From 41cfa940229ac72422188d71dca80eaa125fb925 Mon Sep 17 00:00:00 2001 From: Abhishek koserwal Date: Mon, 5 Feb 2024 16:44:01 +0530 Subject: [PATCH] feat: adding spicedb setup with docker and with kind --- .gitleaks.toml | 20 + Makefile | 25 + README.md | 17 + spicedb-kind-setup/README.md | 13 + spicedb-kind-setup/install-operator.md | 15 + spicedb-kind-setup/kind-kube/README.md | 5 + spicedb-kind-setup/kind-kube/contour.yaml | 5252 +++++++++++++++++ .../kind-kube/kind-ingress.config | 18 + spicedb-kind-setup/postgres/README.md | 5 + spicedb-kind-setup/postgres/postgresql.yaml | 56 + spicedb-kind-setup/postgres/secret.yaml | 10 + spicedb-kind-setup/postgres/storage.yaml | 32 + spicedb-kind-setup/setup.sh | 55 + spicedb-kind-setup/sm-spicedb.yaml | 21 + spicedb-kind-setup/spicedb-cr.yaml | 34 + spicedb-kind-setup/svc-ingress.yaml | 72 + spicedb/.env | 4 + spicedb/README.md | 42 + spicedb/check_docker_podman.sh | 30 + spicedb/docker-compose.yaml | 62 + spicedb/secrets/db.name | 1 + spicedb/secrets/db.password | 1 + spicedb/secrets/db.user | 1 + spicedb/start-insights-rebac.sh | 1 + spicedb/start-postgresql.sh | 15 + spicedb/start-spicedb.sh | 1 + spicedb/teardown.sh | 15 + spicedb/teardownrebac.sh | 1 + 28 files changed, 5824 insertions(+) create mode 100644 .gitleaks.toml create mode 100644 spicedb-kind-setup/README.md create mode 100644 spicedb-kind-setup/install-operator.md create mode 100644 spicedb-kind-setup/kind-kube/README.md create mode 100644 spicedb-kind-setup/kind-kube/contour.yaml create mode 100644 spicedb-kind-setup/kind-kube/kind-ingress.config create mode 100644 spicedb-kind-setup/postgres/README.md create mode 100644 spicedb-kind-setup/postgres/postgresql.yaml create mode 100644 spicedb-kind-setup/postgres/secret.yaml create mode 100644 spicedb-kind-setup/postgres/storage.yaml create mode 100755 spicedb-kind-setup/setup.sh create mode 100644 spicedb-kind-setup/sm-spicedb.yaml create mode 100644 spicedb-kind-setup/spicedb-cr.yaml create mode 100644 spicedb-kind-setup/svc-ingress.yaml create mode 100644 spicedb/.env create mode 100644 spicedb/README.md create mode 100755 spicedb/check_docker_podman.sh create mode 100644 spicedb/docker-compose.yaml create mode 100644 spicedb/secrets/db.name create mode 100644 spicedb/secrets/db.password create mode 100644 spicedb/secrets/db.user create mode 100755 spicedb/start-insights-rebac.sh create mode 100755 spicedb/start-postgresql.sh create mode 100755 spicedb/start-spicedb.sh create mode 100755 spicedb/teardown.sh create mode 100755 spicedb/teardownrebac.sh diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..0e2440f --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,20 @@ +[allowlist] + description = "Global Allowlist" + + # Ignore based on any subset of the file path + paths = [ + # Ignore all example certs + '''\/example.*\.pem$''', + + # Ignore anything with the word funkymonkey anywhere in the path + '''foobar''','''yPsw5e6ab4bvAGe5H''', + + # Ignore some long path + '''examples\/some\/long\/path\/server.key$''', + ] + + # Ignore based on any subset of the line + regexes = [ + # Ignore lines containing pickles + '''yPsw5e6ab4bvAGe5H''', + ] \ No newline at end of file diff --git a/Makefile b/Makefile index 3de9f8a..befde07 100644 --- a/Makefile +++ b/Makefile @@ -63,6 +63,31 @@ all: make config; make generate; + +db: + ./spicedb/start-postgresql.sh +.PHONY: db + +spicedb: + ./spicedb/start-spicedb.sh +.PHONY: spicedb + +rebac: + ./spicedb/start-insights-rebac.sh +.PHONY: rebac + +rebac/teardown: + ./spicedb/teardownrebac.sh +.PHONY: rebac/teardown + +spicedb/teardown: + ./spicedb/teardown.sh +.PHONY: spicedb/teardown + +kind/spicedb: + ./spicedb-kind-setup/setup.sh +.PHONY: kind/spicedb + # show help help: @echo '' diff --git a/README.md b/README.md index 8fd6153..8b7f27b 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,23 @@ cd cmd/server wire ``` +## Spicedb using docker/podman + +# Run the postgresql db +`make db` + +## Run the spicedb +`make spicedb` + +## Run the insights-rebac with docker compose +`make rebac` + +## teardown spicedb and postgresql db +`make spicedb/teardown` + +## Spicedb using kind/kubernetes +`make kind/spicedb` + ## Docker ```bash # build diff --git a/spicedb-kind-setup/README.md b/spicedb-kind-setup/README.md new file mode 100644 index 0000000..c5e024c --- /dev/null +++ b/spicedb-kind-setup/README.md @@ -0,0 +1,13 @@ +# Setup Spicedb-operator with Postgres in local kind kubernetes with monitoring stack + +# Run the setup +`./setup.sh` + +## Testing grpc end-point +`grpcurl -plaintext spicedb-grpc.127.0.0.1.nip.io:80 list` +```# authzed.api.v1.ExperimentalService +# authzed.api.v1.PermissionsService +# authzed.api.v1.SchemaService +# authzed.api.v1.WatchService +# grpc.health.v1.Health +# grpc.reflection.v1alpha.ServerReflection \ No newline at end of file diff --git a/spicedb-kind-setup/install-operator.md b/spicedb-kind-setup/install-operator.md new file mode 100644 index 0000000..c084eed --- /dev/null +++ b/spicedb-kind-setup/install-operator.md @@ -0,0 +1,15 @@ +# Install Spicedb-operator + +# Create Spicedb namespace +```kubectl create namespace spicedb-operator``` + +# Deploy the Spicedb operator +``` +kubectl apply --server-side -f https://github.com/authzed/spicedb-operator/releases/latest/download/bundle.yaml -n spicedb +``` + +# Create namespace spicedb + +```kubectl create namespace spicedb``` + + diff --git a/spicedb-kind-setup/kind-kube/README.md b/spicedb-kind-setup/kind-kube/README.md new file mode 100644 index 0000000..c165d58 --- /dev/null +++ b/spicedb-kind-setup/kind-kube/README.md @@ -0,0 +1,5 @@ +# Create a Kubernetes cluster +`kind create cluster --config kind-ingress.config` + +# Configure Conture +kubectl apply -f contour.yaml \ No newline at end of file diff --git a/spicedb-kind-setup/kind-kube/contour.yaml b/spicedb-kind-setup/kind-kube/contour.yaml new file mode 100644 index 0000000..61d3008 --- /dev/null +++ b/spicedb-kind-setup/kind-kube/contour.yaml @@ -0,0 +1,5252 @@ +# This file is generated from the individual YAML files by generate-deployment.sh. Do not +# edit this file directly but instead edit the source files and re-render. +# +# Generated from: +# examples/contour/00-common.yaml +# examples/contour/01-contour-config.yaml +# examples/contour/01-crds.yaml +# examples/contour/02-job-certgen.yaml +# examples/contour/02-rbac.yaml +# examples/contour/02-role-contour.yaml +# examples/contour/02-service-contour.yaml +# examples/contour/02-service-envoy.yaml +# examples/contour/03-contour.yaml +# examples/contour/03-envoy.yaml + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour + namespace: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy + namespace: projectcontour + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: contour + namespace: projectcontour +data: + contour.yaml: | + # + # server: + # determine which XDS Server implementation to utilize in Contour. + # xds-server-type: contour + # + # Specify the Gateway API configuration. + # gateway: + # controllerName: projectcontour.io/projectcontour/contour + # + # should contour expect to be running inside a k8s cluster + # incluster: true + # + # path to kubeconfig (if not running inside a k8s cluster) + # kubeconfig: /path/to/.kube/config + # + # Disable RFC-compliant behavior to strip "Content-Length" header if + # "Tranfer-Encoding: chunked" is also set. + # disableAllowChunkedLength: false + # + # Disable Envoy's non-standard merge_slashes path transformation option + # that strips duplicate slashes from request URLs. + # disableMergeSlashes: false + # + # Disable HTTPProxy permitInsecure field + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.2" + # TLS ciphers to be supported by Envoy TLS listeners when negotiating + # TLS 1.2. + # cipher-suites: + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' + # - 'ECDHE-RSA-AES256-GCM-SHA384' + # Defines the Kubernetes name/namespace matching a secret to use + # as the fallback certificate when requests which don't match the + # SNI defined for a vhost. + fallback-certificate: + # name: fallback-secret-name + # namespace: projectcontour + envoy-client-certificate: + # name: envoy-client-cert-secret-name + # namespace: projectcontour + #### + # ExternalName Services are disabled by default due to CVE-2021-XXXXX + # You can re-enable them by setting this setting to `true`. + # This is not recommended without understanding the security implications. + # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details. + # enableExternalNameService: false + ## + # Address to be placed in status.loadbalancer field of Ingress objects. + # May be either a literal IP address or a host name. + # The value will be placed directly into the relevant field inside the status.loadBalancer struct. + # ingress-status-address: local.projectcontour.io + ### Logging options + # Default setting + accesslog-format: envoy + # The default access log format is defined by Envoy but it can be customized by setting following variable. + # accesslog-format-string: "...\n" + # To enable JSON logging in Envoy + # accesslog-format: json + # accesslog-level: info + # The default fields that will be logged are specified below. + # To customise this list, just add or remove entries. + # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" + # - "grpc_status" + # + # default-http-versions: + # - "HTTP/2" + # - "HTTP/1.1" + # + # The following shows the default proxy timeout settings. + # timeouts: + # request-timeout: infinity + # connection-idle-timeout: 60s + # stream-idle-timeout: 5m + # max-connection-duration: infinity + # delayed-close-timeout: 1s + # connection-shutdown-grace-period: 5s + # connect-timeout: 2s + # + # Envoy cluster settings. + # cluster: + # configure the cluster dns lookup family + # valid options are: auto (default), v4, v6 + # dns-lookup-family: auto + # + # Envoy network settings. + # network: + # Configure the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + # num-trusted-hops: 0 + # Configure the port used to access the Envoy Admin interface. + # admin-port: 9001 + # + # Configure an optional global rate limit service. + # rateLimitService: + # Identifies the extension service defining the rate limit service, + # formatted as /. + # extensionService: projectcontour/ratelimit + # Defines the rate limit domain to pass to the rate limit service. + # Acts as a container for a set of rate limit definitions within + # the RLS. + # domain: contour + # Defines whether to allow requests to proceed when the rate limit + # service fails to respond with a valid rate limit decision within + # the timeout defined on the extension service. + # failOpen: false + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF + # Internet-Draft linked below), on responses to clients when the Rate + # Limit Service is consulted for a request. + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + # enableXRateLimitHeaders: false + # + # Global Policy settings. + # policy: + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) + # request-headers: + # set: + # # example: the hostname of the Envoy instance that proxied the request + # X-Envoy-Hostname: %HOSTNAME% + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) + # response-headers: + # set: + # # example: Envoy flags that provide additional details about the response or connection + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% + # + # metrics: + # contour: + # address: 0.0.0.0 + # port: 8000 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + # envoy: + # address: 0.0.0.0 + # port: 8002 + # server-certificate-path: /path/to/server-cert.pem + # server-key-path: /path/to/server-private-key.pem + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: contourconfigurations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourConfiguration + listKind: ContourConfigurationList + plural: contourconfigurations + shortNames: + - contourconfig + singular: contourconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourConfiguration is the schema for a Contour instance. