaceId: "workspace2",
+ OrgId: "",
+ },
+ ResourceData: &resources.K8SClusterDetail{
+ ExternalClusterId: "01234",
+ ClusterStatus: resources.K8SClusterDetail_READY,
+ KubeVersion: "1.31",
+ KubeVendor: resources.K8SClusterDetail_OPENSHIFT,
+ VendorVersion: "4.16",
+ CloudPlatform: resources.K8SClusterDetail_AWS_UPI,
+ Nodes: []*resources.K8SClusterDetailNodesInner{
+ {
+ Name: "www.web.com",
+ Cpu: "7500m",
+ Memory: "30973224Ki",
+ Labels: []*resources.ResourceLabel{
+ {
+ Key: "has_a_monster_gpu",
+ Value: "no",
+ },
+ },
+ },
+ },
+ },
+ ReporterData: &resources.ReporterData{
+ ReporterInstanceId: "user@example.com",
+ ReporterType: resources.ReporterData_ACM,
+ ConsoleHref: "www.example.com",
+ ApiHref: "www.example.com",
+ LocalResourceId: "987",
+ ReporterVersion: "0.1",
+ },
+ },
+ }
+ _, err = client.K8sClusterService.CreateK8SCluster(context.Background(), &request1, opts...)
+ assert.NoError(t, err, "Failed to create K8sCluster")
+
+ requestRelationship := relationships.CreateK8SPolicyIsPropagatedToK8SClusterRequest{
+ K8SpolicyIspropagatedtoK8Scluster: &relationships.K8SPolicyIsPropagatedToK8SCluster{
+ Metadata: &relationships.Metadata{
+ RelationshipType: "k8spolicy_ispropagatedto_k8scluster",
+ OrgId: "",
+ CreatedAt: timestamppb.New(time.Now()),
+ UpdatedAt: timestamppb.New(time.Now()),
+ },
+ ReporterData: &relationships.ReporterData{
+ ReporterType: relationships.ReporterData_ACM,
+ ReporterVersion: "0.1",
+ SubjectLocalResourceId: "789", // LocalResourceID of K8SPolicy
+ ObjectLocalResourceId: "987", // LocalResourceID of K8SCluster
+ },
+ RelationshipData: &relationships.K8SPolicyIsPropagatedToK8SClusterDetail{
+ Status: relationships.K8SPolicyIsPropagatedToK8SClusterDetail_NO_VIOLATIONS,
+ },
+ },
+ }
+
+ _, err = client.K8SPolicyIsPropagatedToK8SClusterServiceHTTPClient.CreateK8SPolicyIsPropagatedToK8SCluster(context.Background(), &requestRelationship, opts...)
+ assert.NoError(t, err, "Failed to create relationship between K8sPolicy and K8sCluster")
+
+ updateRequest := relationships.UpdateK8SPolicyIsPropagatedToK8SClusterRequest{
+ K8SpolicyIspropagatedtoK8Scluster: &relationships.K8SPolicyIsPropagatedToK8SCluster{
+ Metadata: &relationships.Metadata{
+ RelationshipType: "k8spolicy_ispropagatedto_k8scluster",
+ OrgId: "",
+ CreatedAt: timestamppb.New(time.Now()),
+ UpdatedAt: timestamppb.New(time.Now()),
+ },
+ ReporterData: &relationships.ReporterData{
+ ReporterType: relationships.ReporterData_ACM,
+ ReporterVersion: "0.1",
+ SubjectLocalResourceId: "789", // LocalResourceID of K8SPolicy
+ ObjectLocalResourceId: "987", // LocalResourceID of K8SCluster
+ },
+ RelationshipData: &relationships.K8SPolicyIsPropagatedToK8SClusterDetail{
+ Status: relationships.K8SPolicyIsPropagatedToK8SClusterDetail_VIOLATIONS,
+ },
+ },
+ }
+
+ _, err = client.K8SPolicyIsPropagatedToK8SClusterServiceHTTPClient.UpdateK8SPolicyIsPropagatedToK8SCluster(context.Background(), &updateRequest, opts...)
+ assert.NoError(t, err, "Failed to update relationship between K8sPolicy and K8sCluster")
+
+ deleteRequest := relationships.DeleteK8SPolicyIsPropagatedToK8SClusterRequest{
+ ReporterData: &relationships.ReporterData{
+ ReporterType: relationships.ReporterData_ACM,
+ ReporterVersion: "0.1",
+ SubjectLocalResourceId: "789", // LocalResourceID of K8SPolicy
+ ObjectLocalResourceId: "987", // LocalResourceID of K8SCluster
+ },
+ }
+
+ _, err = client.K8SPolicyIsPropagatedToK8SClusterServiceHTTPClient.DeleteK8SPolicyIsPropagatedToK8SCluster(context.Background(), &deleteRequest, opts...)
+ assert.NoError(t, err, "Failed to delete relationship between K8sPolicy and K8sCluster")
+}
+
 func getCallOptions() []http.CallOption {
 var opts []http.CallOption
 header := nethttp.Header{}
From cbde528e1cccb778555c4b5b7fb250ccdeb6ded6 Mon Sep 17 00:00:00 2001
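Review bot: `t.Error(err)` after `v1beta1.NewHttpClient` lets the test carry on with an unusable client when construction fails, so the first `CreateK8SPolicy` call would panic on a nil dereference instead of reporting the real cause; that check should read `t.Fatal(err)` (and if other tests in this file share the pattern they deserve the same fix). The policy (`LocalResourceId: "789"`) and cluster (`"987"`) created at the top of the test are never deleted — only the relationship is — so every run leaves two resources behind in the shared inventory and a re-run against the same database may fail on the create step; registering their deletion with `t.Cleanup` right after each successful create, using the `resources.DeleteK8SPolicyRequest` shape already used by `TestInventoryAPIHTTP_K8SPolicyLifecycle` and the cluster equivalent, would keep the test self-contained. `CreatedAt`/`UpdatedAt` are populated client-side with `timestamppb.New(time.Now())`; if the server is meant to own those timestamps the test should not send them, and either way a one-line comment on the `Metadata` block saying whether the server is expected to honour or overwrite them would make the intent clear. The assertions stop at `NoError`, so nothing verifies that the update actually moved `Status` to `VIOLATIONS`; a read-back after the update (if the client exposes one) would turn this from a smoke test into a lifecycle check, as the name promises.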
From: Adam0Brien Date: Tue, 19 Nov 2024 10:49:23 +0000 Subject: [PATCH 7/8] relations/spicedb/inventory setup for e2e testing --- deploy/kind/inventory/kessel-inventory.yaml | 8 +- .../relations/spicedb-kind-setup/README.md | 13 + .../relations/spicedb-kind-setup/bundle.yaml | 3337 +++++++++++ .../spicedb-kind-setup/install-operator.md | 15 + .../spicedb-kind-setup/kind-kube/README.md | 5 + .../spicedb-kind-setup/kind-kube/contour.yaml | 5252 +++++++++++++++++ .../kind-kube/kind-ingress.config | 18 + .../spicedb-kind-setup/postgres/README.md | 5 + .../postgres/postgresql.yaml | 54 + .../spicedb-kind-setup/postgres/secret.yaml | 9 + .../spicedb-kind-setup/postgres/storage.yaml | 30 + .../relations-api/deployment.yaml | 30 + .../relations-api/secret.yaml | 8 + .../spicedb-kind-setup/relations-api/svc.yaml | 31 + .../relations/spicedb-kind-setup/setup.sh | 72 + .../spicedb-kind-setup/sm-spicedb.yaml | 31 + .../spicedb-kind-setup/spicedb-cr.yaml | 33 + .../spicedb-kind-setup/svc-ingress.yaml | 72 + .../relations/spicedb-kind-setup/teardown.sh | 25 + scripts/start-inventory-kind.sh | 31 +- 20 files changed, 9077 insertions(+), 2 deletions(-) create mode 100644 deploy/kind/relations/spicedb-kind-setup/README.md create mode 100644 deploy/kind/relations/spicedb-kind-setup/bundle.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/install-operator.md create mode 100644 deploy/kind/relations/spicedb-kind-setup/kind-kube/README.md create mode 100644 deploy/kind/relations/spicedb-kind-setup/kind-kube/contour.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/kind-kube/kind-ingress.config create mode 100644 deploy/kind/relations/spicedb-kind-setup/postgres/README.md create mode 100644 deploy/kind/relations/spicedb-kind-setup/postgres/postgresql.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/postgres/secret.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/postgres/storage.yaml create mode 100644 
deploy/kind/relations/spicedb-kind-setup/relations-api/deployment.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/relations-api/secret.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/relations-api/svc.yaml create mode 100755 deploy/kind/relations/spicedb-kind-setup/setup.sh create mode 100644 deploy/kind/relations/spicedb-kind-setup/sm-spicedb.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/spicedb-cr.yaml create mode 100644 deploy/kind/relations/spicedb-kind-setup/svc-ingress.yaml create mode 100755 deploy/kind/relations/spicedb-kind-setup/teardown.sh
diff --git a/deploy/kind/inventory/kessel-inventory.yaml b/deploy/kind/inventory/kessel-inventory.yaml
index 1d319478..e4a0118d 100644
--- a/deploy/kind/inventory/kessel-inventory.yaml
+++ b/deploy/kind/inventory/kessel-inventory.yaml
@@ -142,7 +142,13 @@ stringData:
 #psk:
 #pre-shared-key-file: /psks.yaml
 authz:
- impl: allow-all
+ #impl: allow-all
+ impl: kessel
+ kessel:
+ insecure-client: true
+ url: http://relationships-service.default.svc.cluster.local:8000
+ enable-oidc-auth: false
+ principal-user-domain: 0.0.0.0:8084
 eventing:
 eventer: stdout
 kafka:
diff --git a/deploy/kind/relations/spicedb-kind-setup/README.md b/deploy/kind/relations/spicedb-kind-setup/README.md
new file mode 100644
index 00000000..c5e024ce
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/README.md
@@ -0,0 +1,13 @@
+# Setup Spicedb-operator with Postgres in local kind kubernetes with monitoring stack
+
+# Run the setup
+`./setup.sh`
+
+## Testing grpc end-point
+`grpcurl -plaintext spicedb-grpc.127.0.0.1.nip.io:80 list`
+```# authzed.api.v1.ExperimentalService
+# authzed.api.v1.PermissionsService
+# authzed.api.v1.SchemaService
+# authzed.api.v1.WatchService
+# grpc.health.v1.Health
+# grpc.reflection.v1alpha.ServerReflection
\ No newline at end of file
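Review bot: The new `kessel` authz block turns on `insecure-client: true`, `enable-oidc-auth: false` and a plain `http://` relations URL with no comment saying why, and leaves the dead `#impl: allow-all` line above it; since this manifest sits under `deploy/kind/` these are presumably meant for the local kind cluster only, so a comment on the `kessel:` line such as `# kind/e2e only: plaintext client and OIDC disabled; do not copy into a non-local overlay` would stop them being lifted into a real environment. `principal-user-domain: 0.0.0.0:8084` reads as a listener host:port rather than a domain, which looks like it was copied from an address setting; confirm it is the value the kessel authz client actually expects for that key. Either drop the commented-out `#impl: allow-all` or annotate it as the fallback for running the e2e suite without the relations stack, so the next reader knows which of the two is intended.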
diff --git a/deploy/kind/relations/spicedb-kind-setup/bundle.yaml b/deploy/kind/relations/spicedb-kind-setup/bundle.yaml
new file mode 100644
index 00000000..4c80b5da
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/bundle.yaml
@@ -0,0 +1,3337 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + kubernetes.io/metadata.name: spicedb-operator + name: spicedb-operator +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: spicedbclusters.authzed.com +spec: + group: authzed.com + names: + categories: + - authzed + kind: SpiceDBCluster + listKind: SpiceDBClusterList + plural: spicedbclusters + shortNames: + - spicedbs + singular: spicedbcluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.channel + name: Channel + type: string + - jsonPath: .spec.version + name: Desired + type: string + - jsonPath: .status.version.name + name: Current + type: string + - jsonPath: .status.conditions[?(@.type=='ConfigurationWarning')].status + name: Warnings + type: string + - jsonPath: .status.conditions[?(@.type=='Migrating')].status + name: Migrating + type: string + - jsonPath: .status.conditions[?(@.type=='RollingDeployment')].status + name: Updating + type: string + - jsonPath: .status.conditions[?(@.type=='ConditionValidatingFailed')].status + name: Invalid + type: string + - jsonPath: .status.conditions[?(@.type=='Paused')].status + name: Paused + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: SpiceDBCluster defines all options for a full SpiceDB cluster + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterSpec holds the desired state of the cluster. + properties: + channel: + description: |- + Channel is a defined series of updates that operator should follow. + The operator is configured with a datasource that configures available + channels and update paths. + If `version` is not specified, then the operator will keep SpiceDB + up-to-date with the current head of the channel. + If `version` is specified, then the operator will write available updates + in the status. + type: string + config: + description: Config values to be passed to the cluster + type: object + x-kubernetes-preserve-unknown-fields: true + patches: + description: |- + Patches is a list of patches to apply to generated resources. + If multiple patches apply to the same object and field, later patches + in the list take precedence over earlier ones. + items: + description: Patch represents a single change to apply to generated + manifests + properties: + kind: + description: Kind targets an object by its kubernetes Kind name. + type: string + patch: + description: |- + Patch is an inlined representation of a structured merge patch (one that + just specifies the structure and fields to be modified) or a an explicit + JSON6902 patch operation. + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - patch + type: object + type: array + secretName: + description: |- + SecretName points to a secret (in the same namespace) that holds secret + config for the cluster like passwords, credentials, etc. + If the secret is omitted, one will be generated + type: string + version: + description: |- + Version is the name of the version of SpiceDB that will be run. 
+ The version is usually a simple version string like `v1.13.0`, but the + operator is configured with a data source that tells it what versions + are allowed, and they may have other names. + If omitted, the newest version in the head of the channel will be used. + Note that the `config.image` field will take precedence over + version/channel, if it is specified + type: string + type: object + status: + description: ClusterStatus communicates the observed state of the cluster. + properties: + availableVersions: + description: |- + AvailableVersions is a list of versions that the currently running + version can be updated to. Only applies if using an update channel. + items: + properties: + attributes: + description: |- + Attributes is an optional set of descriptors for the update, which + carry additional information like whether there will be a migration + if this version is selected. + items: + type: string + type: array + channel: + description: Channel is the name of the channel this version + is in + type: string + description: + description: Description a human-readable description of the + update. + type: string + name: + description: Name is the identifier for this version + type: string + required: + - channel + - name + type: object + type: array + conditions: + description: Conditions for the current state of the Stack. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + currentMigrationHash: + description: |- + CurrentMigrationHash is a hash of the currently running migration target and config. + If this is equal to TargetMigrationHash (and there are no conditions) then the datastore + is fully migrated. + type: string + image: + description: Image is the image that is or will be used for this cluster + type: string + migration: + description: Migration is the name of the last migration applied + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that has been + seen by the controller. + format: int64 + minimum: 0 + type: integer + phase: + description: Phase is the currently running phase (used for phased + migrations) + type: string + secretHash: + description: SecretHash is a digest of the last applied secret + type: string + targetMigrationHash: + description: TargetMigrationHash is a hash of the desired migration + target and config + type: string + version: + description: |- + CurrentVersion is a description of the currently selected version from + the channel, if an update channel is being used. 
+ properties: + attributes: + description: |- + Attributes is an optional set of descriptors for the update, which + carry additional information like whether there will be a migration + if this version is selected. + items: + type: string + type: array + channel: + description: Channel is the name of the channel this version is + in + type: string + description: + description: Description a human-readable description of the update. + type: string + name: + description: Name is the identifier for this version + type: string + required: + - channel + - name + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spicedb-operator + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spicedb-operator +rules: + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authzed.com + resources: + - spicedbclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authzed.com + 
resources: + - spicedbclusters/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: spicedb-operator-edit +rules: + - apiGroups: + - authzed.com + resources: + - spicedbclusters + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - authzed.com + resources: + - spicedbclusters/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: spicedb-operator-view +rules: + - apiGroups: + - authzed.com + resources: + - spicedbclusters + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spicedb-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spicedb-operator +subjects: + - kind: ServiceAccount + name: spicedb-operator + namespace: default +--- +apiVersion: v1 +data: + update-graph.yaml: | + channels: + - edges: + v1.2.0: + - v1.3.0 + - v1.4.0 + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.3.0: + - v1.4.0 + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - 
v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.4.0: + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.5.0: + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.6.0: + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.7.0: + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.7.1: + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.8.0: + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.9.0: + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.10.0: + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.11.0: + - v1.12.0 + - v1.13.0 + - v1.14.0-phase1 + v1.12.0: + - v1.13.0 + - v1.14.0-phase1 + v1.13.0: + - v1.14.0-phase1 + v1.14.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.14.0-phase1: + - v1.14.0-phase2 + v1.14.0-phase2: + - v1.14.0 + v1.14.1: + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.15.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.16.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + 
v1.16.1: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.16.2: + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.17.0: + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.18.0: + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.19.1: + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.21.0: + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.22.2: + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.23.1: + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.24.0: + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.25.0: + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.26.0: + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.29.5: + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.30.0: + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - 
v1.35.3 + - v1.36.2 + v1.31.0: + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.32.0: + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.33.1: + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.34.0: + - v1.35.3 + - v1.36.2 + v1.35.3: + - v1.36.2 + v1.36.2: + - v1.37.1 + - v1.38.0 + v1.37.1: + - v1.38.0 + metadata: + datastore: postgres + default: "true" + name: stable + nodes: + - id: v1.38.0 + migration: add-metadata-to-transaction-table + tag: v1.38.0 + - id: v1.37.1 + migration: create-relationships-counters-table + tag: v1.37.1 + - id: v1.36.2 + migration: create-relationships-counters-table + tag: v1.36.2 + - id: v1.35.3 + migration: create-relationships-counters-table + tag: v1.35.3 + - id: v1.34.0 + migration: create-relationships-counters-table + tag: v1.34.0 + - id: v1.33.1 + migration: add-rel-by-alive-resource-relation-subject + tag: v1.33.1 + - id: v1.32.0 + migration: add-rel-by-alive-resource-relation-subject + tag: v1.32.0 + - id: v1.31.0 + migration: add-rel-by-alive-resource-relation-subject + tag: v1.31.0 + - id: v1.30.0 + migration: add-rel-by-alive-resource-relation-subject + tag: v1.30.0 + - id: v1.29.5 + migration: add-rel-by-alive-resource-relation-subject + tag: v1.29.5 + - id: v1.26.0 + migration: add-rel-by-alive-resource-relation-subject + tag: v1.26.0 + - id: v1.25.0 + migration: add-gc-covering-index + tag: v1.25.0 + - id: v1.24.0 + migration: add-gc-covering-index + tag: v1.24.0 + - id: v1.23.1 + migration: add-gc-covering-index + tag: v1.23.1 + - id: v1.22.2 + migration: add-gc-covering-index + tag: v1.22.2 + - id: v1.21.0 + migration: add-gc-covering-index + tag: v1.21.0 + - id: v1.19.1 + migration: add-gc-covering-index + tag: v1.19.1 + - id: v1.18.0 + migration: drop-bigserial-ids + tag: v1.18.0 + - id: v1.17.0 + migration: drop-bigserial-ids + tag: v1.17.0 + - id: v1.16.2 + migration: drop-bigserial-ids + tag: v1.16.2 + - id: v1.16.1 + migration: drop-bigserial-ids + tag: v1.16.1 + - id: v1.16.0 + migration: 
drop-bigserial-ids + tag: v1.16.0 + - id: v1.15.0 + migration: drop-bigserial-ids + tag: v1.15.0 + - id: v1.14.1 + migration: drop-bigserial-ids + tag: v1.14.1 + - id: v1.14.0 + migration: drop-bigserial-ids + tag: v1.14.0 + - id: v1.14.0-phase2 + migration: add-xid-constraints + phase: write-both-read-new + tag: v1.14.0 + - id: v1.14.0-phase1 + migration: add-xid-columns + phase: write-both-read-old + tag: v1.14.0 + - id: v1.13.0 + migration: add-ns-config-id + tag: v1.13.0 + - id: v1.12.0 + migration: add-ns-config-id + tag: v1.12.0 + - id: v1.11.0 + migration: add-ns-config-id + tag: v1.11.0 + - id: v1.10.0 + migration: add-ns-config-id + tag: v1.10.0 + - id: v1.9.0 + migration: add-unique-datastore-id + tag: v1.9.0 + - id: v1.8.0 + migration: add-unique-datastore-id + tag: v1.8.0 + - id: v1.7.1 + migration: add-unique-datastore-id + tag: v1.7.1 + - id: v1.7.0 + migration: add-unique-datastore-id + tag: v1.7.0 + - id: v1.6.0 + migration: add-unique-datastore-id + tag: v1.6.0 + - id: v1.5.0 + migration: add-transaction-timestamp-index + tag: v1.5.0 + - id: v1.4.0 + migration: add-transaction-timestamp-index + tag: v1.4.0 + - id: v1.3.0 + migration: add-transaction-timestamp-index + tag: v1.3.0 + - id: v1.2.0 + migration: add-transaction-timestamp-index + tag: v1.2.0 + - edges: + v1.2.0: + - v1.3.0 + - v1.4.0 + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.3.0: + - v1.4.0 + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.4.0: + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + 
- v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.5.0: + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.6.0: + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.7.0: + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.7.1: + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.8.0: + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.9.0: + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.10.0: + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.11.0: + - v1.12.0 + - v1.13.0 + - 
v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.12.0: + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.13.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.14.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.14.1: + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.15.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.16.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.16.1: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.16.2: + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.17.0: + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.18.0: + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.19.1: + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.21.0: + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 
+ - v1.29.5 + - v1.30.0-phase1 + v1.22.2: + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.23.1: + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.24.0: + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.25.0: + - v1.26.0 + - v1.29.5 + - v1.30.0-phase1 + v1.26.0: + - v1.29.5 + - v1.30.0-phase1 + v1.29.5: + - v1.30.0-phase1 + v1.30.0: + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.30.0-phase1: + - v1.30.0 + v1.31.0: + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.32.0: + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.33.1: + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.34.0: + - v1.35.3 + - v1.36.2 + v1.35.3: + - v1.36.2 + v1.36.2: + - v1.37.1 + - v1.38.0 + v1.37.1: + - v1.38.0 + metadata: + datastore: cockroachdb + default: "true" + name: stable + nodes: + - id: v1.38.0 + migration: add-transaction-metadata-table + tag: v1.38.0 + - id: v1.37.1 + migration: add-integrity-relationtuple-table + tag: v1.37.1 + - id: v1.36.2 + migration: add-integrity-relationtuple-table + tag: v1.36.2 + - id: v1.35.3 + migration: add-relationship-counters-table + tag: v1.35.3 + - id: v1.34.0 + migration: add-relationship-counters-table + tag: v1.34.0 + - id: v1.33.1 + migration: remove-stats-table + tag: v1.33.1 + - id: v1.32.0 + migration: remove-stats-table + tag: v1.32.0 + - id: v1.31.0 + migration: remove-stats-table + tag: v1.31.0 + - id: v1.30.0 + migration: remove-stats-table + tag: v1.30.0 + - id: v1.30.0-phase1 + migration: add-caveats + tag: v1.30.0 + - id: v1.29.5 + migration: add-caveats + tag: v1.29.5 + - id: v1.26.0 + migration: add-caveats + tag: v1.26.0 + - id: v1.25.0 + migration: add-caveats + tag: v1.25.0 + - id: v1.24.0 + migration: add-caveats + tag: v1.24.0 + - id: v1.23.1 + migration: add-caveats + tag: v1.23.1 + - id: v1.22.2 + migration: add-caveats + tag: v1.22.2 + - id: v1.21.0 + migration: add-caveats + tag: v1.21.0 + - id: v1.19.1 + migration: 
add-caveats + tag: v1.19.1 + - id: v1.18.0 + migration: add-caveats + tag: v1.18.0 + - id: v1.17.0 + migration: add-caveats + tag: v1.17.0 + - id: v1.16.2 + migration: add-caveats + tag: v1.16.2 + - id: v1.16.1 + migration: add-caveats + tag: v1.16.1 + - id: v1.16.0 + migration: add-caveats + tag: v1.16.0 + - id: v1.15.0 + migration: add-caveats + tag: v1.15.0 + - id: v1.14.1 + migration: add-caveats + tag: v1.14.1 + - id: v1.14.0 + migration: add-caveats + tag: v1.14.0 + - id: v1.13.0 + migration: add-metadata-and-counters + tag: v1.13.0 + - id: v1.12.0 + migration: add-metadata-and-counters + tag: v1.12.0 + - id: v1.11.0 + migration: add-metadata-and-counters + tag: v1.11.0 + - id: v1.10.0 + migration: add-metadata-and-counters + tag: v1.10.0 + - id: v1.9.0 + migration: add-metadata-and-counters + tag: v1.9.0 + - id: v1.8.0 + migration: add-metadata-and-counters + tag: v1.8.0 + - id: v1.7.1 + migration: add-metadata-and-counters + tag: v1.7.1 + - id: v1.7.0 + migration: add-metadata-and-counters + tag: v1.7.0 + - id: v1.6.0 + migration: add-metadata-and-counters + tag: v1.6.0 + - id: v1.5.0 + migration: add-transactions-table + tag: v1.5.0 + - id: v1.4.0 + migration: add-transactions-table + tag: v1.4.0 + - id: v1.3.0 + migration: add-transactions-table + tag: v1.3.0 + - id: v1.2.0 + migration: add-transactions-table + tag: v1.2.0 + - edges: + v1.7.0: + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.7.1: + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - 
v1.35.3 + - v1.36.2 + v1.8.0: + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.9.0: + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.10.0: + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.11.0: + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.12.0: + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.13.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.14.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.14.1: + - v1.15.0 + - v1.16.2 + - 
v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.15.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.16.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.16.1: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.16.2: + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.17.0: + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.18.0: + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.19.1: + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.21.0: + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.22.2: + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + 
v1.23.1: + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.24.0: + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.25.0: + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.26.0: + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.29.5: + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.30.0: + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.31.0: + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.32.0: + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.33.1: + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.34.0: + - v1.35.3 + - v1.36.2 + v1.35.3: + - v1.36.2 + v1.36.2: + - v1.37.1 + - v1.38.0 + v1.37.1: + - v1.38.0 + metadata: + datastore: mysql + default: "true" + name: stable + nodes: + - id: v1.38.0 + migration: add_metadata_to_transaction_table + tag: v1.38.0 + - id: v1.37.1 + migration: add_relationship_counters_table + tag: v1.37.1 + - id: v1.36.2 + migration: add_relationship_counters_table + tag: v1.36.2 + - id: v1.35.3 + migration: add_relationship_counters_table + tag: v1.35.3 + - id: v1.34.0 + migration: add_relationship_counters_table + tag: v1.34.0 + - id: v1.33.1 + migration: watch_api_relation_tuple_index + tag: v1.33.1 + - id: v1.32.0 + migration: watch_api_relation_tuple_index + tag: v1.32.0 + - id: v1.31.0 + migration: watch_api_relation_tuple_index + tag: v1.31.0 + - id: v1.30.0 + migration: watch_api_relation_tuple_index + tag: v1.30.0 + - id: v1.29.5 + migration: watch_api_relation_tuple_index + tag: v1.29.5 + - id: v1.26.0 + migration: longblob_definitions + tag: v1.26.0 + - id: v1.25.0 + migration: longblob_definitions + tag: v1.25.0 + - id: v1.24.0 + migration: extend_object_id + tag: v1.24.0 + - id: 
v1.23.1 + migration: extend_object_id + tag: v1.23.1 + - id: v1.22.2 + migration: extend_object_id + tag: v1.22.2 + - id: v1.21.0 + migration: extend_object_id + tag: v1.21.0 + - id: v1.19.1 + migration: add_caveat + tag: v1.19.1 + - id: v1.18.0 + migration: add_caveat + tag: v1.18.0 + - id: v1.17.0 + migration: add_caveat + tag: v1.17.0 + - id: v1.16.2 + migration: add_caveat + tag: v1.16.2 + - id: v1.16.1 + migration: add_caveat + tag: v1.16.1 + - id: v1.16.0 + migration: add_caveat + tag: v1.16.0 + - id: v1.15.0 + migration: add_caveat + tag: v1.15.0 + - id: v1.14.1 + migration: add_caveat + tag: v1.14.1 + - id: v1.14.0 + migration: add_caveat + tag: v1.14.0 + - id: v1.13.0 + migration: add_ns_config_id + tag: v1.13.0 + - id: v1.12.0 + migration: add_ns_config_id + tag: v1.12.0 + - id: v1.11.0 + migration: add_ns_config_id + tag: v1.11.0 + - id: v1.10.0 + migration: add_ns_config_id + tag: v1.10.0 + - id: v1.9.0 + migration: add_unique_datastore_id + tag: v1.9.0 + - id: v1.8.0 + migration: add_unique_datastore_id + tag: v1.8.0 + - id: v1.7.1 + migration: add_unique_datastore_id + tag: v1.7.1 + - id: v1.7.0 + migration: add_unique_datastore_id + tag: v1.7.0 + - edges: + v1.8.0: + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.9.0: + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.10.0: + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.11.0: + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.12.0: + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.13.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - 
v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.14.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.14.1: + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.15.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.16.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.16.1: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.16.2: + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.17.0: + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.18.0: + - v1.19.1 + - v1.21.0 + - v1.22.2-phase1 + v1.19.1: + - v1.21.0 + - v1.22.2-phase1 + v1.21.0: + - v1.22.2-phase1 + v1.22.2: + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5-phase1 + v1.22.2-phase1: + - v1.22.2-phase2 + v1.22.2-phase2: + - v1.22.2 + v1.23.1: + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5-phase1 + v1.24.0: + - v1.25.0 + - v1.26.0 + - v1.29.5-phase1 + v1.25.0: + - v1.26.0 + - v1.29.5-phase1 + v1.26.0: + - v1.29.5-phase1 + v1.29.5: + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.29.5-phase1: + - v1.29.5 + v1.30.0: + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.31.0: + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.32.0: + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.33.1: + - v1.34.0 + - v1.35.3 + - v1.36.2 + v1.34.0: + - v1.35.3 + - v1.36.2 + v1.35.3: + - v1.36.2 + v1.36.2: + - v1.37.1 + - v1.38.0 + v1.37.1: + - v1.38.0 + metadata: + datastore: spanner + default: "true" + name: stable + nodes: + - id: v1.38.0 + migration: add-transaction-metadata-table + tag: v1.38.0 + - id: v1.37.1 + migration: add-relationship-counter-table + tag: v1.37.1 + - id: v1.36.2 + migration: add-relationship-counter-table + tag: v1.36.2 + - id: v1.35.3 + migration: 
add-relationship-counter-table + tag: v1.35.3 + - id: v1.34.0 + migration: add-relationship-counter-table + tag: v1.34.0 + - id: v1.33.1 + migration: delete-older-changestreams + tag: v1.33.1 + - id: v1.32.0 + migration: delete-older-changestreams + tag: v1.32.0 + - id: v1.31.0 + migration: delete-older-changestreams + tag: v1.31.0 + - id: v1.30.0 + migration: delete-older-changestreams + tag: v1.30.0 + - id: v1.29.5 + migration: delete-older-changestreams + tag: v1.29.5 + - id: v1.29.5-phase1 + migration: register-combined-change-stream + tag: v1.29.5 + - id: v1.26.0 + migration: drop-changelog-table + tag: v1.26.0 + - id: v1.25.0 + migration: drop-changelog-table + tag: v1.25.0 + - id: v1.24.0 + migration: drop-changelog-table + tag: v1.24.0 + - id: v1.23.1 + migration: drop-changelog-table + tag: v1.23.1 + - id: v1.22.2 + migration: drop-changelog-table + tag: v1.22.2 + - id: v1.22.2-phase2 + migration: register-tuple-change-stream + phase: write-changelog-read-stream + tag: v1.22.2 + - id: v1.22.2-phase1 + migration: register-tuple-change-stream + phase: write-changelog-read-changelog + tag: v1.22.2 + - id: v1.21.0 + migration: add-caveats + tag: v1.21.0 + - id: v1.19.1 + migration: add-caveats + tag: v1.19.1 + - id: v1.18.0 + migration: add-caveats + tag: v1.18.0 + - id: v1.17.0 + migration: add-caveats + tag: v1.17.0 + - id: v1.16.2 + migration: add-caveats + tag: v1.16.2 + - id: v1.16.1 + migration: add-caveats + tag: v1.16.1 + - id: v1.16.0 + migration: add-caveats + tag: v1.16.0 + - id: v1.15.0 + migration: add-caveats + tag: v1.15.0 + - id: v1.14.1 + migration: add-caveats + tag: v1.14.1 + - id: v1.14.0 + migration: add-caveats + tag: v1.14.0 + - id: v1.13.0 + migration: add-metadata-and-counters + tag: v1.13.0 + - id: v1.12.0 + migration: add-metadata-and-counters + tag: v1.12.0 + - id: v1.11.0 + migration: add-metadata-and-counters + tag: v1.11.0 + - id: v1.10.0 + migration: add-metadata-and-counters + tag: v1.10.0 + - id: v1.9.0 + migration: 
add-metadata-and-counters + tag: v1.9.0 + - id: v1.8.0 + migration: add-metadata-and-counters + tag: v1.8.0 + - edges: + v1.2.0: + - v1.3.0 + - v1.4.0 + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.3.0: + - v1.4.0 + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.4.0: + - v1.5.0 + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.5.0: + - v1.6.0 + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.6.0: + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - 
v1.38.0 + v1.7.0: + - v1.7.1 + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.7.1: + - v1.8.0 + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.8.0: + - v1.9.0 + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.9.0: + - v1.10.0 + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.10.0: + - v1.11.0 + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.11.0: + - v1.12.0 + - v1.13.0 + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.12.0: + - v1.13.0 + - 
v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.13.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.14.0: + - v1.14.1 + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.14.1: + - v1.15.0 + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.15.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.16.0: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.16.1: + - v1.16.2 + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.16.2: + - v1.17.0 + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - 
v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.17.0: + - v1.18.0 + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.18.0: + - v1.19.1 + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.19.1: + - v1.21.0 + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.21.0: + - v1.22.2 + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.22.2: + - v1.23.1 + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.23.1: + - v1.24.0 + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.24.0: + - v1.25.0 + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.25.0: + - v1.26.0 + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.26.0: + - v1.29.5 + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.29.5: + - v1.30.0 + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.30.0: + - v1.31.0 + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.31.0: + - v1.32.0 + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 
+ v1.32.0: + - v1.33.1 + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.33.1: + - v1.34.0 + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.34.0: + - v1.35.3 + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.35.3: + - v1.36.2 + - v1.37.1 + - v1.38.0 + v1.36.2: + - v1.37.1 + - v1.38.0 + v1.37.1: + - v1.38.0 + metadata: + datastore: memory + default: "true" + name: stable + nodes: + - id: v1.38.0 + tag: v1.38.0 + - id: v1.37.1 + tag: v1.37.1 + - id: v1.36.2 + tag: v1.36.2 + - id: v1.35.3 + tag: v1.35.3 + - id: v1.34.0 + tag: v1.34.0 + - id: v1.33.1 + tag: v1.33.1 + - id: v1.32.0 + tag: v1.32.0 + - id: v1.31.0 + tag: v1.31.0 + - id: v1.30.0 + tag: v1.30.0 + - id: v1.29.5 + tag: v1.29.5 + - id: v1.26.0 + tag: v1.26.0 + - id: v1.25.0 + tag: v1.25.0 + - id: v1.24.0 + tag: v1.24.0 + - id: v1.23.1 + tag: v1.23.1 + - id: v1.22.2 + tag: v1.22.2 + - id: v1.21.0 + tag: v1.21.0 + - id: v1.19.1 + tag: v1.19.1 + - id: v1.18.0 + tag: v1.18.0 + - id: v1.17.0 + tag: v1.17.0 + - id: v1.16.2 + tag: v1.16.2 + - id: v1.16.1 + tag: v1.16.1 + - id: v1.16.0 + tag: v1.16.0 + - id: v1.15.0 + tag: v1.15.0 + - id: v1.14.1 + tag: v1.14.1 + - id: v1.14.0 + tag: v1.14.0 + - id: v1.13.0 + tag: v1.13.0 + - id: v1.12.0 + tag: v1.12.0 + - id: v1.11.0 + tag: v1.11.0 + - id: v1.10.0 + tag: v1.10.0 + - id: v1.9.0 + tag: v1.9.0 + - id: v1.8.0 + tag: v1.8.0 + - id: v1.7.1 + tag: v1.7.1 + - id: v1.7.0 + tag: v1.7.0 + - id: v1.6.0 + tag: v1.6.0 + - id: v1.5.0 + tag: v1.5.0 + - id: v1.4.0 + tag: v1.4.0 + - id: v1.3.0 + tag: v1.3.0 + - id: v1.2.0 + tag: v1.2.0 + imageName: ghcr.io/authzed/spicedb +kind: ConfigMap +metadata: + name: update-graph + namespace: default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: spicedb-operator + app.kubernetes.io/instance: spicedb-operator + name: spicedb-operator +spec: + replicas: 1 + selector: + matchLabels: + app: spicedb-operator + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + 
metadata: + labels: + app: spicedb-operator + app.kubernetes.io/instance: spicedb-operator + spec: + containers: + - args: + - run + - -v=4 + - --crd=false + - --config + - /opt/operator/update-graph.yaml + image: ghcr.io/authzed/spicedb-operator:v1.17.0 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 15 + name: spicedb-operator + ports: + - containerPort: 8080 + name: prometheus + protocol: TCP + readinessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 15 + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /opt/operator + name: config + readOnly: true + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + serviceAccountName: spicedb-operator + volumes: + - configMap: + defaultMode: 420 + name: update-graph + name: config \ No newline at end of file diff --git a/deploy/kind/relations/spicedb-kind-setup/install-operator.md b/deploy/kind/relations/spicedb-kind-setup/install-operator.md new file mode 100644 index 00000000..c084eeda --- /dev/null +++ b/deploy/kind/relations/spicedb-kind-setup/install-operator.md @@ -0,0 +1,15 @@ +# Install Spicedb-operator + +# Create Spicedb namespace +```kubectl create namespace spicedb-operator``` + +# Deploy the Spicedb operator +``` +kubectl apply --server-side -f https://github.com/authzed/spicedb-operator/releases/latest/download/bundle.yaml -n spicedb +``` + +# Create namespace spicedb + +```kubectl create namespace spicedb``` + + 
diff --git a/deploy/kind/relations/spicedb-kind-setup/kind-kube/README.md b/deploy/kind/relations/spicedb-kind-setup/kind-kube/README.md new file mode 100644 index 00000000..c165d588 --- /dev/null +++ b/deploy/kind/relations/spicedb-kind-setup/kind-kube/README.md @@ -0,0 +1,5 @@ +# Create a Kubernetes cluster +`kind create cluster --config kind-ingress.config` + +# Configure Conture +kubectl apply -f contour.yaml \ No newline at end of file diff --git a/deploy/kind/relations/spicedb-kind-setup/kind-kube/contour.yaml b/deploy/kind/relations/spicedb-kind-setup/kind-kube/contour.yaml new file mode 100644 index 00000000..61d3008d --- /dev/null +++ b/deploy/kind/relations/spicedb-kind-setup/kind-kube/contour.yaml 
@@ -0,0 +1,5252 @@ +# This file is generated from the individual YAML files by generate-deployment.sh. Do not +# edit this file directly but instead edit the source files and re-render. +# +# Generated from: +# examples/contour/00-common.yaml +# examples/contour/01-contour-config.yaml +# examples/contour/01-crds.yaml +# examples/contour/02-job-certgen.yaml +# examples/contour/02-rbac.yaml +# examples/contour/02-role-contour.yaml +# examples/contour/02-service-contour.yaml +# examples/contour/02-service-envoy.yaml +# examples/contour/03-contour.yaml +# examples/contour/03-envoy.yaml + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour + namespace: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy + namespace: projectcontour + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: contour + namespace: projectcontour +data: + contour.yaml: | + # + # server: + # determine which XDS Server implementation to utilize in Contour. + # xds-server-type: contour + # + # Specify the Gateway API configuration. + # gateway: + # controllerName: projectcontour.io/projectcontour/contour + # + # should contour expect to be running inside a k8s cluster + # incluster: true + # + # path to kubeconfig (if not running inside a k8s cluster) + # kubeconfig: /path/to/.kube/config + # + # Disable RFC-compliant behavior to strip "Content-Length" header if + # "Tranfer-Encoding: chunked" is also set. + # disableAllowChunkedLength: false + # + # Disable Envoy's non-standard merge_slashes path transformation option + # that strips duplicate slashes from request URLs. + # disableMergeSlashes: false + # + # Disable HTTPProxy permitInsecure field + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.2" + # TLS ciphers to be supported by Envoy TLS listeners when negotiating + # TLS 1.2. 
+ # cipher-suites: + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' + # - 'ECDHE-RSA-AES256-GCM-SHA384' + # Defines the Kubernetes name/namespace matching a secret to use + # as the fallback certificate when requests which don't match the + # SNI defined for a vhost. + fallback-certificate: + # name: fallback-secret-name + # namespace: projectcontour + envoy-client-certificate: + # name: envoy-client-cert-secret-name + # namespace: projectcontour + #### + # ExternalName Services are disabled by default due to CVE-2021-XXXXX + # You can re-enable them by setting this setting to `true`. + # This is not recommended without understanding the security implications. + # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details. + # enableExternalNameService: false + ## + # Address to be placed in status.loadbalancer field of Ingress objects. + # May be either a literal IP address or a host name. + # The value will be placed directly into the relevant field inside the status.loadBalancer struct. + # ingress-status-address: local.projectcontour.io + ### Logging options + # Default setting + accesslog-format: envoy + # The default access log format is defined by Envoy but it can be customized by setting following variable. + # accesslog-format-string: "...\n" + # To enable JSON logging in Envoy + # accesslog-format: json + # accesslog-level: info + # The default fields that will be logged are specified below. + # To customise this list, just add or remove entries. 
+ # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" + # - "grpc_status" + # + # default-http-versions: + # - "HTTP/2" + # - "HTTP/1.1" + # + # The following shows the default proxy timeout settings. + # timeouts: + # request-timeout: infinity + # connection-idle-timeout: 60s + # stream-idle-timeout: 5m + # max-connection-duration: infinity + # delayed-close-timeout: 1s + # connection-shutdown-grace-period: 5s + # connect-timeout: 2s + # + # Envoy cluster settings. + # cluster: + # configure the cluster dns lookup family + # valid options are: auto (default), v4, v6 + # dns-lookup-family: auto + # + # Envoy network settings. + # network: + # Configure the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + # num-trusted-hops: 0 + # Configure the port used to access the Envoy Admin interface. + # admin-port: 9001 + # + # Configure an optional global rate limit service. + # rateLimitService: + # Identifies the extension service defining the rate limit service, + # formatted as /. + # extensionService: projectcontour/ratelimit + # Defines the rate limit domain to pass to the rate limit service. + # Acts as a container for a set of rate limit definitions within + # the RLS. 
+ # domain: contour + # Defines whether to allow requests to proceed when the rate limit + # service fails to respond with a valid rate limit decision within + # the timeout defined on the extension service. + # failOpen: false + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF + # Internet-Draft linked below), on responses to clients when the Rate + # Limit Service is consulted for a request. + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + # enableXRateLimitHeaders: false + # + # Global Policy settings. + # policy: + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) + # request-headers: + # set: + # # example: the hostname of the Envoy instance that proxied the request + # X-Envoy-Hostname: %HOSTNAME% + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) + # response-headers: + # set: + # # example: Envoy flags that provide additional details about the response or connection + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% + # + # metrics: + # contour: + # address: 0.0.0.0 + # port: 8000 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + # envoy: + # address: 0.0.0.0 + # port: 8002 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + 
name: contourconfigurations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourConfiguration + listKind: ContourConfigurationList + plural: contourconfigurations + shortNames: + - contourconfig + singular: contourconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourConfiguration is the schema for a Contour instance. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ContourConfigurationSpec represents a configuration of a + Contour controller. It contains most of all the options that can be + customized, the other remaining options being command line flags. + properties: + debug: + description: Debug contains parameters to enable debug logging and + debug interfaces inside Contour. + properties: + address: + description: "Defines the Contour debug address interface. \n + Contour's default is \"127.0.0.1\"." + type: string + port: + description: "Defines the Contour debug address port. \n Contour's + default is 6060." + type: integer + type: object + enableExternalNameService: + description: "EnableExternalNameService allows processing of ExternalNameServices + \n Contour's default is false for security reasons." 
+ type: boolean + envoy: + description: Envoy contains parameters for Envoy as well as how to + optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: ClientCertificate defines the namespace/name of the + Kubernetes secret containing the client certificate and private + key to be used when establishing TLS connection to upstream + cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: Cluster holds various configurable Envoy cluster + values that can be set in the config file. + properties: + dnsLookupFamily: + description: "DNSLookupFamily defines how external names are + looked up When configured as V4, the DNS resolver will only + perform a lookup for addresses in the IPv4 family. If V6 + is configured, the DNS resolver will only perform a lookup + for addresses in the IPv6 family. If AUTO is configured, + the DNS resolver will first perform a lookup for addresses + in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. Note: This only applies to externalName + clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. \n Values: `auto` (default), `v4`, + `v6`. \n Other values will produce an error." + type: string + type: object + defaultHTTPVersions: + description: "DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are strings + of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" + and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). + \n Other values will produce an error." + items: + description: HTTPVersionType is the name of a supported HTTP + version. + type: string + type: array + health: + description: "Health defines the endpoint Envoy uses to serve + health checks. 
\n Contour's default is { address: \"0.0.0.0\", + port: 8002 }." + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: "Defines the HTTP Listener for Envoy. \n Contour's + default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" + }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: "Defines the HTTPS Listener for Envoy. \n Contour's + default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" + }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: "ConnectionBalancer. If the value is exact, the + listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. \n Values: (empty string): use the + default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + \n Other values will produce an error." + type: string + disableAllowChunkedLength: + description: "DisableAllowChunkedLength disables the RFC-compliant + Envoy behavior to strip the \"Content-Length\" header if + \"Transfer-Encoding: chunked\" is also set. 
This is an emergency + off-switch to revert back to Envoy's default behavior in + case of failures. Please file an issue if failures are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + \n Contour's default is false." + type: boolean + disableMergeSlashes: + description: "DisableMergeSlashes disables Envoy's non-standard + merge_slashes path transformation option which strips duplicate + slashes from request URL paths. \n Contour's default is + false." + type: boolean + tls: + description: TLS holds various configurable Envoy TLS listener + values. + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n This field is optional; when + it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + \ - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + \ - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + \ - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + \ - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" + \ - \"AES256-SHA\" \n Contour recommends leaving this + undefined unless you are sure you must. 
\n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. \n Values: `1.2` + (default), `1.3`. \n Other values will produce an error." + type: string + type: object + useProxyProtocol: + description: "Use PROXY protocol for all listeners. \n Contour's + default is false." + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: "AccessLogFormat sets the global access log format. + \n Values: `envoy` (default), `json`. \n Other values will + produce an error." + type: string + accessLogFormatString: + description: AccessLogFormatString sets the access log format + when format is set to `envoy`. When empty, Envoy's default + format is used. + type: string + accessLogJSONFields: + description: AccessLogJSONFields sets the fields that JSON + logging will output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: "AccessLogLevel sets the verbosity level of the + access log. \n Values: `info` (default, meaning all requests + are logged), `error` and `disabled`. \n Other values will + produce an error." + type: string + type: object + metrics: + description: "Metrics defines the endpoint Envoy uses to serve + metrics. \n Contour's default is { address: \"0.0.0.0\", port: + 8002 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. 
Metrics and + health endpoints cannot have same port number when metrics + is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: "Configure the port used to access the Envoy + Admin interface. If configured to port \"0\" then the admin + interface is disabled. \n Contour's default is 9001." + type: integer + numTrustedHops: + description: "XffNumTrustedHops defines the number of additional + ingress proxy hops from the right side of the x-forwarded-for + HTTP header to trust when determining the origin client’s + IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. \n Contour's default is 0." + format: int32 + type: integer + type: object + service: + description: "Service holds Envoy service parameters for setting + Ingress status. \n Contour's default is { namespace: \"projectcontour\", + name: \"envoy\" }." + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: Timeouts holds various configurable timeouts that + can be set in the config file. + properties: + connectTimeout: + description: "ConnectTimeout defines how long the proxy should + wait when establishing connection to upstream service. If + not set, a default value of 2 seconds will be used. \n See + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information." 
+ type: string + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the proxy + should wait while there are no active requests (for HTTP/1.1) + or streams (for HTTP/2) before terminating an HTTP connection. + Set to \"infinity\" to disable the timeout entirely. \n + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information." + type: string + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how long + the proxy will wait between sending an initial GOAWAY frame + and a second, final GOAWAY frame when terminating an HTTP/2 + connection. During this grace period, the proxy will continue + to respond to new streams. After the final GOAWAY frame + has been sent, the proxy will refuse new streams. \n See + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information." + type: string + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy will + wait, once connection close processing has been initiated, + for the downstream peer to close the connection before Envoy + closes the socket associated with the connection. \n Setting + this timeout to 'infinity' will disable it, equivalent to + setting it to '0' in Envoy. Leaving it unset will result + in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information." 
+ type: string + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum period + of time after an HTTP connection has been established from + the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit + or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information." + type: string + requestTimeout: + description: "RequestTimeout sets the client request timeout + globally for Contour. Note that this is a timeout for the + entire request, not an idle timeout. Omit or set to \"infinity\" + to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information." + type: string + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy + should wait while there is no request activity (for HTTP/1.1) + or stream activity (for HTTP/2) before terminating the HTTP + request or stream. Set to \"infinity\" to disable the timeout + entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information." + type: string + type: object + type: object + gateway: + description: Gateway contains parameters for the gateway-api Gateway + that Contour is configured to serve traffic. + properties: + controllerName: + description: ControllerName is used to determine whether Contour + should reconcile a GatewayClass. 
The string takes the form of + "projectcontour.io//contour". If unset, the gatewayclass + controller will not be started. Exactly one of ControllerName + or GatewayRef must be set. + type: string + gatewayRef: + description: GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile only + this gateway, and will not reconcile any gateway classes. Exactly + one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + health: + description: "Health defines the endpoints Contour uses to serve health + checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 + }." + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: "DisablePermitInsecure disables the use of the permitInsecure + field in HTTPProxy. \n Contour's default is false." + type: boolean + fallbackCertificate: + description: FallbackCertificate defines the namespace/name of + the Kubernetes secret to use as fallback when a non-SNI request + is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces for + root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. 
+ type: string + type: object + metrics: + description: "Metrics defines the endpoint Contour uses to serve metrics. + \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. Metrics and health + endpoints cannot have same port number when metrics is served + over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: "ApplyToIngress determines if the Policies will apply + to ingress objects \n Contour's default is false." + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: RateLimitService optionally holds properties of the Rate + Limit Service to be used for global rate limiting. + properties: + domain: + description: Domain is passed to the Rate Limit Service. 
+ type: string + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include + the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, + and X-RateLimit-Reset (as defined by the IETF Internet-Draft + linked below), on responses to clients when the Rate Limit Service + is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: FailOpen defines whether to allow requests to proceed + when the Rate Limit Service fails to respond with a valid rate + limit decision within the timeout defined on the extension service. + type: boolean + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: "Defines the xDS gRPC API address which Contour will + serve. \n Contour's default is \"0.0.0.0\"." + minLength: 1 + type: string + port: + description: "Defines the xDS gRPC API port which Contour will + serve. \n Contour's default is 8001." + type: integer + tls: + description: "TLS holds TLS file config details. \n Contour's + default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", + keyFile: \"/certs/tls.key\", insecure: false }." + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: "Defines the XDSServer to use for `contour serve`. + \n Values: `contour` (default), `envoy`. \n Other values will + produce an error." 
+ type: string + type: object + type: object + status: + description: ContourConfigurationStatus defines the observed state of + a ContourConfiguration resource. + properties: + conditions: + description: "Conditions contains the current status of the Contour + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. 
When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: contourdeployments.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourDeployment + listKind: ContourDeploymentList + plural: contourdeployments + shortNames: + - contourdeploy + singular: contourdeployment + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourDeployment is the schema for a Contour Deployment. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ContourDeploymentSpec specifies options for how a Contour + instance should be provisioned. + properties: + contour: + description: Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane and + associated resources, including things like replica count for the + Deployment, and node placement constraints for the pods. + properties: + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Contour pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: "NodeSelector is the simplest recommended form + of node selection constraint and specifies a map of key-value + pairs. For the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). \n If unset, + the pod(s) will be scheduled to any available node." + type: object + tolerations: + description: "Tolerations work with taints to ensure that + pods are not scheduled onto inappropriate nodes. One or + more taints are applied to a node; this marks that the node + should not accept any pods that do not tolerate the taints. + \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details." + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . 
+ properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: Replicas is the desired number of Contour replicas. + If unset, defaults to 2. + format: int32 + minimum: 0 + type: integer + type: object + envoy: + description: Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane and associated + resources, including things like the workload type to use (DaemonSet + or Deployment), node placement constraints for the pods, and various + options for the Envoy service. + properties: + networkPublishing: + description: NetworkPublishing defines how to expose Envoy to + a network. 
+ properties: + serviceAnnotations: + additionalProperties: + type: string + description: ServiceAnnotations is the annotations to add + to the provisioned Envoy service. + type: object + type: + description: "NetworkPublishingType is the type of publishing + strategy to use. Valid values are: \n * LoadBalancerService + \n In this configuration, network endpoints for Envoy use + container networking. A Kubernetes LoadBalancer Service + is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n * NodePortService \n Publishes Envoy network endpoints + using a Kubernetes NodePort Service. \n In this configuration, + Envoy network endpoints use container networking. A Kubernetes + NodePort Service is created to publish the network endpoints. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + \n * ClusterIPService \n Publishes Envoy network endpoints + using a Kubernetes ClusterIP Service. \n In this configuration, + Envoy network endpoints use container networking. A Kubernetes + ClusterIP Service is created to publish the network endpoints. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + \n If unset, defaults to LoadBalancerService." + type: string + type: object + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Envoy pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: "NodeSelector is the simplest recommended form + of node selection constraint and specifies a map of key-value + pairs. For the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). \n If unset, + the pod(s) will be scheduled to any available node." 
+ type: object + tolerations: + description: "Tolerations work with taints to ensure that + pods are not scheduled onto inappropriate nodes. One or + more taints are applied to a node; this marks that the node + should not accept any pods that do not tolerate the taints. + \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details." + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: Replicas is the desired number of Envoy replicas. 
+ If WorkloadType is not "Deployment", this field is ignored. + Otherwise, if unset, defaults to 2. + format: int32 + minimum: 0 + type: integer + workloadType: + description: WorkloadType is the type of workload to install Envoy + as. Choices are DaemonSet and Deployment. If unset, defaults + to DaemonSet. + type: string + type: object + runtimeSettings: + description: RuntimeSettings is a ContourConfiguration spec to be + used when provisioning a Contour instance that will influence aspects + of the Contour instance's runtime behavior. + properties: + debug: + description: Debug contains parameters to enable debug logging + and debug interfaces inside Contour. + properties: + address: + description: "Defines the Contour debug address interface. + \n Contour's default is \"127.0.0.1\"." + type: string + port: + description: "Defines the Contour debug address port. \n Contour's + default is 6060." + type: integer + type: object + enableExternalNameService: + description: "EnableExternalNameService allows processing of ExternalNameServices + \n Contour's default is false for security reasons." + type: boolean + envoy: + description: Envoy contains parameters for Envoy as well as how + to optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: ClientCertificate defines the namespace/name + of the Kubernetes secret containing the client certificate + and private key to be used when establishing TLS connection + to upstream cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: Cluster holds various configurable Envoy cluster + values that can be set in the config file. + properties: + dnsLookupFamily: + description: "DNSLookupFamily defines how external names + are looked up When configured as V4, the DNS resolver + will only perform a lookup for addresses in the IPv4 + family. 
If V6 is configured, the DNS resolver will only + perform a lookup for addresses in the IPv6 family. If + AUTO is configured, the DNS resolver will first perform + a lookup for addresses in the IPv6 family and fallback + to a lookup for addresses in the IPv4 family. Note: + This only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. \n Values: `auto` (default), `v4`, + `v6`. \n Other values will produce an error." + type: string + type: object + defaultHTTPVersions: + description: "DefaultHTTPVersions defines the default set + of HTTPS versions the proxy should accept. HTTP versions + are strings of the form \"HTTP/xx\". Supported versions + are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, + `HTTP/2` (default: both). \n Other values will produce an + error." + items: + description: HTTPVersionType is the name of a supported + HTTP version. + type: string + type: array + health: + description: "Health defines the endpoint Envoy uses to serve + health checks. \n Contour's default is { address: \"0.0.0.0\", + port: 8002 }." + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: "Defines the HTTP Listener for Envoy. \n Contour's + default is { address: \"0.0.0.0\", port: 8080, accessLog: + \"/dev/stdout\" }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: "Defines the HTTPS Listener for Envoy. 
\n Contour's + default is { address: \"0.0.0.0\", port: 8443, accessLog: + \"/dev/stdout\" }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: "ConnectionBalancer. If the value is exact, + the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. \n Values: (empty string): use + the default ConnectionBalancer, `exact`: use the Exact + ConnectionBalancer. \n Other values will produce an + error." + type: string + disableAllowChunkedLength: + description: "DisableAllowChunkedLength disables the RFC-compliant + Envoy behavior to strip the \"Content-Length\" header + if \"Transfer-Encoding: chunked\" is also set. This + is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an + issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 + \n Contour's default is false." + type: boolean + disableMergeSlashes: + description: "DisableMergeSlashes disables Envoy's non-standard + merge_slashes path transformation option which strips + duplicate slashes from request URL paths. \n Contour's + default is false." + type: boolean + tls: + description: TLS holds various configurable Envoy TLS + listener values. + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. 
This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n This + field is optional; when it is undefined, a Contour-managed + ciphersuite list will be used, which may be updated + to keep it secure. \n Contour's default list is: + \ - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + \ - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + \ - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - + \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \ - \"ECDHE-ECDSA-AES256-SHA\" - \"ECDHE-RSA-AES256-SHA\" + \ - \"AES256-GCM-SHA384\" - \"AES256-SHA\" \n + Contour recommends leaving this undefined unless + you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. \n Values: + `1.2` (default), `1.3`. \n Other values will produce + an error." + type: string + type: object + useProxyProtocol: + description: "Use PROXY protocol for all listeners. \n + Contour's default is false." + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: "AccessLogFormat sets the global access log + format. 
\n Values: `envoy` (default), `json`. \n Other + values will produce an error." + type: string + accessLogFormatString: + description: AccessLogFormatString sets the access log + format when format is set to `envoy`. When empty, Envoy's + default format is used. + type: string + accessLogJSONFields: + description: AccessLogJSONFields sets the fields that + JSON logging will output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: "AccessLogLevel sets the verbosity level + of the access log. \n Values: `info` (default, meaning + all requests are logged), `error` and `disabled`. \n + Other values will produce an error." + type: string + type: object + metrics: + description: "Metrics defines the endpoint Envoy uses to serve + metrics. \n Contour's default is { address: \"0.0.0.0\", + port: 8002 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. Metrics + and health endpoints cannot have same port number when + metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: "Configure the port used to access the Envoy + Admin interface. If configured to port \"0\" then the + admin interface is disabled. \n Contour's default is + 9001." + type: integer + numTrustedHops: + description: "XffNumTrustedHops defines the number of + additional ingress proxy hops from the right side of + the x-forwarded-for HTTP header to trust when determining + the origin client’s IP address. 
\n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. \n Contour's default is 0." + format: int32 + type: integer + type: object + service: + description: "Service holds Envoy service parameters for setting + Ingress status. \n Contour's default is { namespace: \"projectcontour\", + name: \"envoy\" }." + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: Timeouts holds various configurable timeouts + that can be set in the config file. + properties: + connectTimeout: + description: "ConnectTimeout defines how long the proxy + should wait when establishing connection to upstream + service. If not set, a default value of 2 seconds will + be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information." + type: string + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the + proxy should wait while there are no active requests + (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to \"infinity\" to disable the + timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information." + type: string + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how + long the proxy will wait between sending an initial + GOAWAY frame and a second, final GOAWAY frame when terminating + an HTTP/2 connection. During this grace period, the + proxy will continue to respond to new streams. After + the final GOAWAY frame has been sent, the proxy will + refuse new streams. 
\n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information." + type: string + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy + will wait, once connection close processing has been + initiated, for the downstream peer to close the connection + before Envoy closes the socket associated with the connection. + \n Setting this timeout to 'infinity' will disable it, + equivalent to setting it to '0' in Envoy. Leaving it + unset will result in the Envoy default value being used. + \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information." + type: string + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum + period of time after an HTTP connection has been established + from the client to the proxy before it is closed by + the proxy, regardless of whether there has been activity + or not. Omit or set to \"infinity\" for no max duration. + \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information." + type: string + requestTimeout: + description: "RequestTimeout sets the client request timeout + globally for Contour. Note that this is a timeout for + the entire request, not an idle timeout. Omit or set + to \"infinity\" to disable the timeout entirely. 
\n + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information." + type: string + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy + should wait while there is no request activity (for + HTTP/1.1) or stream activity (for HTTP/2) before terminating + the HTTP request or stream. Set to \"infinity\" to disable + the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information." + type: string + type: object + type: object + gateway: + description: Gateway contains parameters for the gateway-api Gateway + that Contour is configured to serve traffic. + properties: + controllerName: + description: ControllerName is used to determine whether Contour + should reconcile a GatewayClass. The string takes the form + of "projectcontour.io//contour". If unset, the + gatewayclass controller will not be started. Exactly one + of ControllerName or GatewayRef must be set. + type: string + gatewayRef: + description: GatewayRef defines a specific Gateway that this + Contour instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway classes. + Exactly one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + health: + description: "Health defines the endpoints Contour uses to serve + health checks. \n Contour's default is { address: \"0.0.0.0\", + port: 8000 }." + properties: + address: + description: Defines the health address interface. 
+ minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: "DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. \n Contour's default + is false." + type: boolean + fallbackCertificate: + description: FallbackCertificate defines the namespace/name + of the Kubernetes secret to use as fallback when a non-SNI + request is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: "Metrics defines the endpoint Contour uses to serve + metrics. \n Contour's default is { address: \"0.0.0.0\", port: + 8000 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. Metrics and + health endpoints cannot have same port number when metrics + is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. 
+ type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: "ApplyToIngress determines if the Policies will + apply to ingress objects \n Contour's default is false." + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: RateLimitService optionally holds properties of the + Rate Limit Service to be used for global rate limiting. + properties: + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include + the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, + and X-RateLimit-Reset (as defined by the IETF Internet-Draft + linked below), on responses to clients when the Rate Limit + Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: FailOpen defines whether to allow requests to + proceed when the Rate Limit Service fails to respond with + a valid rate limit decision within the timeout defined on + the extension service. 
+ type: boolean + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: "Defines the xDS gRPC API address which Contour + will serve. \n Contour's default is \"0.0.0.0\"." + minLength: 1 + type: string + port: + description: "Defines the xDS gRPC API port which Contour + will serve. \n Contour's default is 8001." + type: integer + tls: + description: "TLS holds TLS file config details. \n Contour's + default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", + keyFile: \"/certs/tls.key\", insecure: false }." + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: "Defines the XDSServer to use for `contour serve`. + \n Values: `contour` (default), `envoy`. \n Other values + will produce an error." + type: string + type: object + type: object + type: object + status: + description: ContourDeploymentStatus defines the observed state of a ContourDeployment + resource. + properties: + conditions: + description: Conditions describe the current conditions of the ContourDeployment + resource. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: extensionservices.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ExtensionService + listKind: ExtensionServiceList + plural: extensionservices + shortNames: + - extensionservice + - extensionservices + singular: extensionservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExtensionService is the schema for the Contour extension services + API. An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating components. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExtensionServiceSpec defines the desired state of an ExtensionService + resource. + properties: + loadBalancerPolicy: + description: The policy for load balancing GRPC service requests. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy is chosen. + If an element of the supplied list of hash policies is invalid, + it will be ignored. If the list of hash policies is empty after + validation, the load balancing strategy will fall back the the + default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for an + individual hash policy on a request attribute. + properties: + hashSourceIP: + description: HashSourceIP should be set to true when request + source IP hash based load balancing is desired. It must + be the only hash option field set, otherwise this request + hash policy object will be ignored. + type: boolean + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must be + the only hash option field set, otherwise this request + hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP request + header that will be used to calculate the hash key. 
+ If the header specified is not present on a request, + no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: QueryParameterHashOptions should be set when + request query parameter hash based load balancing is desired. + It must be the only hash option field set, otherwise this + request hash policy object will be ignored. + properties: + parameterName: + description: ParameterName is the name of the HTTP request + query parameter that will be used to calculate the + hash key. If the query parameter specified is not + present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to true, + and the request attribute specified in the attribute hash + options is present, no further hash policies will be used + to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are `Random`, + `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. + If an unknown strategy name is specified or no policy is supplied, + the default `RoundRobin` policy is used. + type: string + type: object + protocol: + description: Protocol may be used to specify (or override) the protocol + used to reach this Service. Values may be h2 or h2c. If omitted, + protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + type: string + protocolVersion: + description: This field sets the version of the GRPC protocol that + Envoy uses to send requests to the extension service. Since Contour + always uses the v3 Envoy API, this is currently fixed at "v3". However, + other protocol options will be available in future. 
+ enum: + - v3 + type: string + services: + description: Services specifies the set of Kubernetes Service resources + that receive GRPC extension API requests. If no weights are specified + for any of the entries in this array, traffic will be spread evenly + across all the services. Otherwise, traffic is balanced proportionally + to the Weight field in each entry. + items: + description: ExtensionServiceTarget defines an Kubernetes Service + to target with extension service traffic. + properties: + name: + description: Name is the name of Kubernetes service that will + accept service traffic. + type: string + port: + description: Port (defined as Integer) to proxy traffic to since + a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + weight: + description: Weight defines proportion of traffic to balance + to the Kubernetes Service. + format: int32 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for requests to the services. + properties: + idle: + description: Timeout for how long the proxy should wait while + there is no activity during single request/response (for HTTP/1.1) + or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 + connection is idle between two consecutive requests. If not + specified, there is no per-route idle timeout, though a connection + manager-wide stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: Timeout for how long connection from the proxy to + the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, Envoy's + default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + validation: + description: UpstreamValidation defines how to verify the backend + service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes secret + used to validate the certificate presented by the backend. The + secret must contain key named ca.crt. + type: string + subjectName: + description: Key which is expected to be present in the 'subjectAltName' + of the presented certificate. + type: string + required: + - caSecret + - subjectName + type: object + required: + - services + type: object + status: + description: ExtensionServiceStatus defines the observed state of an ExtensionService + resource. + properties: + conditions: + description: "Conditions contains the current status of the ExtensionService + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. 
+ \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. 
\n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." 
+ items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. 
\n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: httpproxies.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: Includes allow for specific routing configuration to + be included from another HTTPProxy, possibly in another namespace. + items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: 'Conditions are a set of rules that are applied + to included HTTPProxies. In effect, they are added onto the + Conditions of included HTTPProxy Route structs. When applied, + they are merged using AND, with one exception: There can be + only one Prefix MatchCondition per Conditions slice. More + than one Prefix, or contradictory Conditions, will make the + include invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. 
+ type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + ingressClassName: + description: IngressClassName optionally specifies the ingress class + to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is + set, it is given precedence over this field. + type: string + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + authPolicy: + description: AuthPolicy updates the authorization policy that + was set on the root HTTPProxy object for client requests that + match this route. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that are + sent to the authentication server in the check request. 
+ If a context is provided at an enclosing scope, the entries + are merged such that the inner scope overrides matching + keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + conditions: + description: 'Conditions are a set of rules that are applied + to a Route. When applied, they are merged using AND, with + one exception: There can be only one Prefix MatchCondition + per Conditions slice. More than one Prefix, or contradictory + Conditions, will make the route invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. 
+ type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header attributes. + Note that rewritten cookie names must be unique in this list. + Order rewrite policies are specified in does not matter. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the Set-Cookie + Domain element. If not set, Domain will not be rewritten. + properties: + value: + description: Value is the value to rewrite the Domain + attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the Path + attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute will + not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie Secure + element. If not set, Secure attribute will not be rewritten. 
+ type: boolean + required: + - name + type: object + type: array + directResponsePolicy: + description: DirectResponsePolicy returns an arbitrary HTTP + response directly. + properties: + body: + description: "Body is the content of the response body. + If this setting is omitted, no body is included in the + generated response. \n Note: Body is not recommended to + set too long otherwise it can have significant resource + usage impacts." + type: string + statusCode: + description: StatusCode is the HTTP response status to be + returned. + maximum: 599 + minimum: 200 + type: integer + required: + - statusCode + type: object + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP health + check request. If left empty (default value), the name + "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash + policies to apply when the `RequestHash` load balancing + strategy is chosen. 
If an element of the supplied list + of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load + balancing strategy will fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration + for an individual hash policy on a request attribute. + properties: + hashSourceIP: + description: HashSourceIP should be set to true when + request source IP hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: HeaderHashOptions should be set when + request header hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not + present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: QueryParameterHashOptions should be set + when request query parameter hash based load balancing + is desired. It must be the only hash option field + set, otherwise this request hash policy object will + be ignored. + properties: + parameterName: + description: ParameterName is the name of the + HTTP request query parameter that will be used + to calculate the hash key. If the query parameter + specified is not present on a request, no hash + will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set + to true, and the request attribute specified in + the attribute hash options is present, no further + hash policies will be used to calculate a hash for + the request. 
+ type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy + names are `Random`, `RoundRobin`, `WeightedLeastRequest`, + `Cookie`, and `RequestHash`. If an unknown strategy name + is specified or no policy is supplied, the default `RoundRobin` + policy is used. + type: string + type: object + pathRewritePolicy: + description: The policy for rewriting the path of the request + URL after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: "Prefix specifies the URL path prefix + to be replaced. \n If Prefix is specified, it must + exactly match the MatchCondition prefix that is + rendered by the chain of including HTTPProxies and + only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through + multiple roots to only replace specific path prefixes, + leaving others unmodified. \n If Prefix is not specified, + all routing prefixes rendered by the include chain + will be replaced." + minLength: 1 + type: string + replacement: + description: Replacement is the string that the routing + path prefix will be replaced with. This must not + be empty. + minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: Allow this path to respond to insecure requests + over HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + rateLimitPolicy: + description: The policy for rate limiting on the route. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. 
parameters defining descriptors that are sent to + an external rate limit service (RLS) for a rate limit + decision on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit + service. Each descriptor contains 1+ key-value pair + entries. + items: + description: RateLimitDescriptor defines a list of + key-value pair generators. + properties: + entries: + description: Entries is the list of key-value + pair generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this + struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of + the descriptor entry. If not set, + the key is set to "generic_key". + type: string + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given + header is present on the request. The + descriptor key is static, and the descriptor + value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the + name of the header to look for on + the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if + the request's headers match a set of 1+ + match criteria. 
The descriptor key is + "header_match", and the descriptor value + is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match + the match criteria in order to generate + a descriptor entry (i.e. true), or + not match the match criteria in order + to generate a descriptor entry (i.e. + false). The default is true. + type: boolean + headers: + description: Headers is a list of 1+ + match criteria to apply against the + request to determine whether to populate + the descriptor entry or not. + items: + description: HeaderMatchCondition + specifies how to conditionally match + against HTTP headers. The Name field + is required, but only one of the + remaining fields should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a + string that the header value + must be equal to. + type: string + name: + description: Name is the name + of the header to match against. + Name is required. Header names + are case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be + present in the header value. + type: string + notexact: + description: NoExact specifies + a string that the header value + must not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when + the named header is not present. + Note that setting NotPresent + to false does not make the condition + true if the named header is + present. + type: boolean + present: + description: Present specifies + that condition is true when + the named header is present, + regardless of its value. Note + that setting Present to false + does not make the condition + true if the named header is + absent. 
+ type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per + unit of time should be allowed before rate limiting + occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within + which requests over the limit will be rate limited. + Valid values are "second", "minute" and "hour". 
+ enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + requestRedirectPolicy: + description: RequestRedirectPolicy defines an HTTP redirection. + properties: + hostname: + description: Hostname is the precise hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. No wildcards + are allowed. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path allows for redirection to a different + path from the original on the request. The path must start + with a leading slash. \n Note: Only one of Path or Prefix + can be defined." + pattern: ^\/.*$ + type: string + port: + description: Port is the port to be used in the value of + the `Location` header in the response. When empty, port + (if specified) of the request is used. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + prefix: + description: "Prefix defines the value to swap the matched + prefix or path with. The prefix must start with a leading + slash. 
\n Note: Only one of Path or Prefix can be defined." + pattern: ^\/.*$ + type: string + scheme: + description: Scheme is the scheme to be used in the value + of the `Location` header in the response. When empty, + the scheme of the request is used. + enum: + - http + - https + type: string + statusCode: + default: 302 + description: StatusCode is the HTTP status code to be used + in response. + enum: + - 301 + - 302 + type: integer + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + default: 1 + description: NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. If set to 0 or + not supplied, the value is set to the Envoy default of + 1. + format: int64 + minimum: -1 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + retriableStatusCodes: + description: "RetriableStatusCodes specifies the HTTP status + codes that should be retried. \n This field is only respected + when you include `retriable-status-codes` in the `RetryOn` + field." + items: + format: int32 + type: integer + type: array + retryOn: + description: "RetryOn specifies the conditions on which + to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + \n - `5xx` - `gateway-error` - `reset` - `connect-failure` + - `retriable-4xx` - `refused-stream` - `retriable-status-codes` + - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + \n - `cancelled` - `deadline-exceeded` - `internal` - + `resource-exhausted` - `unavailable`" + items: + description: RetryOn is a string type alias with validation + to ensure that the value is valid. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - retriable-headers + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the + Set-Cookie Domain element. If not set, Domain + will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Domain attribute to. 
For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for + which attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Path attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute + will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie + Secure element. If not set, Secure attribute will + not be rewritten. + type: boolean + required: + - name + type: object + type: array + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to + proxy traffic. Names defined here will be used to look + up corresponding endpoints which contain the ips to + route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. 
+ exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may + be tls, h2, h2c. If omitted, protocol-selection falls + back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers + during proxying. Rewriting the 'Host' header is not + supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. 
+ items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes + secret used to validate the certificate presented + by the backend. The secret must contain key named + ca.crt. + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate. + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: Timeout for how long the proxy should wait + while there is no activity during single request/response + (for HTTP/1.1) or stream (for HTTP/2). Timeout will not + trigger while HTTP/1.1 connection is idle between two + consecutive requests. If not specified, there is no per-route + idle timeout, though a connection manager-wide stream_idle_timeout + default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: Timeout for how long connection from the proxy + to the upstream service is kept when there are no active + requests. If not supplied, Envoy's default value of 1h + applies. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, + Envoy's default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: "IncludesDeprecated allow for specific routing configuration + to be appended to another HTTPProxy in another namespace. \n + Exists due to a mistake when developing HTTPProxy and the field + was marked plural when it should have been singular. This field + should stay to not break backwards compatibility to v1 users." 
+ properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: The load balancing policy for the backend services. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy + is chosen. If an element of the supplied list of hash policies + is invalid, it will be ignored. If the list of hash policies + is empty after validation, the load balancing strategy will + fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for + an individual hash policy on a request attribute. + properties: + hashSourceIP: + description: HashSourceIP should be set to true when + request source IP hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must + be the only hash option field set, otherwise this + request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not present + on a request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: QueryParameterHashOptions should be set + when request query parameter hash based load balancing + is desired. It must be the only hash option field + set, otherwise this request hash policy object will + be ignored. 
+ properties: + parameterName: + description: ParameterName is the name of the HTTP + request query parameter that will be used to calculate + the hash key. If the query parameter specified + is not present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to + true, and the request attribute specified in the attribute + hash options is present, no further hash policies + will be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy names + are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the Set-Cookie + Domain element. If not set, Domain will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Domain attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. 
+ maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Path attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute + will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie + Secure element. If not set, Secure attribute will + not be rewritten. + type: boolean + required: + - name + type: object + type: array + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be + tls, h2, h2c. If omitted, protocol-selection falls back + on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. 
Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes + secret used to validate the certificate presented + by the backend. The secret must contain key named + ca.crt. 
+ type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate. + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root" HTTPProxy. + properties: + authorization: + description: This field configures an extension service to perform + authorization for this virtual host. Authorization can only + be configured on virtual hosts that have TLS enabled. If the + TLS configuration requires client certificate validation, the + client certificate is always included in the authentication + check request. + properties: + authPolicy: + description: AuthPolicy sets a default authorization policy + for client requests. This policy will be used unless overridden + by individual routes. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that + are sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the + entries are merged such that the inner scope overrides + matching keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this field + is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this field + is not specifies, the namespace of the resource that + targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request is forwarded + to the upstream service even if the authorization server + fails to respond. This field should not be set in most cases. + It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time to wait + for a check response from the authorization server. Timeout + durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". The string "infinity" is also a valid input and specifies + no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy + will buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of + message body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to + Authorization Server is in raw bytes. 
+ type: boolean + type: object + required: + - extensionRef + type: object + corsPolicy: + description: Specifies the cross-origin policy to apply to the + VirtualHost. + properties: + allowCredentials: + description: Specifies whether the resource allows credentials. + type: boolean + allowHeaders: + description: AllowHeaders specifies the content for the *access-control-allow-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowMethods: + description: AllowMethods specifies the content for the *access-control-allow-methods* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowOrigin: + description: AllowOrigin specifies the origins that will be + allowed to do CORS requests. "*" means allow any origin. + items: + type: string + type: array + exposeHeaders: + description: ExposeHeaders Specifies the content for the *access-control-expose-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + maxAge: + description: MaxAge indicates for how long the results of + a preflight request can be cached. MaxAge durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". Only positive values are allowed while 0 disables the + cache requiring a preflight OPTIONS check for all cross-origin + requests. 
+ type: string + required: + - allowMethods + - allowOrigin + type: object + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn. + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + rateLimitPolicy: + description: The policy for rate limiting on the virtual host. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to an + external rate limit service (RLS) for a rate limit decision + on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit service. + Each descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this struct + must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of the + descriptor entry. If not set, the key + is set to "generic_key". + type: string + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given header + is present on the request. The descriptor + key is static, and the descriptor value + is equal to the value of the header. 
+ properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if the + request's headers match a set of 1+ match + criteria. The descriptor key is "header_match", + and the descriptor value is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match the + match criteria in order to generate + a descriptor entry (i.e. true), or not + match the match criteria in order to + generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: Headers is a list of 1+ match + criteria to apply against the request + to determine whether to populate the + descriptor entry or not. + items: + description: HeaderMatchCondition specifies + how to conditionally match against + HTTP headers. The Name field is required, + but only one of the remaining fields + should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + name: + description: Name is the name of + the header to match against. Name + is required. Header names are + case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be present + in the header value. + type: string + notexact: + description: NoExact specifies a + string that the header value must + not be equal to. The condition + is true if the header has any + other value. 
+ type: string + notpresent: + description: NotPresent specifies + that condition is true when the + named header is not present. Note + that setting NotPresent to false + does not make the condition true + if the named header is present. + type: boolean + present: + description: Present specifies that + condition is true when the named + header is present, regardless + of its value. Note that setting + Present to false does not make + the condition true if the named + header is absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per unit + of time should be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). 
If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within which + requests over the limit will be rate limited. Valid + values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + tls: + description: If present the fields describes TLS properties of + the virtual host. The SNI names that will be matched on are + described in fqdn, the tls.secretName secret must contain a + certificate that itself contains a name that matches the FQDN. + properties: + clientValidation: + description: "ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. \n This setting: \n 1. Enables TLS client certificate + validation. 2. Specifies how the client certificate will + be validated (i.e. validation required or skipped). \n + Note: Setting client certificate validation to be skipped + should be only used in conjunction with an external authorization + server that performs client validation as Contour will ensure + client certificates are passed along." + properties: + caSecret: + description: Name of a Kubernetes secret that contains + a CA certificate bundle. The secret must contain key + named ca.crt. The client certificate must validate against + the certificates in the bundle. If specified and SkipClientCertValidation + is true, client certificates will be required on requests. + minLength: 1 + type: string + crlOnlyVerifyLeafCert: + description: If this option is set to true, only the certificate + at the end of the certificate chain will be subject + to validation by CRL. + type: boolean + crlSecret: + description: Name of a Kubernetes opaque secret that contains + a concatenated list of PEM encoded CRLs. The secret + must contain key named crl.pem. 
This field will be used + to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert + is true. Large CRL lists are not supported since individual + secrets are limited to 1MiB in size. + minLength: 1 + type: string + skipClientCertValidation: + description: SkipClientCertValidation disables downstream + client certificate validation. Defaults to false. This + field is intended to be used in conjunction with external + authorization in order to enable the external authorization + server to validate client certificates. When this field + is set to true, client certificates are requested but + not verified by Envoy. If CACertificate is specified, + client certificates are required on requests, but not + verified. If external authorization is in use, they + are presented to the external authorization server. + type: boolean + type: object + enableFallbackCertificate: + description: EnableFallbackCertificate defines if the vhost + should allow a default certificate to be applied which handles + all requests which don't match the SNI defined in this vhost. + type: boolean + minimumProtocolVersion: + description: MinimumProtocolVersion is the minimum TLS version + this vhost should negotiate. Valid options are `1.2` (default) + and `1.3`. Any other value defaults to TLS 1.2. + type: string + passthrough: + description: Passthrough defines whether the encrypted TLS + handshake will be passed through to the backing cluster. + Either Passthrough or SecretName must be specified, but + not both. + type: boolean + secretName: + description: SecretName is the name of a TLS secret in the + current namespace. Either SecretName or Passthrough must + be specified, but not both. If specified, the named secret + must contain a matching certificate for the virtual host's + FQDN. 
+ type: string + type: object + required: + - fqdn + type: object + type: object + status: + default: + currentStatus: NotReconciled + description: Waiting for controller + description: Status is a container for computed information about the + HTTPProxy. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com/ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. 
\n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." 
+ maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." 
+ properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentStatus: + type: string + description: + type: string + loadBalancer: + description: LoadBalancer contains the current status of the load + balancer. + properties: + ingress: + description: Ingress is a list containing ingress points for the + load-balancer. Traffic intended for the service should be sent + to these ingress points. + items: + description: 'LoadBalancerIngress represents the status of a + load-balancer ingress point: traffic intended for the service + should be sent to an ingress point.' 
+ properties: + hostname: + description: Hostname is set for load-balancer ingress points + that are DNS based (typically AWS load-balancers) + type: string + ip: + description: IP is set for load-balancer ingress points + that are IP based (typically GCE or OpenStack load-balancers) + type: string + ports: + description: Ports is a list of records of service ports + If used, every port defined in the service should have + an entry in it + items: + properties: + error: + description: 'Error is to record the problem with + the service port The format of the error shall comply + with the following rules: - built-in error values + shall be specified in this file and those shall + use CamelCase names - cloud provider specific + error values must have names that comply with the format + foo.example.com/CamelCase. --- The regex it matches + is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + default: TCP + description: 'Protocol is the protocol of the service + port of which status is recorded here The supported + values are: "TCP", "UDP", "SCTP"' + type: string + required: + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: tlscertificatedelegations.projectcontour.io +spec: + preserveUnknownFields: false + group: 
projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + - tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD + specification. See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. 
+ items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + status: + description: TLSCertificateDelegationStatus allows for the status of the + delegation to be presented to the user. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com\\ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. 
\n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." 
+ maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." 
+ properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen 
+subjects: +- kind: ServiceAccount + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: contour-certgen + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen-v1.22.0 + namespace: projectcontour +spec: + template: + metadata: + labels: + app: "contour-certgen" + spec: + containers: + - name: contour + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + command: + - contour + - certgen + - --kube + - --incluster + - --overwrite + - --secrets-format=compact + - --namespace=$(CONTOUR_NAMESPACE) + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + serviceAccountName: contour-certgen + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + parallelism: 1 + completions: 1 + backoffLimit: 1 + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour-rolebinding + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour + +# The following ClusterRole and Role are generated from kubebuilder RBAC tags by +# generate-rbac.sh. Do not edit this file directly but instead edit the source +# files and re-render. 
+ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: contour +rules: +- apiGroups: + - "" + resources: + - endpoints + - namespaces + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - referencegrants + - referencepolicies + - tlsroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tlsroutes/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations + - extensionservices + - httpproxies + - tlscertificatedelegations + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations/status + - extensionservices/status + - httpproxies/status + verbs: + - create + - get + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: contour + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + +--- +apiVersion: v1 +kind: Service +metadata: + name: contour + namespace: projectcontour +spec: + ports: + - port: 8001 + name: xds + protocol: TCP + targetPort: 8001 + selector: + app: contour + type: ClusterIP + +--- +apiVersion: v1 +kind: Service +metadata: + name: envoy + namespace: projectcontour + annotations: + # This annotation puts the AWS ELB into "TCP" mode so that it does not + # do HTTP negotiation for HTTPS connections at the ELB edge. 
+ # The downside of this is the remote IP address of all connections will + # appear to be the internal address of the ELB. See docs/proxy-proto.md + # for information about enabling the PROXY protocol on the ELB to recover + # the original remote IP address. + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp +spec: + externalTrafficPolicy: Local + ports: + - port: 80 + name: http + protocol: TCP + targetPort: 8080 + - port: 443 + name: https + protocol: TCP + targetPort: 8443 + selector: + app: envoy + type: LoadBalancer + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: contour + name: contour + namespace: projectcontour +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 50% + selector: + matchLabels: + app: contour + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + labels: + app: contour + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: contour + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - args: + - serve + - --incluster + - --xds-address=0.0.0.0 + - --xds-port=8001 + - --contour-cafile=/certs/ca.crt + - --contour-cert-file=/certs/tls.crt + - --contour-key-file=/certs/tls.key + - --config-path=/config/contour.yaml + command: ["contour"] + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + name: contour + ports: + - containerPort: 8001 + name: xds + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + - containerPort: 6060 + name: debug + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: 8000 + readinessProbe: + tcpSocket: + port: 8001 + initialDelaySeconds: 15 + periodSeconds: 10 + volumeMounts: + - name: contourcert + mountPath: /certs + readOnly: 
true + - name: contour-config + mountPath: /config + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + dnsPolicy: ClusterFirst + serviceAccountName: contour + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumes: + - name: contourcert + secret: + secretName: contourcert + - name: contour-config + configMap: + name: contour + defaultMode: 0644 + items: + - key: contour.yaml + path: contour.yaml + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: envoy + name: envoy + namespace: projectcontour +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 10% + selector: + matchLabels: + app: envoy + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8002" + prometheus.io/path: "/stats/prometheus" + labels: + app: envoy + spec: + containers: + - command: + - /bin/contour + args: + - envoy + - shutdown-manager + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/contour + - envoy + - shutdown + livenessProbe: + httpGet: + path: /healthz + port: 8090 + initialDelaySeconds: 3 + periodSeconds: 10 + name: shutdown-manager + volumeMounts: + - name: envoy-admin + mountPath: /admin + - args: + - -c + - /config/envoy.json + - --service-cluster $(CONTOUR_NAMESPACE) + - --service-node $(ENVOY_POD_NAME) + - --log-level info + command: + - envoy + image: docker.io/envoyproxy/envoy:v1.22-latest + imagePullPolicy: IfNotPresent + name: envoy + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 8080 + hostPort: 80 + name: http + protocol: TCP + - 
containerPort: 8443 + hostPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8002 + initialDelaySeconds: 3 + periodSeconds: 4 + volumeMounts: + - name: envoy-config + mountPath: /config + readOnly: true + - name: envoycert + mountPath: /certs + readOnly: true + - name: envoy-admin + mountPath: /admin + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + initContainers: + - args: + - bootstrap + - /config/envoy.json + - --xds-address=contour + - --xds-port=8001 + - --xds-resource-version=v3 + - --resources-dir=/config/resources + - --envoy-cafile=/certs/ca.crt + - --envoy-cert-file=/certs/tls.crt + - --envoy-key-file=/certs/tls.key + command: + - contour + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + name: envoy-initconfig + volumeMounts: + - name: envoy-config + mountPath: /config + - name: envoycert + mountPath: /certs + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + automountServiceAccountToken: false + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - name: envoy-admin + emptyDir: {} + - name: envoy-config + emptyDir: {} + - name: envoycert + secret: + secretName: envoycert + restartPolicy: Always + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + tolerations: + - key: node-role.kubernetes.io/control-plane + operator: Equal + effect: NoSchedule + - key: node-role.kubernetes.io/master + operator: Equal + effect: NoSchedule diff --git a/deploy/kind/relations/spicedb-kind-setup/kind-kube/kind-ingress.config b/deploy/kind/relations/spicedb-kind-setup/kind-kube/kind-ingress.config new file mode 100644 index 00000000..7a496fb1 --- /dev/null +++ b/deploy/kind/relations/spicedb-kind-setup/kind-kube/kind-ingress.config 
@@ -0,0 +1,18 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: kessel-relations-cluster
+nodes:
+ - role: control-plane
+ kubeadmConfigPatches:
+ - |
+ kind: InitConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ node-labels: "ingress-ready=true"
+ extraPortMappings:
+ - containerPort: 80
+ hostPort: 8000
+ listenAddress: "0.0.0.0"
+ - containerPort: 443
+ hostPort: 8443
+ listenAddress: "0.0.0.0"
diff --git a/deploy/kind/relations/spicedb-kind-setup/postgres/README.md b/deploy/kind/relations/spicedb-kind-setup/postgres/README.md
new file mode 100644
index 00000000..00c58837
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/postgres/README.md
@@ -0,0 +1,5 @@
+`kubectl create namespace spicedb`
+
+`kubectl apply -f secret.yaml -n spicedb`
+`kubectl apply -f storage.yaml -n spicedb`
+`kubectl apply -f postgresql.yaml -n spicedb`
\ No newline at end of file
diff --git a/deploy/kind/relations/spicedb-kind-setup/postgres/postgresql.yaml b/deploy/kind/relations/spicedb-kind-setup/postgres/postgresql.yaml
new file mode 100644
index 00000000..96d60bdf
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/postgres/postgresql.yaml
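Review bot: Both `extraPortMappings` entries bind the host side with `listenAddress: "0.0.0.0"`, so ports 8000 and 8443 of the developer machine are reachable from any network the host sits on, while every hostname the setup uses (`relationships.127.0.0.1.nip.io`, `spicedb-*.127.0.0.1.nip.io` in svc.yaml and svc-ingress.yaml) resolves to loopback. For a local kind cluster `listenAddress: "127.0.0.1"` serves those hostnames equally well and keeps the ingress off the LAN; if remote access is intended, a comment saying so would stop a reader from tightening it. A one-line comment above `extraPortMappings` would also help, e.g. `# host 8000/8443 -> contour ingress 80/443; the nip.io hosts below all point at 127.0.0.1`.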
@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+ labels:
+ app: postgres
+spec:
+ ports:
+ - port: 5432
+ name: postgres
+ selector:
+ app: postgres
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: postgres
+spec:
+ selector:
+ matchLabels:
+ app: postgres
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ containers:
+ - image: postgres:latest
+ name: postgres
+ envFrom:
+ - secretRef:
+ name: postgres-credentials
+ ports:
+ - containerPort: 5432
+ name: postgres
+ securityContext:
+ privileged: false
+ volumeMounts:
+ - name: postgres-storage
+ mountPath: /var/lib/postgresql/data
+ resources:
+ limits:
+ memory: 512Mi
+ cpu: "1"
+ requests:
+ memory: 256Mi
+ cpu: "0.2"
+ volumes:
+ - name: postgres-storage
+ persistentVolumeClaim:
+ claimName: postgres-pvc
\ No newline at end of file
diff --git a/deploy/kind/relations/spicedb-kind-setup/postgres/secret.yaml b/deploy/kind/relations/spicedb-kind-setup/postgres/secret.yaml
new file mode 100644
index 00000000..55fc5836
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/postgres/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: postgres-credentials
+type: Opaque
+stringData:
+ POSTGRES_USER: postgres
+ POSTGRES_PASSWORD: yPsw5e6ab4bvAGe5H
+ POSTGRES_DB: spicedb
diff --git a/deploy/kind/relations/spicedb-kind-setup/postgres/storage.yaml b/deploy/kind/relations/spicedb-kind-setup/postgres/storage.yaml
new file mode 100644
index 00000000..5e9954aa
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/postgres/storage.yaml
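Review bot: `image: postgres:latest` is a moving tag, so the PostgreSQL major version the e2e job runs against changes whenever the image is re-pulled, and a newer major will not open a data directory written by an older one on the `Retain`ed volume from storage.yaml. Pin a major version tag (e.g. `image: postgres:16`) and do the same for `quay.io/cloudservices/kessel-relations:latest` in relations-api/deployment.yaml, so the kind environment is reproducible. `securityContext: privileged: false` is the default and adds nothing by itself; `runAsNonRoot`/`allowPrivilegeEscalation: false` are the settings that would actually constrain the container.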
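Review bot: `POSTGRES_PASSWORD` carries a literal credential in `stringData`, and the same value is repeated inside `datastore_uri` in spicedb-cr.yaml, so the two copies can silently drift and the password now lives in git history. For a kind-only environment, generate it in setup.sh (`kubectl create secret generic postgres-credentials --from-literal=...` together with the matching `datastore_uri`) or at least mark the manifest, e.g. `# Local kind cluster only - must match datastore_uri in spicedb-cr.yaml`. relations-api/secret.yaml has the same shape with `preshared_key: foobar`, which is duplicated in spicedb-cr.yaml's `preshared_key`.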
@@ -0,0 +1,30 @@
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: postgres-pv
+ labels:
+ type: local
+ app: postgres
+spec:
+ storageClassName: "standard"
+ capacity:
+ storage: 1Gi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ hostPath:
+ path: "/mnt/data"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: postgres-pvc
+ labels:
+ app: postgres
+spec:
+ storageClassName: "standard"
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
\ No newline at end of file
diff --git a/deploy/kind/relations/spicedb-kind-setup/relations-api/deployment.yaml b/deploy/kind/relations/spicedb-kind-setup/relations-api/deployment.yaml
new file mode 100644
index 00000000..b1c6bc8d
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/relations-api/deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: relationships
+ labels:
+ app: relationships
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: relationships
+ template:
+ metadata:
+ labels:
+ app: relationships
+ spec:
+ containers:
+ - name: relationships
+ image: quay.io/cloudservices/kessel-relations:latest
+ ports:
+ - containerPort: 8000
+ - containerPort: 9000
+ env:
+ - name: SPICEDB_PRESHARED
+ valueFrom:
+ secretKeyRef:
+ key: preshared_key
+ name: dev-spicedb-config
+ - name: SPICEDB_ENDPOINT
+ value: spicedb-cr:50051
\ No newline at end of file
diff --git a/deploy/kind/relations/spicedb-kind-setup/relations-api/secret.yaml b/deploy/kind/relations/spicedb-kind-setup/relations-api/secret.yaml
new file mode 100644
index 00000000..f9eaecce
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/relations-api/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dev-spicedb-config
+type: Opaque
+stringData:
+ preshared_key: foobar
+
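Review bot: The `relationships` container sets no `resources`, while the postgres Deployment added in the same patch does; on a single kind node shared with the e2e job, requests/limits keep one runaway pod from starving the rest. `SPICEDB_ENDPOINT: spicedb-cr:50051` is a bare service name, so this Deployment only reaches SpiceDB when it is applied into the same namespace as the SpiceDBCluster, which deserves a comment on that line, e.g. `# short name: apply to the namespace that holds spicedb-cr`. `containerPort: 9000` is declared here but svc.yaml only exposes 8000; if 9000 is not meant to be reachable in-cluster, dropping it removes the question.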
diff --git a/deploy/kind/relations/spicedb-kind-setup/relations-api/svc.yaml b/deploy/kind/relations/spicedb-kind-setup/relations-api/svc.yaml
new file mode 100644
index 00000000..21eb97bd
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/relations-api/svc.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: relationships-service
+ labels:
+ app: relationships
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8000
+ selector:
+ app: relationships
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: relationships-http
+ labels:
+ app: relationships
+spec:
+ rules:
+ - host: relationships.127.0.0.1.nip.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: relationships-service
+ port:
+ number: 8000
+ path: /
+ pathType: Prefix
\ No newline at end of file
diff --git a/deploy/kind/relations/spicedb-kind-setup/setup.sh b/deploy/kind/relations/spicedb-kind-setup/setup.sh
new file mode 100755
index 00000000..a1474294
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/setup.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -oe errexit
+
+if ! command -v kind &> /dev/null
+then
+ echo "kind could not be found"
+ exit
+fi
+
+if ! command -v helm &> /dev/null
+then
+ echo "helm could not be found"
+ exit
+fi
+
+if ! command -v kubectl &> /dev/null
+then
+ echo "kubectl could not be found"
+ exit
+fi
+
+# desired cluster name; default is "kind"
+echo "creating kind cluster"
+
+kind create cluster --config deploy/kind/relations/spicedb-kind-setup/kind-kube/kind-ingress.config
+
+echo "> waiting for kubernetes node(s) become ready"
+kubectl wait --for=condition=ready node --all --timeout=60s
+
+echo "deploy contour"
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/kind-kube/contour.yaml
+
+
+echo "Install spicedb-operator"
+kubectl create namespace spicedb-operator
+kubectl apply --server-side -f https://github.com/authzed/spicedb-operator/releases/latest/download/bundle.yaml -n spicedb-operator
+
+echo "create spicedb namespace"
+kubectl create namespace spicedb
+echo "deploy postgres"
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/postgres/secret.yaml -n spicedb
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/postgres/storage.yaml -n spicedb
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/postgres/postgresql.yaml -n spicedb
+
+echo "deploy spicedb"
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/spicedb-cr.yaml -n spicedb
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/svc-ingress.yaml -n spicedb
+
+while [[ -z $(kubectl get deployments.apps -n spicedb spicedb-cr-spicedb -o jsonpath="{.status.readyReplicas}" 2>/dev/null) ]]; do
+ echo "still waiting for spicedb"
+ sleep 1
+done
+echo "spicedb is ready"
+kubectl get ingresses.networking.k8s.io -n spicedb
+
+echo "Deploying relations-api service"
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/relations-api/secret.yaml -n spicedb
+kubectl apply -f 
./deploy/kind/relations/spicedb-kind-setup/relations-api/deployment.yaml -n spicedb
+kubectl apply -f ./deploy/kind/relations/spicedb-kind-setup/relations-api/svc.yaml -n spicedb
+
+while [[ -z $(kubectl get deployments.apps -n spicedb relationships -o jsonpath="{.status.readyReplicas}" 2>/dev/null) ]]; do
+ echo "still waiting for relationships"
+ sleep 1
+done
+
+echo "Route"
+kubectl get ingresses.networking.k8s.io -n spicedb
+
+echo "Relations - Write(POST) - Sample CURL request"
+echo ""
+JSON_DATA='{ "tuples": [{"resource": {"type": {"type": "group"},"id": "bob_club2"},"relation": "member","subject": {"subject": {"type": {"type": "user"},"id": "bob2"}}}]}'
+echo "curl -v http://relationships.127.0.0.1.nip.io:8000/api/authz/v1beta1/tuples -H 'Content-Type: application/json' -d '$JSON_DATA'"
diff --git a/deploy/kind/relations/spicedb-kind-setup/sm-spicedb.yaml b/deploy/kind/relations/spicedb-kind-setup/sm-spicedb.yaml
new file mode 100644
index 00000000..b39d61b0
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/sm-spicedb.yaml
@@ -0,0 +1,31 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: spicedb-cr-service-monitor
+ # Change this to the namespace the Prometheus instance is running in
+ # namespace: default
+ labels:
+ app: kube-prometheus-stack
+ release: kube-prometheus-stack
+spec:
+ jobLabel: job
+ namespaceSelector:
+ matchNames:
+ - spicedb
+ selector:
+ matchLabels:
+ authzed.com/cluster: spicedb-cr
+ endpoints:
+ - port: metrics
+ path: /metrics
+ interval: 15s
+
+
+
+
+
+
+
+
+
+
diff --git a/deploy/kind/relations/spicedb-kind-setup/spicedb-cr.yaml b/deploy/kind/relations/spicedb-kind-setup/spicedb-cr.yaml
new file mode 100644
index 00000000..78ab227b
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/spicedb-cr.yaml
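Review bot: The three prerequisite checks end in a bare `exit`, which returns status 0, so a machine without `kind` or `kubectl` leaves the script "succeeding" and any CI step around it carries on; make each one `exit 1`, and drop the `helm` block since helm is never used in the script. `set -oe errexit` is an unusual spelling that depends on how bash parses `-o` with `e` in the same word; `set -o errexit` (or `set -euo pipefail`) states the intent plainly. The operator bundle comes from `releases/latest/download`, so the spicedb-operator version is unpinned, and both `while` loops spin forever if a deployment never becomes ready — `kubectl wait --for=condition=available --timeout=120s deployment/<name> -n spicedb` gives a bound and a nonzero exit. teardown.sh repeats the bare `exit` and unused `helm` points.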
@@ -0,0 +1,33 @@
+---
+apiVersion: authzed.com/v1alpha1
+kind: SpiceDBCluster
+metadata:
+ name: spicedb-cr
+spec:
+ config:
+ logLevel: debug
+ datastoreEngine: postgres
+ #datastoreTLSSecretName: datastore-tls
+ replicas: 2
+ secretName: spicedb-config
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: spicedb-config
+stringData:
+ datastore_uri: "postgres://postgres:yPsw5e6ab4bvAGe5H@postgres:5432/spicedb?sslmode=disable"
+ preshared_key: "foobar"
+---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: datastore-tls
+# namespace: spicedb
+# stringData:
+# ca.crt: |
+# -----BEGIN CERTIFICATE-----
+# --- example aws rds ca cert
+# -----END CERTIFICATE-----
+# ---
\ No newline at end of file
diff --git a/deploy/kind/relations/spicedb-kind-setup/svc-ingress.yaml b/deploy/kind/relations/spicedb-kind-setup/svc-ingress.yaml
new file mode 100644
index 00000000..68c5e7e4
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/svc-ingress.yaml
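Review bot: `datastore_uri` ends in `sslmode=disable` and the cluster runs with `logLevel: debug`, and nothing in the file marks either as a local-only choice, so the manifest reads as a template that could be promoted unchanged. A comment on the Secret would anchor that, e.g. `# kind-only: plaintext datastore connection and debug logging; elsewhere set datastoreTLSSecretName (see below) and logLevel: info`. The commented `datastore-tls` Secret at the bottom already shows the TLS path, so the comment can point at it rather than repeat it.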
@@ -0,0 +1,72 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: spicedb-https
+ labels:
+ app: spicedb-cr
+spec:
+ rules:
+ - host: spicedb-http.127.0.0.1.nip.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: spicedb-cr
+ port:
+ number: 8443
+ path: /
+ pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: spicedb-prometheus
+ labels:
+ app: spicedb-cr
+spec:
+ rules:
+ - host: spicedb-metric.127.0.0.1.nip.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: spicedb-cr
+ port:
+ number: 9090
+ path: /
+ pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: spicedb-grpc
+ labels:
+ app: spicedb-cr
+spec:
+ rules:
+ - host: spicedb-grpc.127.0.0.1.nip.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: spicedb-cr
+ port:
+ number: 50051
+ path: /
+ pathType: Prefix
+---
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+ name: kessel
+spec:
+ virtualhost:
+ fqdn: spicedb-grpc.127.0.0.1.nip.io
+ routes:
+ - conditions:
+ - prefix: /
+ services:
+ - name: spicedb-cr
+ port: 50051
+ protocol: h2c
diff --git a/deploy/kind/relations/spicedb-kind-setup/teardown.sh b/deploy/kind/relations/spicedb-kind-setup/teardown.sh
new file mode 100755
index 00000000..42610cd7
--- /dev/null
+++ b/deploy/kind/relations/spicedb-kind-setup/teardown.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -oe errexit
+
+if ! command -v kind &> /dev/null
+then
+ echo "kind could not be found"
+ exit
+fi
+
+if ! command -v helm &> /dev/null
+then
+ echo "helm could not be found"
+ exit
+fi
+
+if ! command -v kubectl &> /dev/null
+then
+ echo "kubectl could not be found"
+ exit
+fi
+
+# desired cluster name; default is "kind"
+echo "Deleting kind cluster -- \"kessel-relations-cluster\""
+
+kind delete cluster --name kessel-relations-cluster
diff --git a/scripts/start-inventory-kind.sh b/scripts/start-inventory-kind.sh
index 6bdd2e0c..fc8b3a4f 100755
--- a/scripts/start-inventory-kind.sh
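Review bot: The `spicedb-grpc` Ingress and the `kessel` HTTPProxy both claim `spicedb-grpc.127.0.0.1.nip.io` and route to `spicedb-cr:50051`, but only the HTTPProxy sets `protocol: h2c`, which gRPC needs, so it is unclear which definition Contour honours for that host. Presumably the Ingress predates the HTTPProxy; if the HTTPProxy is the working path, drop the Ingress (or give it another host) so each hostname has one definition. The `spicedb-prometheus` Ingress also puts the metrics port 9090 behind the host-mapped ingress; a comment noting it is a local debugging convenience would keep that from being copied elsewhere.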
+++ b/scripts/start-inventory-kind.sh 
@@ -21,10 +21,39 @@ ${DOCKER} save -o inventory-e2e-tests.tar localhost/inventory-e2e-tests:e2e-test kind load image-archive inventory-api.tar --name inventory-cluster kind load image-archive inventory-e2e-tests.tar --name inventory-cluster +#kubectl create configmap inventory-api-psks --from-file=config/psks.yaml +# +#kubectl apply -f https://strimzi.io/install/latest\?namespace\=default +#kubectl apply -f deploy/kind/inventory/kessel-inventory.yaml +#kubectl apply -f deploy/kind/inventory/invdatabase.yaml +#kubectl apply -f deploy/kind/e2e/e2e-batch.yaml +#kubectl apply -f deploy/kind/inventory/strimzi.yaml + +# Create the kessel namespace +kubectl create namespace kessel + +# Deploy ConfigMap for inventory-api kubectl create configmap inventory-api-psks --from-file=config/psks.yaml +# Deploy Inventory dependencies kubectl apply -f https://strimzi.io/install/latest\?namespace\=default kubectl apply -f deploy/kind/inventory/kessel-inventory.yaml kubectl apply -f deploy/kind/inventory/invdatabase.yaml -kubectl apply -f deploy/kind/e2e/e2e-batch.yaml kubectl apply -f deploy/kind/inventory/strimzi.yaml + +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/bundle.yaml + +kubectl apply -f https://projectcontour.io/quickstart/contour.yaml +kubectl get crd httpproxies.projectcontour.io + +# Deploy SpiceDB and Relations-API in the kessel namespace +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/postgres/secret.yaml +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/postgres/postgresql.yaml +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/postgres/storage.yaml +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/spicedb-cr.yaml +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/svc-ingress.yaml +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/relations-api/secret.yaml +kubectl apply -f deploy/kind/relations/spicedb-kind-setup/relations-api/deployment.yaml +kubectl apply -f 
deploy/kind/relations/spicedb-kind-setup/relations-api/svc.yaml
+
+echo "Setup complete. Inventory API, Relations-API, and SpiceDB are running!"
\ No newline at end of file
From 9fec98a7e761a0be011d29d5be8edb3bbe99df82 Mon Sep 17 00:00:00 2001 From: Adam0Brien Date: Tue, 19 Nov 2024 13:15:31 +0000 Subject: [PATCH 8/8] set authz to allow-all --- deploy/kind/inventory/kessel-inventory.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/deploy/kind/inventory/kessel-inventory.yaml b/deploy/kind/inventory/kessel-inventory.yaml
index e4a0118d..e4fd1074 100644
--- a/deploy/kind/inventory/kessel-inventory.yaml
+++ b/deploy/kind/inventory/kessel-inventory.yaml
@@ -142,17 +142,18 @@ stringData:
 #psk:
 #pre-shared-key-file: /psks.yaml
 authz:
- #impl: allow-all
- impl: kessel
- kessel:
- insecure-client: true
- url: http://relationships-service.default.svc.cluster.local:8000
- enable-oidc-auth: false
- principal-user-domain: 0.0.0.0:8084
+ impl: allow-all
+ #impl: kessel
+ #kessel:
+ #insecure-client: true
+ #url: http://relationships-service.default.svc.cluster.local:8000
+ #enable-oidc-auth: false
+ #principal-user-domain: http://relationships-service.default.svc.cluster.local:8000
 eventing:
 eventer: stdout
 kafka:
 storage:
+ disable-persistence: true
 database: postgres
 sqlite3:
 dsn: inventory.db
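Review bot: The comment `# Deploy SpiceDB and Relations-API in the kessel namespace` and the new `kubectl create namespace kessel` do not match the `kubectl apply` lines under them, none of which passes `-n kessel`, so postgres, spicedb-cr and relations-api land in `default` (which is also what the `relationships-service.default.svc.cluster.local` URL in kessel-inventory.yaml expects). Either add `-n kessel` to that block and the URL, or correct the comment and drop the unused namespace. `kubectl get crd httpproxies.projectcontour.io` straight after applying the contour quickstart only prints; if it is meant to gate on the CRD before svc-ingress.yaml's HTTPProxy is applied a few lines later, use `kubectl wait --for=condition=established --timeout=60s crd/httpproxies.projectcontour.io`. `deploy/kind/relations/spicedb-kind-setup/bundle.yaml` is not among the files this patch adds, so presumably another patch in the series supplies it, and the commented-out copy of the old command block above `# Create the kessel namespace` is dead text that can go. The hunk starts after the `kind load` lines, whose surrounding script is outside this view.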
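Review bot: `impl: allow-all` turns authorization off for the kind deployment, and nothing in the manifest says this is an e2e convenience rather than a supported configuration; a comment on that line keeps the intent from being copied, e.g. `# allow-all: skip relations checks for the e2e job; set impl: kessel to exercise relations-api`. The commented-out `#principal-user-domain` value changed from `0.0.0.0:8084` to the full `http://relationships-service...:8000` URL, which looks like a copy of the `#url` line above it rather than a domain — worth confirming before anyone uncomments the block. `disable-persistence: true` under `storage` is a second behavioural change the commit subject does not mention.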