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ContourConfigurationSpec represents a configuration of a + Contour controller. It contains most of all the options that can be + customized, the other remaining options being command line flags. + properties: + debug: + description: Debug contains parameters to enable debug logging and + debug interfaces inside Contour. + properties: + address: + description: "Defines the Contour debug address interface. \n + Contour's default is \"127.0.0.1\"." + type: string + port: + description: "Defines the Contour debug address port. \n Contour's + default is 6060." + type: integer + type: object + enableExternalNameService: + description: "EnableExternalNameService allows processing of ExternalNameServices + \n Contour's default is false for security reasons." + type: boolean + envoy: + description: Envoy contains parameters for Envoy as well as how to + optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: ClientCertificate defines the namespace/name of the + Kubernetes secret containing the client certificate and private + key to be used when establishing TLS connection to upstream + cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: Cluster holds various configurable Envoy cluster + values that can be set in the config file. + properties: + dnsLookupFamily: + description: "DNSLookupFamily defines how external names are + looked up When configured as V4, the DNS resolver will only + perform a lookup for addresses in the IPv4 family. If V6 + is configured, the DNS resolver will only perform a lookup + for addresses in the IPv6 family. If AUTO is configured, + the DNS resolver will first perform a lookup for addresses + in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. Note: This only applies to externalName + clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. \n Values: `auto` (default), `v4`, + `v6`. \n Other values will produce an error." + type: string + type: object + defaultHTTPVersions: + description: "DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are strings + of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" + and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). + \n Other values will produce an error." + items: + description: HTTPVersionType is the name of a supported HTTP + version. + type: string + type: array + health: + description: "Health defines the endpoint Envoy uses to serve + health checks. \n Contour's default is { address: \"0.0.0.0\", + port: 8002 }." + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: "Defines the HTTP Listener for Envoy. \n Contour's + default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" + }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: "Defines the HTTPS Listener for Envoy. \n Contour's + default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" + }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: "ConnectionBalancer. If the value is exact, the + listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. \n Values: (empty string): use the + default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + \n Other values will produce an error." + type: string + disableAllowChunkedLength: + description: "DisableAllowChunkedLength disables the RFC-compliant + Envoy behavior to strip the \"Content-Length\" header if + \"Transfer-Encoding: chunked\" is also set. This is an emergency + off-switch to revert back to Envoy's default behavior in + case of failures. Please file an issue if failures are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + \n Contour's default is false." + type: boolean + disableMergeSlashes: + description: "DisableMergeSlashes disables Envoy's non-standard + merge_slashes path transformation option which strips duplicate + slashes from request URL paths. \n Contour's default is + false." + type: boolean + tls: + description: TLS holds various configurable Envoy TLS listener + values. + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n This field is optional; when + it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + \ - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + \ - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + \ - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + \ - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" + \ - \"AES256-SHA\" \n Contour recommends leaving this + undefined unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. \n Values: `1.2` + (default), `1.3`. \n Other values will produce an error." + type: string + type: object + useProxyProtocol: + description: "Use PROXY protocol for all listeners. \n Contour's + default is false." + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: "AccessLogFormat sets the global access log format. + \n Values: `envoy` (default), `json`. \n Other values will + produce an error." + type: string + accessLogFormatString: + description: AccessLogFormatString sets the access log format + when format is set to `envoy`. When empty, Envoy's default + format is used. + type: string + accessLogJSONFields: + description: AccessLogJSONFields sets the fields that JSON + logging will output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: "AccessLogLevel sets the verbosity level of the + access log. \n Values: `info` (default, meaning all requests + are logged), `error` and `disabled`. \n Other values will + produce an error." + type: string + type: object + metrics: + description: "Metrics defines the endpoint Envoy uses to serve + metrics. \n Contour's default is { address: \"0.0.0.0\", port: + 8002 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. Metrics and + health endpoints cannot have same port number when metrics + is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: "Configure the port used to access the Envoy + Admin interface. If configured to port \"0\" then the admin + interface is disabled. \n Contour's default is 9001." + type: integer + numTrustedHops: + description: "XffNumTrustedHops defines the number of additional + ingress proxy hops from the right side of the x-forwarded-for + HTTP header to trust when determining the origin client’s + IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. \n Contour's default is 0." + format: int32 + type: integer + type: object + service: + description: "Service holds Envoy service parameters for setting + Ingress status. \n Contour's default is { namespace: \"projectcontour\", + name: \"envoy\" }." + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: Timeouts holds various configurable timeouts that + can be set in the config file. + properties: + connectTimeout: + description: "ConnectTimeout defines how long the proxy should + wait when establishing connection to upstream service. If + not set, a default value of 2 seconds will be used. \n See + https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information." + type: string + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the proxy + should wait while there are no active requests (for HTTP/1.1) + or streams (for HTTP/2) before terminating an HTTP connection. + Set to \"infinity\" to disable the timeout entirely. \n + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information." + type: string + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how long + the proxy will wait between sending an initial GOAWAY frame + and a second, final GOAWAY frame when terminating an HTTP/2 + connection. During this grace period, the proxy will continue + to respond to new streams. After the final GOAWAY frame + has been sent, the proxy will refuse new streams. \n See + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information." + type: string + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy will + wait, once connection close processing has been initiated, + for the downstream peer to close the connection before Envoy + closes the socket associated with the connection. \n Setting + this timeout to 'infinity' will disable it, equivalent to + setting it to '0' in Envoy. Leaving it unset will result + in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information." + type: string + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum period + of time after an HTTP connection has been established from + the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit + or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information." + type: string + requestTimeout: + description: "RequestTimeout sets the client request timeout + globally for Contour. Note that this is a timeout for the + entire request, not an idle timeout. Omit or set to \"infinity\" + to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information." + type: string + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy + should wait while there is no request activity (for HTTP/1.1) + or stream activity (for HTTP/2) before terminating the HTTP + request or stream. Set to \"infinity\" to disable the timeout + entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information." + type: string + type: object + type: object + gateway: + description: Gateway contains parameters for the gateway-api Gateway + that Contour is configured to serve traffic. + properties: + controllerName: + description: ControllerName is used to determine whether Contour + should reconcile a GatewayClass. The string takes the form of + "projectcontour.io//contour". If unset, the gatewayclass + controller will not be started. Exactly one of ControllerName + or GatewayRef must be set. + type: string + gatewayRef: + description: GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile only + this gateway, and will not reconcile any gateway classes. Exactly + one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + health: + description: "Health defines the endpoints Contour uses to serve health + checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 + }." + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: "DisablePermitInsecure disables the use of the permitInsecure + field in HTTPProxy. \n Contour's default is false." + type: boolean + fallbackCertificate: + description: FallbackCertificate defines the namespace/name of + the Kubernetes secret to use as fallback when a non-SNI request + is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces for + root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: "Metrics defines the endpoint Contour uses to serve metrics. + \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. Metrics and health + endpoints cannot have same port number when metrics is served + over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: "ApplyToIngress determines if the Policies will apply + to ingress objects \n Contour's default is false." + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: RateLimitService optionally holds properties of the Rate + Limit Service to be used for global rate limiting. + properties: + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include + the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, + and X-RateLimit-Reset (as defined by the IETF Internet-Draft + linked below), on responses to clients when the Rate Limit Service + is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: FailOpen defines whether to allow requests to proceed + when the Rate Limit Service fails to respond with a valid rate + limit decision within the timeout defined on the extension service. + type: boolean + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: "Defines the xDS gRPC API address which Contour will + serve. \n Contour's default is \"0.0.0.0\"." + minLength: 1 + type: string + port: + description: "Defines the xDS gRPC API port which Contour will + serve. \n Contour's default is 8001." + type: integer + tls: + description: "TLS holds TLS file config details. \n Contour's + default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", + keyFile: \"/certs/tls.key\", insecure: false }." + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: "Defines the XDSServer to use for `contour serve`. + \n Values: `contour` (default), `envoy`. \n Other values will + produce an error." + type: string + type: object + type: object + status: + description: ContourConfigurationStatus defines the observed state of + a ContourConfiguration resource. + properties: + conditions: + description: "Conditions contains the current status of the Contour + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: contourdeployments.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourDeployment + listKind: ContourDeploymentList + plural: contourdeployments + shortNames: + - contourdeploy + singular: contourdeployment + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourDeployment is the schema for a Contour Deployment. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ContourDeploymentSpec specifies options for how a Contour + instance should be provisioned. + properties: + contour: + description: Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane and + associated resources, including things like replica count for the + Deployment, and node placement constraints for the pods. + properties: + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Contour pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: "NodeSelector is the simplest recommended form + of node selection constraint and specifies a map of key-value + pairs. For the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). \n If unset, + the pod(s) will be scheduled to any available node." + type: object + tolerations: + description: "Tolerations work with taints to ensure that + pods are not scheduled onto inappropriate nodes. One or + more taints are applied to a node; this marks that the node + should not accept any pods that do not tolerate the taints. + \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details." + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: Replicas is the desired number of Contour replicas. + If unset, defaults to 2. + format: int32 + minimum: 0 + type: integer + type: object + envoy: + description: Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane and associated + resources, including things like the workload type to use (DaemonSet + or Deployment), node placement constraints for the pods, and various + options for the Envoy service. + properties: + networkPublishing: + description: NetworkPublishing defines how to expose Envoy to + a network. + properties: + serviceAnnotations: + additionalProperties: + type: string + description: ServiceAnnotations is the annotations to add + to the provisioned Envoy service. + type: object + type: + description: "NetworkPublishingType is the type of publishing + strategy to use. Valid values are: \n * LoadBalancerService + \n In this configuration, network endpoints for Envoy use + container networking. A Kubernetes LoadBalancer Service + is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n * NodePortService \n Publishes Envoy network endpoints + using a Kubernetes NodePort Service. \n In this configuration, + Envoy network endpoints use container networking. A Kubernetes + NodePort Service is created to publish the network endpoints. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + \n * ClusterIPService \n Publishes Envoy network endpoints + using a Kubernetes ClusterIP Service. \n In this configuration, + Envoy network endpoints use container networking. A Kubernetes + ClusterIP Service is created to publish the network endpoints. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + \n If unset, defaults to LoadBalancerService." + type: string + type: object + nodePlacement: + description: NodePlacement describes node scheduling configuration + of Envoy pods. + properties: + nodeSelector: + additionalProperties: + type: string + description: "NodeSelector is the simplest recommended form + of node selection constraint and specifies a map of key-value + pairs. For the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). \n If unset, + the pod(s) will be scheduled to any available node." + type: object + tolerations: + description: "Tolerations work with taints to ensure that + pods are not scheduled onto inappropriate nodes. One or + more taints are applied to a node; this marks that the node + should not accept any pods that do not tolerate the taints. + \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details." + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: Replicas is the desired number of Envoy replicas. + If WorkloadType is not "Deployment", this field is ignored. + Otherwise, if unset, defaults to 2. + format: int32 + minimum: 0 + type: integer + workloadType: + description: WorkloadType is the type of workload to install Envoy + as. Choices are DaemonSet and Deployment. If unset, defaults + to DaemonSet. + type: string + type: object + runtimeSettings: + description: RuntimeSettings is a ContourConfiguration spec to be + used when provisioning a Contour instance that will influence aspects + of the Contour instance's runtime behavior. + properties: + debug: + description: Debug contains parameters to enable debug logging + and debug interfaces inside Contour. + properties: + address: + description: "Defines the Contour debug address interface. + \n Contour's default is \"127.0.0.1\"." + type: string + port: + description: "Defines the Contour debug address port. \n Contour's + default is 6060." + type: integer + type: object + enableExternalNameService: + description: "EnableExternalNameService allows processing of ExternalNameServices + \n Contour's default is false for security reasons." + type: boolean + envoy: + description: Envoy contains parameters for Envoy as well as how + to optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: ClientCertificate defines the namespace/name + of the Kubernetes secret containing the client certificate + and private key to be used when establishing TLS connection + to upstream cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: Cluster holds various configurable Envoy cluster + values that can be set in the config file. + properties: + dnsLookupFamily: + description: "DNSLookupFamily defines how external names + are looked up When configured as V4, the DNS resolver + will only perform a lookup for addresses in the IPv4 + family. If V6 is configured, the DNS resolver will only + perform a lookup for addresses in the IPv6 family. If + AUTO is configured, the DNS resolver will first perform + a lookup for addresses in the IPv6 family and fallback + to a lookup for addresses in the IPv4 family. Note: + This only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. \n Values: `auto` (default), `v4`, + `v6`. \n Other values will produce an error." + type: string + type: object + defaultHTTPVersions: + description: "DefaultHTTPVersions defines the default set + of HTTPS versions the proxy should accept. HTTP versions + are strings of the form \"HTTP/xx\". Supported versions + are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, + `HTTP/2` (default: both). \n Other values will produce an + error." + items: + description: HTTPVersionType is the name of a supported + HTTP version. + type: string + type: array + health: + description: "Health defines the endpoint Envoy uses to serve + health checks. \n Contour's default is { address: \"0.0.0.0\", + port: 8002 }." + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + http: + description: "Defines the HTTP Listener for Envoy. \n Contour's + default is { address: \"0.0.0.0\", port: 8080, accessLog: + \"/dev/stdout\" }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + https: + description: "Defines the HTTPS Listener for Envoy. \n Contour's + default is { address: \"0.0.0.0\", port: 8443, accessLog: + \"/dev/stdout\" }." + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: "ConnectionBalancer. If the value is exact, + the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. \n Values: (empty string): use + the default ConnectionBalancer, `exact`: use the Exact + ConnectionBalancer. \n Other values will produce an + error." + type: string + disableAllowChunkedLength: + description: "DisableAllowChunkedLength disables the RFC-compliant + Envoy behavior to strip the \"Content-Length\" header + if \"Transfer-Encoding: chunked\" is also set. This + is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an + issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 + \n Contour's default is false." + type: boolean + disableMergeSlashes: + description: "DisableMergeSlashes disables Envoy's non-standard + merge_slashes path transformation option which strips + duplicate slashes from request URL paths. \n Contour's + default is false." + type: boolean + tls: + description: TLS holds various configurable Envoy TLS + listener values. + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n This + field is optional; when it is undefined, a Contour-managed + ciphersuite list will be used, which may be updated + to keep it secure. \n Contour's default list is: + \ - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + \ - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + \ - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + \ - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + \ - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - + \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \ - \"ECDHE-ECDSA-AES256-SHA\" - \"ECDHE-RSA-AES256-SHA\" + \ - \"AES256-GCM-SHA384\" - \"AES256-SHA\" \n + Contour recommends leaving this undefined unless + you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. \n Values: + `1.2` (default), `1.3`. \n Other values will produce + an error." + type: string + type: object + useProxyProtocol: + description: "Use PROXY protocol for all listeners. \n + Contour's default is false." + type: boolean + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: "AccessLogFormat sets the global access log + format. \n Values: `envoy` (default), `json`. \n Other + values will produce an error." + type: string + accessLogFormatString: + description: AccessLogFormatString sets the access log + format when format is set to `envoy`. When empty, Envoy's + default format is used. + type: string + accessLogJSONFields: + description: AccessLogJSONFields sets the fields that + JSON logging will output when AccessLogFormat is json. + items: + type: string + type: array + accessLogLevel: + description: "AccessLogLevel sets the verbosity level + of the access log. \n Values: `info` (default, meaning + all requests are logged), `error` and `disabled`. \n + Other values will produce an error." + type: string + type: object + metrics: + description: "Metrics defines the endpoint Envoy uses to serve + metrics. \n Contour's default is { address: \"0.0.0.0\", + port: 8002 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. Metrics + and health endpoints cannot have same port number when + metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + description: "Configure the port used to access the Envoy + Admin interface. If configured to port \"0\" then the + admin interface is disabled. \n Contour's default is + 9001." + type: integer + numTrustedHops: + description: "XffNumTrustedHops defines the number of + additional ingress proxy hops from the right side of + the x-forwarded-for HTTP header to trust when determining + the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. \n Contour's default is 0." + format: int32 + type: integer + type: object + service: + description: "Service holds Envoy service parameters for setting + Ingress status. \n Contour's default is { namespace: \"projectcontour\", + name: \"envoy\" }." + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: Timeouts holds various configurable timeouts + that can be set in the config file. + properties: + connectTimeout: + description: "ConnectTimeout defines how long the proxy + should wait when establishing connection to upstream + service. If not set, a default value of 2 seconds will + be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information." + type: string + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the + proxy should wait while there are no active requests + (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to \"infinity\" to disable the + timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information." + type: string + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how + long the proxy will wait between sending an initial + GOAWAY frame and a second, final GOAWAY frame when terminating + an HTTP/2 connection. During this grace period, the + proxy will continue to respond to new streams. After + the final GOAWAY frame has been sent, the proxy will + refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information." + type: string + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy + will wait, once connection close processing has been + initiated, for the downstream peer to close the connection + before Envoy closes the socket associated with the connection. + \n Setting this timeout to 'infinity' will disable it, + equivalent to setting it to '0' in Envoy. Leaving it + unset will result in the Envoy default value being used. + \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information." + type: string + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum + period of time after an HTTP connection has been established + from the client to the proxy before it is closed by + the proxy, regardless of whether there has been activity + or not. Omit or set to \"infinity\" for no max duration. + \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information." + type: string + requestTimeout: + description: "RequestTimeout sets the client request timeout + globally for Contour. Note that this is a timeout for + the entire request, not an idle timeout. Omit or set + to \"infinity\" to disable the timeout entirely. \n + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information." + type: string + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy + should wait while there is no request activity (for + HTTP/1.1) or stream activity (for HTTP/2) before terminating + the HTTP request or stream. Set to \"infinity\" to disable + the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information." + type: string + type: object + type: object + gateway: + description: Gateway contains parameters for the gateway-api Gateway + that Contour is configured to serve traffic. + properties: + controllerName: + description: ControllerName is used to determine whether Contour + should reconcile a GatewayClass. The string takes the form + of "projectcontour.io//contour". If unset, the + gatewayclass controller will not be started. Exactly one + of ControllerName or GatewayRef must be set. + type: string + gatewayRef: + description: GatewayRef defines a specific Gateway that this + Contour instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway classes. + Exactly one of ControllerName or GatewayRef must be set. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: object + health: + description: "Health defines the endpoints Contour uses to serve + health checks. \n Contour's default is { address: \"0.0.0.0\", + port: 8000 }." + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: "DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. \n Contour's default + is false." + type: boolean + fallbackCertificate: + description: FallbackCertificate defines the namespace/name + of the Kubernetes secret to use as fallback when a non-SNI + request is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: "Metrics defines the endpoint Contour uses to serve + metrics. \n Contour's default is { address: \"0.0.0.0\", port: + 8000 }." + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: TLS holds TLS file config details. Metrics and + health endpoints cannot have same port number when metrics + is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: "ApplyToIngress determines if the Policies will + apply to ingress objects \n Contour's default is false." + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: RateLimitService optionally holds properties of the + Rate Limit Service to be used for global rate limiting. + properties: + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include + the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, + and X-RateLimit-Reset (as defined by the IETF Internet-Draft + linked below), on responses to clients when the Rate Limit + Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: FailOpen defines whether to allow requests to + proceed when the Rate Limit Service fails to respond with + a valid rate limit decision within the timeout defined on + the extension service. + type: boolean + required: + - extensionService + type: object + xdsServer: + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: "Defines the xDS gRPC API address which Contour + will serve. \n Contour's default is \"0.0.0.0\"." + minLength: 1 + type: string + port: + description: "Defines the xDS gRPC API port which Contour + will serve. \n Contour's default is 8001." + type: integer + tls: + description: "TLS holds TLS file config details. \n Contour's + default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", + keyFile: \"/certs/tls.key\", insecure: false }." + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + type: object + type: + description: "Defines the XDSServer to use for `contour serve`. + \n Values: `contour` (default), `envoy`. \n Other values + will produce an error." + type: string + type: object + type: object + type: object + status: + description: ContourDeploymentStatus defines the observed state of a ContourDeployment + resource. + properties: + conditions: + description: Conditions describe the current conditions of the ContourDeployment + resource. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: extensionservices.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ExtensionService + listKind: ExtensionServiceList + plural: extensionservices + shortNames: + - extensionservice + - extensionservices + singular: extensionservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExtensionService is the schema for the Contour extension services + API. An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating components. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExtensionServiceSpec defines the desired state of an ExtensionService + resource. + properties: + loadBalancerPolicy: + description: The policy for load balancing GRPC service requests. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy is chosen. + If an element of the supplied list of hash policies is invalid, + it will be ignored. If the list of hash policies is empty after + validation, the load balancing strategy will fall back the the + default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for an + individual hash policy on a request attribute. + properties: + hashSourceIP: + description: HashSourceIP should be set to true when request + source IP hash based load balancing is desired. It must + be the only hash option field set, otherwise this request + hash policy object will be ignored. + type: boolean + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must be + the only hash option field set, otherwise this request + hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP request + header that will be used to calculate the hash key. + If the header specified is not present on a request, + no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: QueryParameterHashOptions should be set when + request query parameter hash based load balancing is desired. + It must be the only hash option field set, otherwise this + request hash policy object will be ignored. + properties: + parameterName: + description: ParameterName is the name of the HTTP request + query parameter that will be used to calculate the + hash key. If the query parameter specified is not + present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to true, + and the request attribute specified in the attribute hash + options is present, no further hash policies will be used + to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are `Random`, + `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. + If an unknown strategy name is specified or no policy is supplied, + the default `RoundRobin` policy is used. + type: string + type: object + protocol: + description: Protocol may be used to specify (or override) the protocol + used to reach this Service. Values may be h2 or h2c. If omitted, + protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + type: string + protocolVersion: + description: This field sets the version of the GRPC protocol that + Envoy uses to send requests to the extension service. Since Contour + always uses the v3 Envoy API, this is currently fixed at "v3". However, + other protocol options will be available in future. + enum: + - v3 + type: string + services: + description: Services specifies the set of Kubernetes Service resources + that receive GRPC extension API requests. If no weights are specified + for any of the entries in this array, traffic will be spread evenly + across all the services. Otherwise, traffic is balanced proportionally + to the Weight field in each entry. + items: + description: ExtensionServiceTarget defines an Kubernetes Service + to target with extension service traffic. + properties: + name: + description: Name is the name of Kubernetes service that will + accept service traffic. + type: string + port: + description: Port (defined as Integer) to proxy traffic to since + a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + weight: + description: Weight defines proportion of traffic to balance + to the Kubernetes Service. + format: int32 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for requests to the services. + properties: + idle: + description: Timeout for how long the proxy should wait while + there is no activity during single request/response (for HTTP/1.1) + or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 + connection is idle between two consecutive requests. If not + specified, there is no per-route idle timeout, though a connection + manager-wide stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: Timeout for how long connection from the proxy to + the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, Envoy's + default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + validation: + description: UpstreamValidation defines how to verify the backend + service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes secret + used to validate the certificate presented by the backend. The + secret must contain key named ca.crt. + type: string + subjectName: + description: Key which is expected to be present in the 'subjectAltName' + of the presented certificate. + type: string + required: + - caSecret + - subjectName + type: object + required: + - services + type: object + status: + description: ExtensionServiceStatus defines the observed state of an ExtensionService + resource. + properties: + conditions: + description: "Conditions contains the current status of the ExtensionService + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: httpproxies.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: Includes allow for specific routing configuration to + be included from another HTTPProxy, possibly in another namespace. + items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: 'Conditions are a set of rules that are applied + to included HTTPProxies. In effect, they are added onto the + Conditions of included HTTPProxy Route structs. When applied, + they are merged using AND, with one exception: There can be + only one Prefix MatchCondition per Conditions slice. More + than one Prefix, or contradictory Conditions, will make the + include invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + ingressClassName: + description: IngressClassName optionally specifies the ingress class + to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is + set, it is given precedence over this field. + type: string + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + authPolicy: + description: AuthPolicy updates the authorization policy that + was set on the root HTTPProxy object for client requests that + match this route. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that are + sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the entries + are merged such that the inner scope overrides matching + keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + conditions: + description: 'Conditions are a set of rules that are applied + to a Route. When applied, they are merged using AND, with + one exception: There can be only one Prefix MatchCondition + per Conditions slice. More than one Prefix, or contradictory + Conditions, will make the route invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header attributes. + Note that rewritten cookie names must be unique in this list. + Order rewrite policies are specified in does not matter. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the Set-Cookie + Domain element. If not set, Domain will not be rewritten. + properties: + value: + description: Value is the value to rewrite the Domain + attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the Path + attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute will + not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie Secure + element. If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + directResponsePolicy: + description: DirectResponsePolicy returns an arbitrary HTTP + response directly. + properties: + body: + description: "Body is the content of the response body. + If this setting is omitted, no body is included in the + generated response. \n Note: Body is not recommended to + set too long otherwise it can have significant resource + usage impacts." + type: string + statusCode: + description: StatusCode is the HTTP response status to be + returned. + maximum: 599 + minimum: 200 + type: integer + required: + - statusCode + type: object + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP health + check request. If left empty (default value), the name + "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash + policies to apply when the `RequestHash` load balancing + strategy is chosen. If an element of the supplied list + of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load + balancing strategy will fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration + for an individual hash policy on a request attribute. + properties: + hashSourceIP: + description: HashSourceIP should be set to true when + request source IP hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: HeaderHashOptions should be set when + request header hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not + present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: QueryParameterHashOptions should be set + when request query parameter hash based load balancing + is desired. It must be the only hash option field + set, otherwise this request hash policy object will + be ignored. + properties: + parameterName: + description: ParameterName is the name of the + HTTP request query parameter that will be used + to calculate the hash key. If the query parameter + specified is not present on a request, no hash + will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set + to true, and the request attribute specified in + the attribute hash options is present, no further + hash policies will be used to calculate a hash for + the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy + names are `Random`, `RoundRobin`, `WeightedLeastRequest`, + `Cookie`, and `RequestHash`. If an unknown strategy name + is specified or no policy is supplied, the default `RoundRobin` + policy is used. + type: string + type: object + pathRewritePolicy: + description: The policy for rewriting the path of the request + URL after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: "Prefix specifies the URL path prefix + to be replaced. \n If Prefix is specified, it must + exactly match the MatchCondition prefix that is + rendered by the chain of including HTTPProxies and + only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through + multiple roots to only replace specific path prefixes, + leaving others unmodified. \n If Prefix is not specified, + all routing prefixes rendered by the include chain + will be replaced." + minLength: 1 + type: string + replacement: + description: Replacement is the string that the routing + path prefix will be replaced with. This must not + be empty. + minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: Allow this path to respond to insecure requests + over HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + rateLimitPolicy: + description: The policy for rate limiting on the route. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to + an external rate limit service (RLS) for a rate limit + decision on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit + service. Each descriptor contains 1+ key-value pair + entries. + items: + description: RateLimitDescriptor defines a list of + key-value pair generators. + properties: + entries: + description: Entries is the list of key-value + pair generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this + struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of + the descriptor entry. If not set, + the key is set to "generic_key". + type: string + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given + header is present on the request. The + descriptor key is static, and the descriptor + value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the + name of the header to look for on + the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if + the request's headers match a set of 1+ + match criteria. The descriptor key is + "header_match", and the descriptor value + is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match + the match criteria in order to generate + a descriptor entry (i.e. true), or + not match the match criteria in order + to generate a descriptor entry (i.e. + false). The default is true. + type: boolean + headers: + description: Headers is a list of 1+ + match criteria to apply against the + request to determine whether to populate + the descriptor entry or not. + items: + description: HeaderMatchCondition + specifies how to conditionally match + against HTTP headers. The Name field + is required, but only one of the + remaining fields should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a + string that the header value + must be equal to. + type: string + name: + description: Name is the name + of the header to match against. + Name is required. Header names + are case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be + present in the header value. + type: string + notexact: + description: NoExact specifies + a string that the header value + must not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when + the named header is not present. + Note that setting NotPresent + to false does not make the condition + true if the named header is + present. + type: boolean + present: + description: Present specifies + that condition is true when + the named header is present, + regardless of its value. Note + that setting Present to false + does not make the condition + true if the named header is + absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per + unit of time should be allowed before rate limiting + occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within + which requests over the limit will be rate limited. + Valid values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + requestRedirectPolicy: + description: RequestRedirectPolicy defines an HTTP redirection. + properties: + hostname: + description: Hostname is the precise hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. No wildcards + are allowed. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path allows for redirection to a different + path from the original on the request. The path must start + with a leading slash. \n Note: Only one of Path or Prefix + can be defined." + pattern: ^\/.*$ + type: string + port: + description: Port is the port to be used in the value of + the `Location` header in the response. When empty, port + (if specified) of the request is used. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + prefix: + description: "Prefix defines the value to swap the matched + prefix or path with. The prefix must start with a leading + slash. \n Note: Only one of Path or Prefix can be defined." + pattern: ^\/.*$ + type: string + scheme: + description: Scheme is the scheme to be used in the value + of the `Location` header in the response. When empty, + the scheme of the request is used. + enum: + - http + - https + type: string + statusCode: + default: 302 + description: StatusCode is the HTTP status code to be used + in response. + enum: + - 301 + - 302 + type: integer + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + default: 1 + description: NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. If set to 0 or + not supplied, the value is set to the Envoy default of + 1. + format: int64 + minimum: -1 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + retriableStatusCodes: + description: "RetriableStatusCodes specifies the HTTP status + codes that should be retried. \n This field is only respected + when you include `retriable-status-codes` in the `RetryOn` + field." + items: + format: int32 + type: integer + type: array + retryOn: + description: "RetryOn specifies the conditions on which + to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + \n - `5xx` - `gateway-error` - `reset` - `connect-failure` + - `retriable-4xx` - `refused-stream` - `retriable-status-codes` + - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + \n - `cancelled` - `deadline-exceeded` - `internal` - + `resource-exhausted` - `unavailable`" + items: + description: RetryOn is a string type alias with validation + to ensure that the value is valid. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - retriable-headers + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the + Set-Cookie Domain element. If not set, Domain + will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Domain attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for + which attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Path attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute + will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie + Secure element. If not set, Secure attribute will + not be rewritten. + type: boolean + required: + - name + type: object + type: array + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to + proxy traffic. Names defined here will be used to look + up corresponding endpoints which contain the ips to + route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may + be tls, h2, h2c. If omitted, protocol-selection falls + back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers + during proxying. Rewriting the 'Host' header is not + supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes + secret used to validate the certificate presented + by the backend. The secret must contain key named + ca.crt. + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate. + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: Timeout for how long the proxy should wait + while there is no activity during single request/response + (for HTTP/1.1) or stream (for HTTP/2). Timeout will not + trigger while HTTP/1.1 connection is idle between two + consecutive requests. If not specified, there is no per-route + idle timeout, though a connection manager-wide stream_idle_timeout + default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + idleConnection: + description: Timeout for how long connection from the proxy + to the upstream service is kept when there are no active + requests. If not supplied, Envoy's default value of 1h + applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, + Envoy's default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: "IncludesDeprecated allow for specific routing configuration + to be appended to another HTTPProxy in another namespace. \n + Exists due to a mistake when developing HTTPProxy and the field + was marked plural when it should have been singular. This field + should stay to not break backwards compatibility to v1 users." + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: The load balancing policy for the backend services. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy + is chosen. If an element of the supplied list of hash policies + is invalid, it will be ignored. If the list of hash policies + is empty after validation, the load balancing strategy will + fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for + an individual hash policy on a request attribute. + properties: + hashSourceIP: + description: HashSourceIP should be set to true when + request source IP hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + type: boolean + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must + be the only hash option field set, otherwise this + request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not present + on a request, no hash will be produced. + minLength: 1 + type: string + type: object + queryParameterHashOptions: + description: QueryParameterHashOptions should be set + when request query parameter hash based load balancing + is desired. It must be the only hash option field + set, otherwise this request hash policy object will + be ignored. + properties: + parameterName: + description: ParameterName is the name of the HTTP + request query parameter that will be used to calculate + the hash key. If the query parameter specified + is not present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to + true, and the request attribute specified in the attribute + hash options is present, no further hash policies + will be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy names + are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the Set-Cookie + Domain element. If not set, Domain will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Domain attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Path attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute + will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie + Secure element. If not set, Secure attribute will + not be rewritten. + type: boolean + required: + - name + type: object + type: array + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be + tls, h2, h2c. If omitted, protocol-selection falls back + on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes + secret used to validate the certificate presented + by the backend. The secret must contain key named + ca.crt. + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate. + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root" HTTPProxy. + properties: + authorization: + description: This field configures an extension service to perform + authorization for this virtual host. Authorization can only + be configured on virtual hosts that have TLS enabled. If the + TLS configuration requires client certificate validation, the + client certificate is always included in the authentication + check request. + properties: + authPolicy: + description: AuthPolicy sets a default authorization policy + for client requests. This policy will be used unless overridden + by individual routes. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that + are sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the + entries are merged such that the inner scope overrides + matching keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this field + is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this field + is not specifies, the namespace of the resource that + targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request is forwarded + to the upstream service even if the authorization server + fails to respond. This field should not be set in most cases. + It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time to wait + for a check response from the authorization server. Timeout + durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". The string "infinity" is also a valid input and specifies + no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy + will buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of + message body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to + Authorization Server is in raw bytes. + type: boolean + type: object + required: + - extensionRef + type: object + corsPolicy: + description: Specifies the cross-origin policy to apply to the + VirtualHost. + properties: + allowCredentials: + description: Specifies whether the resource allows credentials. + type: boolean + allowHeaders: + description: AllowHeaders specifies the content for the *access-control-allow-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowMethods: + description: AllowMethods specifies the content for the *access-control-allow-methods* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowOrigin: + description: AllowOrigin specifies the origins that will be + allowed to do CORS requests. "*" means allow any origin. + items: + type: string + type: array + exposeHeaders: + description: ExposeHeaders Specifies the content for the *access-control-expose-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + maxAge: + description: MaxAge indicates for how long the results of + a preflight request can be cached. MaxAge durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". Only positive values are allowed while 0 disables the + cache requiring a preflight OPTIONS check for all cross-origin + requests. + type: string + required: + - allowMethods + - allowOrigin + type: object + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn. + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + rateLimitPolicy: + description: The policy for rate limiting on the virtual host. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to an + external rate limit service (RLS) for a rate limit decision + on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit service. + Each descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this struct + must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of the + descriptor entry. If not set, the key + is set to "generic_key". + type: string + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given header + is present on the request. The descriptor + key is static, and the descriptor value + is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if the + request's headers match a set of 1+ match + criteria. The descriptor key is "header_match", + and the descriptor value is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match the + match criteria in order to generate + a descriptor entry (i.e. true), or not + match the match criteria in order to + generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: Headers is a list of 1+ match + criteria to apply against the request + to determine whether to populate the + descriptor entry or not. + items: + description: HeaderMatchCondition specifies + how to conditionally match against + HTTP headers. The Name field is required, + but only one of the remaining fields + should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + name: + description: Name is the name of + the header to match against. Name + is required. Header names are + case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be present + in the header value. + type: string + notexact: + description: NoExact specifies a + string that the header value must + not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when the + named header is not present. Note + that setting NotPresent to false + does not make the condition true + if the named header is present. + type: boolean + present: + description: Present specifies that + condition is true when the named + header is present, regardless + of its value. Note that setting + Present to false does not make + the condition true if the named + header is absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per unit + of time should be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within which + requests over the limit will be rate limited. Valid + values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + tls: + description: If present the fields describes TLS properties of + the virtual host. The SNI names that will be matched on are + described in fqdn, the tls.secretName secret must contain a + certificate that itself contains a name that matches the FQDN. + properties: + clientValidation: + description: "ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. \n This setting: \n 1. Enables TLS client certificate + validation. 2. Specifies how the client certificate will + be validated (i.e. validation required or skipped). \n + Note: Setting client certificate validation to be skipped + should be only used in conjunction with an external authorization + server that performs client validation as Contour will ensure + client certificates are passed along." + properties: + caSecret: + description: Name of a Kubernetes secret that contains + a CA certificate bundle. The secret must contain key + named ca.crt. The client certificate must validate against + the certificates in the bundle. If specified and SkipClientCertValidation + is true, client certificates will be required on requests. + minLength: 1 + type: string + crlOnlyVerifyLeafCert: + description: If this option is set to true, only the certificate + at the end of the certificate chain will be subject + to validation by CRL. + type: boolean + crlSecret: + description: Name of a Kubernetes opaque secret that contains + a concatenated list of PEM encoded CRLs. The secret + must contain key named crl.pem. This field will be used + to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert + is true. Large CRL lists are not supported since individual + secrets are limited to 1MiB in size. + minLength: 1 + type: string + skipClientCertValidation: + description: SkipClientCertValidation disables downstream + client certificate validation. Defaults to false. This + field is intended to be used in conjunction with external + authorization in order to enable the external authorization + server to validate client certificates. When this field + is set to true, client certificates are requested but + not verified by Envoy. If CACertificate is specified, + client certificates are required on requests, but not + verified. If external authorization is in use, they + are presented to the external authorization server. + type: boolean + type: object + enableFallbackCertificate: + description: EnableFallbackCertificate defines if the vhost + should allow a default certificate to be applied which handles + all requests which don't match the SNI defined in this vhost. + type: boolean + minimumProtocolVersion: + description: MinimumProtocolVersion is the minimum TLS version + this vhost should negotiate. Valid options are `1.2` (default) + and `1.3`. Any other value defaults to TLS 1.2. + type: string + passthrough: + description: Passthrough defines whether the encrypted TLS + handshake will be passed through to the backing cluster. + Either Passthrough or SecretName must be specified, but + not both. + type: boolean + secretName: + description: SecretName is the name of a TLS secret in the + current namespace. Either SecretName or Passthrough must + be specified, but not both. If specified, the named secret + must contain a matching certificate for the virtual host's + FQDN. + type: string + type: object + required: + - fqdn + type: object + type: object + status: + default: + currentStatus: NotReconciled + description: Waiting for controller + description: Status is a container for computed information about the + HTTPProxy. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com/ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentStatus: + type: string + description: + type: string + loadBalancer: + description: LoadBalancer contains the current status of the load + balancer. + properties: + ingress: + description: Ingress is a list containing ingress points for the + load-balancer. Traffic intended for the service should be sent + to these ingress points. + items: + description: 'LoadBalancerIngress represents the status of a + load-balancer ingress point: traffic intended for the service + should be sent to an ingress point.' + properties: + hostname: + description: Hostname is set for load-balancer ingress points + that are DNS based (typically AWS load-balancers) + type: string + ip: + description: IP is set for load-balancer ingress points + that are IP based (typically GCE or OpenStack load-balancers) + type: string + ports: + description: Ports is a list of records of service ports + If used, every port defined in the service should have + an entry in it + items: + properties: + error: + description: 'Error is to record the problem with + the service port The format of the error shall comply + with the following rules: - built-in error values + shall be specified in this file and those shall + use CamelCase names - cloud provider specific + error values must have names that comply with the format + foo.example.com/CamelCase. --- The regex it matches + is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + default: TCP + description: 'Protocol is the protocol of the service + port of which status is recorded here The supported + values are: "TCP", "UDP", "SCTP"' + type: string + required: + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: tlscertificatedelegations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + - tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD + specification. See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + status: + description: TLSCertificateDelegationStatus allows for the status of the + delegation to be presented to the user. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com\\ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen +subjects: +- kind: ServiceAccount + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: contour-certgen + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen-v1.22.0 + namespace: projectcontour +spec: + template: + metadata: + labels: + app: "contour-certgen" + spec: + containers: + - name: contour + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + command: + - contour + - certgen + - --kube + - --incluster + - --overwrite + - --secrets-format=compact + - --namespace=$(CONTOUR_NAMESPACE) + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + serviceAccountName: contour-certgen + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + parallelism: 1 + completions: 1 + backoffLimit: 1 + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour-rolebinding + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour + +# The following ClusterRole and Role are generated from kubebuilder RBAC tags by +# generate-rbac.sh. Do not edit this file directly but instead edit the source +# files and re-render. + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: contour +rules: +- apiGroups: + - "" + resources: + - endpoints + - namespaces + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - referencegrants + - referencepolicies + - tlsroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tlsroutes/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations + - extensionservices + - httpproxies + - tlscertificatedelegations + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations/status + - extensionservices/status + - httpproxies/status + verbs: + - create + - get + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: contour + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + +--- +apiVersion: v1 +kind: Service +metadata: + name: contour + namespace: projectcontour +spec: + ports: + - port: 8001 + name: xds + protocol: TCP + targetPort: 8001 + selector: + app: contour + type: ClusterIP + +--- +apiVersion: v1 +kind: Service +metadata: + name: envoy + namespace: projectcontour + annotations: + # This annotation puts the AWS ELB into "TCP" mode so that it does not + # do HTTP negotiation for HTTPS connections at the ELB edge. + # The downside of this is the remote IP address of all connections will + # appear to be the internal address of the ELB. See docs/proxy-proto.md + # for information about enabling the PROXY protocol on the ELB to recover + # the original remote IP address. + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp +spec: + externalTrafficPolicy: Local + ports: + - port: 80 + name: http + protocol: TCP + targetPort: 8080 + - port: 443 + name: https + protocol: TCP + targetPort: 8443 + selector: + app: envoy + type: LoadBalancer + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: contour + name: contour + namespace: projectcontour +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 50% + selector: + matchLabels: + app: contour + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + labels: + app: contour + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: contour + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - args: + - serve + - --incluster + - --xds-address=0.0.0.0 + - --xds-port=8001 + - --contour-cafile=/certs/ca.crt + - --contour-cert-file=/certs/tls.crt + - --contour-key-file=/certs/tls.key + - --config-path=/config/contour.yaml + command: ["contour"] + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + name: contour + ports: + - containerPort: 8001 + name: xds + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + - containerPort: 6060 + name: debug + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: 8000 + readinessProbe: + tcpSocket: + port: 8001 + initialDelaySeconds: 15 + periodSeconds: 10 + volumeMounts: + - name: contourcert + mountPath: /certs + readOnly: true + - name: contour-config + mountPath: /config + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + dnsPolicy: ClusterFirst + serviceAccountName: contour + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumes: + - name: contourcert + secret: + secretName: contourcert + - name: contour-config + configMap: + name: contour + defaultMode: 0644 + items: + - key: contour.yaml + path: contour.yaml + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: envoy + name: envoy + namespace: projectcontour +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 10% + selector: + matchLabels: + app: envoy + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8002" + prometheus.io/path: "/stats/prometheus" + labels: + app: envoy + spec: + containers: + - command: + - /bin/contour + args: + - envoy + - shutdown-manager + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/contour + - envoy + - shutdown + livenessProbe: + httpGet: + path: /healthz + port: 8090 + initialDelaySeconds: 3 + periodSeconds: 10 + name: shutdown-manager + volumeMounts: + - name: envoy-admin + mountPath: /admin + - args: + - -c + - /config/envoy.json + - --service-cluster $(CONTOUR_NAMESPACE) + - --service-node $(ENVOY_POD_NAME) + - --log-level info + command: + - envoy + image: docker.io/envoyproxy/envoy:v1.22-latest + imagePullPolicy: IfNotPresent + name: envoy + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 8080 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 8443 + hostPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8002 + initialDelaySeconds: 3 + periodSeconds: 4 + volumeMounts: + - name: envoy-config + mountPath: /config + readOnly: true + - name: envoycert + mountPath: /certs + readOnly: true + - name: envoy-admin + mountPath: /admin + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + initContainers: + - args: + - bootstrap + - /config/envoy.json + - --xds-address=contour + - --xds-port=8001 + - --xds-resource-version=v3 + - --resources-dir=/config/resources + - --envoy-cafile=/certs/ca.crt + - --envoy-cert-file=/certs/tls.crt + - --envoy-key-file=/certs/tls.key + command: + - contour + image: ghcr.io/projectcontour/contour:v1.22.0 + imagePullPolicy: IfNotPresent + name: envoy-initconfig + volumeMounts: + - name: envoy-config + mountPath: /config + - name: envoycert + mountPath: /certs + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + automountServiceAccountToken: false + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - name: envoy-admin + emptyDir: {} + - name: envoy-config + emptyDir: {} + - name: envoycert + secret: + secretName: envoycert + restartPolicy: Always + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + tolerations: + - key: node-role.kubernetes.io/control-plane + operator: Equal + effect: NoSchedule + - key: node-role.kubernetes.io/master + operator: Equal + effect: NoSchedule diff --git a/spicedb-kind-setup/kind-kube/kind-ingress.config b/spicedb-kind-setup/kind-kube/kind-ingress.config new file mode 100644 index 0000000..818dba0 --- /dev/null +++ b/spicedb-kind-setup/kind-kube/kind-ingress.config @@ -0,0 +1,18 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +name: sp-cluster +nodes: + - role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + listenAddress: "0.0.0.0" + - containerPort: 443 + hostPort: 443 + listenAddress: "0.0.0.0" diff --git a/spicedb-kind-setup/postgres/README.md b/spicedb-kind-setup/postgres/README.md new file mode 100644 index 0000000..00c5883 --- /dev/null +++ b/spicedb-kind-setup/postgres/README.md @@ -0,0 +1,5 @@ +`kubectl create namespace spicedb` + +`kubectl apply -f secret.yaml -n spicedb` +`kubectl apply -f storage.yaml -n spicedb` +`kubectl apply -f postgresql.yaml -n spicedb` \ No newline at end of file diff --git a/spicedb-kind-setup/postgres/postgresql.yaml b/spicedb-kind-setup/postgres/postgresql.yaml new file mode 100644 index 0000000..591bc02 --- /dev/null +++ b/spicedb-kind-setup/postgres/postgresql.yaml @@ -0,0 +1,56 @@ +apiVersion: v1 +kind: Service +metadata: + name: postgres + namespace: spicedb + labels: + app: postgres +spec: + ports: + - port: 5432 + name: postgres + selector: + app: postgres + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: postgres + namespace: spicedb +spec: + selector: + matchLabels: + app: postgres + strategy: + type: Recreate + template: + metadata: + labels: + app: postgres + spec: + containers: + - image: postgres:latest + name: postgres + envFrom: + - secretRef: + name: postgres-credentials + ports: + - containerPort: 5432 + name: postgres + securityContext: + privileged: false + volumeMounts: + - name: postgres-storage + mountPath: /var/lib/postgresql/data + resources: + limits: + memory: 512Mi + cpu: "1" + requests: + memory: 256Mi + cpu: "0.2" + volumes: + - name: postgres-storage + persistentVolumeClaim: + claimName: postgres-pvc \ No newline at end of file diff --git a/spicedb-kind-setup/postgres/secret.yaml b/spicedb-kind-setup/postgres/secret.yaml new file mode 100644 index 0000000..d081173 --- /dev/null +++ b/spicedb-kind-setup/postgres/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: postgres-credentials + namespace: spicedb +type: Opaque +stringData: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: yPsw5e6ab4bvAGe5H + POSTGRES_DB: spicedb diff --git a/spicedb-kind-setup/postgres/storage.yaml b/spicedb-kind-setup/postgres/storage.yaml new file mode 100644 index 0000000..743333b --- /dev/null +++ b/spicedb-kind-setup/postgres/storage.yaml @@ -0,0 +1,32 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: postgres-pv + namespace: spicedb + labels: + type: local + app: postgres +spec: + storageClassName: "standard" + capacity: + storage: 1Gi + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/mnt/data" +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: postgres-pvc + namespace: spicedb + labels: + app: postgres +spec: + storageClassName: "standard" + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi \ No newline at end of file diff --git a/spicedb-kind-setup/setup.sh b/spicedb-kind-setup/setup.sh new file mode 100755 index 0000000..50bd5ba --- /dev/null +++ b/spicedb-kind-setup/setup.sh @@ -0,0 +1,55 @@ +#!/bin/bash +set -oe errexit + +if ! command -v kind &> /dev/null +then + echo "kind could not be found" + exit +fi + +if ! command -v helm &> /dev/null +then + echo "helm could not be found" + exit +fi + +if ! command -v kubectl &> /dev/null +then + echo "kubectl could not be found" + exit +fi + +# desired cluster name; default is "kind" +echo "creating kind cluster" + +kind create cluster --config ./spicedb-kind-setup/kind-kube/kind-ingress.config + +echo "> waiting for kubernetes node(s) become ready" +kubectl wait --for=condition=ready node --all --timeout=60s + +echo "deploy contour" +kubectl apply -f ./spicedb-kind-setup/kind-kube/contour.yaml + + +echo "Install spicedb-operator" +kubectl create namespace spicedb-operator +kubectl apply --server-side -f https://github.com/authzed/spicedb-operator/releases/latest/download/bundle.yaml -n spicedb-operator + +echo "create spicedb namespace" +kubectl create namespace spicedb +echo "deploy postgres" +kubectl apply -f ./spicedb-kind-setup/postgres/secret.yaml -n spicedb +kubectl apply -f ./spicedb-kind-setup/postgres/storage.yaml -n spicedb +kubectl apply -f ./spicedb-kind-setup/postgres/postgresql.yaml -n spicedb + +echo "deploy spicedb" +kubectl apply -f ./spicedb-kind-setup/spicedb-cr.yaml -n spicedb +kubectl apply -f ./spicedb-kind-setup/svc-ingress.yaml -n spicedb + +while [[ -z $(kubectl get deployments.apps -n spicedb spicedb-cr-spicedb -o jsonpath="{.status.readyReplicas}" 2>/dev/null) ]]; do + echo "still waiting for spicedb" + sleep 1 +done +echo "spicedb is ready" + +kubectl get ingresses.networking.k8s.io -n spicedb \ No newline at end of file diff --git a/spicedb-kind-setup/sm-spicedb.yaml b/spicedb-kind-setup/sm-spicedb.yaml new file mode 100644 index 0000000..2992eb8 --- /dev/null +++ b/spicedb-kind-setup/sm-spicedb.yaml @@ -0,0 +1,21 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: spicedb-cr-service-monitor + # Change this to the namespace the Prometheus instance is running in + # namespace: default + labels: + app: kube-prometheus-stack + release: kube-prometheus-stack +spec: + jobLabel: job + namespaceSelector: + matchNames: + - spicedb + selector: + matchLabels: + authzed.com/cluster: spicedb-cr + endpoints: + - port: metrics + path: /metrics + interval: 15s \ No newline at end of file diff --git a/spicedb-kind-setup/spicedb-cr.yaml b/spicedb-kind-setup/spicedb-cr.yaml new file mode 100644 index 0000000..d0b9d1e --- /dev/null +++ b/spicedb-kind-setup/spicedb-cr.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: authzed.com/v1alpha1 +kind: SpiceDBCluster +metadata: + name: spicedb-cr + namespace: spicedb +spec: + config: + logLevel: debug + datastoreEngine: postgres + #datastoreTLSSecretName: datastore-tls + replicas: 2 + secretName: spicedb-config +--- +apiVersion: v1 +kind: Secret +metadata: + name: spicedb-config + namespace: spicedb +stringData: + datastore_uri: "postgres://postgres:yPsw5e6ab4bvAGe5H@postgres:5432/spicedb?sslmode=disable" + preshared_key: "foobar" +--- +# apiVersion: v1 +# kind: Secret +# metadata: +# name: datastore-tls +# namespace: spicedb +# stringData: +# ca.crt: | +# -----BEGIN CERTIFICATE----- +# --- example aws rds ca cert +# -----END CERTIFICATE----- +# --- \ No newline at end of file diff --git a/spicedb-kind-setup/svc-ingress.yaml b/spicedb-kind-setup/svc-ingress.yaml new file mode 100644 index 0000000..5ca095b --- /dev/null +++ b/spicedb-kind-setup/svc-ingress.yaml @@ -0,0 +1,72 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: spicedb-https + labels: + app: spicedb-cr +spec: + rules: + - host: spicedb-http.127.0.0.1.nip.io + http: + paths: + - backend: + service: + name: spicedb-cr + port: + number: 8443 + path: / + pathType: Prefix +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: spicedb-prometheus + labels: + app: spicedb-cr +spec: + rules: + - host: spicedb-metric.127.0.0.1.nip.io + http: + paths: + - backend: + service: + name: spicedb-cr + port: + number: 9090 + path: / + pathType: Prefix +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: spicedb-grpc + labels: + app: spicedb-cr +spec: + rules: + - host: spicedb-grpc.127.0.0.1.nip.io + http: + paths: + - backend: + service: + name: spicedb-cr + port: + number: 50051 + path: / + pathType: Prefix +--- +apiVersion: projectcontour.io/v1 +kind: HTTPProxy +metadata: + name: spicedb +spec: + virtualhost: + fqdn: spicedb-grpc.127.0.0.1.nip.io + routes: + - conditions: + - prefix: / + services: + - name: spicedb-cr + port: 50051 + protocol: h2c diff --git a/spicedb/.env b/spicedb/.env new file mode 100644 index 0000000..d5a54db --- /dev/null +++ b/spicedb/.env @@ -0,0 +1,4 @@ +SPICEDB_GRPC_PRESHARED_KEY="foobar" +POSTGRES_PASSWORD="yPsw5e6ab4bvAGe5H" +POSTGRES_USER="postgres" +POSTGRES_DBNAME="spicedb" \ No newline at end of file diff --git a/spicedb/README.md b/spicedb/README.md new file mode 100644 index 0000000..62645af --- /dev/null +++ b/spicedb/README.md @@ -0,0 +1,42 @@ +# Running SpiceDB with PostgreSQL using docker compose + +### Required +* using docker/docker compose + + +### SpiceDB settings: +* pre-shared key: [env](.env) +* dashboard address: http://localhost:8080 +* metrics address: http://localhost:9090 +* grpc address: http://localhost:50051 + +## Postgres settings: + +Set the database name, user, password in the secrets folders + +* user: [db.user](secrets/db.user) +* password: [db.password](secrets/db.password) +* datapase name: [db.name](secrets/db.name) +* port: 5432 + +# Start reading PostgreSQL + +`./start-postgresql.sh` + +# Start SpiceDB + + +`docker-compose --env-file .env up -d` + + + +# Test the Spicedb + +open in the browser `http://localhost:8080/` + +## Follow the instructions using zed client + +`zed context set first-dev-context :50051 "foobar" --insecure ` + +## Read schema +`zed --insecure --endpoint=localhost:50051 --token=foobar schema read` \ No newline at end of file diff --git a/spicedb/check_docker_podman.sh b/spicedb/check_docker_podman.sh new file mode 100755 index 0000000..cce75b8 --- /dev/null +++ b/spicedb/check_docker_podman.sh @@ -0,0 +1,30 @@ +# Function to check if a command is available +command_exists() { + command -v "$1" >/dev/null 2>&1 +} + +# Check if Docker is installed +if command_exists docker; then + echo "Docker is installed. Using Docker." + export DOCKER=docker +else + echo "Docker not found. Checking for Podman." + + # Check if Podman is installed + if command_exists podman; then + echo "Podman is installed. Using Podman." + export DOCKER=podman + else + echo "Podman not found. Please install either Docker or Podman to proceed." + exit 1 + fi + + # Check if Podman is installed + if command_exists docker-compose; then + echo "docker-compose is installed." + else + echo "docker-compose not found. Please install either docker-compose or podman-compose to proceed." + exit 1 + fi +fi + diff --git a/spicedb/docker-compose.yaml b/spicedb/docker-compose.yaml new file mode 100644 index 0000000..3886832 --- /dev/null +++ b/spicedb/docker-compose.yaml @@ -0,0 +1,62 @@ +--- +# This runs SpiceDB, using Postgres as the storage engine. SpiceDB will not have +# any schema written to it. +# +# Once the database service is running, the migrate service executes, running +# "spicedb migrate head" to migrate Postgres to the most current revision. After +# Postgres is migrated, the migrate service will stop. +# +# SpiceDB settings: +# pre-shared key: foobar +# dashboard address: http://localhost:8080 +# metrics address: http://localhost:9090 +# grpc address: http://localhost:50051 +# +# Postgres settings: +# user: postgres +# password: secret +# port: 5432 + +version: "3" + +services: + rebac: + image: "quay.io/ciam_authz/insights-rebac:latest" + profiles: ["rebac"] + restart: "always" + ports: + - "8000:8000" + - "9000:9000" + + spicedb: + image: "authzed/spicedb" + command: "serve" + restart: "always" + ports: + - "8080:8080" + - "9090:9090" + - "50051:50051" + environment: + - "SPICEDB_GRPC_PRESHARED_KEY=${SPICEDB_GRPC_PRESHARED_KEY}" + - "SPICEDB_DATASTORE_ENGINE=postgres" + - "SPICEDB_DATASTORE_CONN_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/spicedb?sslmode=disable" + depends_on: + - "migrate" + + migrate: + image: "authzed/spicedb" + command: "migrate head" + restart: "on-failure" + environment: + - "SPICEDB_DATASTORE_ENGINE=postgres" + - "SPICEDB_DATASTORE_CONN_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/spicedb?sslmode=disable" + depends_on: + - "database" + + database: + image: "postgres" + ports: + - "5432:5432" + environment: + - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}" + - "POSTGRES_DB=${POSTGRES_DBNAME}" \ No newline at end of file diff --git a/spicedb/secrets/db.name b/spicedb/secrets/db.name new file mode 100644 index 0000000..b6cb54d --- /dev/null +++ b/spicedb/secrets/db.name @@ -0,0 +1 @@ +spicedb \ No newline at end of file diff --git a/spicedb/secrets/db.password b/spicedb/secrets/db.password new file mode 100644 index 0000000..536aca3 --- /dev/null +++ b/spicedb/secrets/db.password @@ -0,0 +1 @@ +secret \ No newline at end of file diff --git a/spicedb/secrets/db.user b/spicedb/secrets/db.user new file mode 100644 index 0000000..7d72bd7 --- /dev/null +++ b/spicedb/secrets/db.user @@ -0,0 +1 @@ +postgres \ No newline at end of file diff --git a/spicedb/start-insights-rebac.sh b/spicedb/start-insights-rebac.sh new file mode 100755 index 0000000..2689dc4 --- /dev/null +++ b/spicedb/start-insights-rebac.sh @@ -0,0 +1 @@ +docker-compose --profile rebac -f ./spicedb/docker-compose.yaml up -d \ No newline at end of file diff --git a/spicedb/start-postgresql.sh b/spicedb/start-postgresql.sh new file mode 100755 index 0000000..c6a681c --- /dev/null +++ b/spicedb/start-postgresql.sh @@ -0,0 +1,15 @@ +set -e +# Function to check if a command is available +source ./spicedb/check_docker_podman.sh + +$DOCKER network create spicedb-net || true + +$DOCKER run \ + --name spicedb-datastore \ + --net spicedb-net \ + --restart=always \ + -e POSTGRES_PASSWORD=$(cat ./spicedb/secrets/db.password) \ + -e POSTGRES_USER=$(cat ./spicedb/secrets/db.user) \ + -e POSTGRES_DB=$(cat ./spicedb/secrets/db.name) \ + -p $(cat ./spicedb/secrets/secrets/db.port):5432 \ + -d postgres:latest \ No newline at end of file diff --git a/spicedb/start-spicedb.sh b/spicedb/start-spicedb.sh new file mode 100755 index 0000000..2c1bef9 --- /dev/null +++ b/spicedb/start-spicedb.sh @@ -0,0 +1 @@ +docker-compose --env-file ./spicedb/.env -f ./spicedb/docker-compose.yaml up -d \ No newline at end of file diff --git a/spicedb/teardown.sh b/spicedb/teardown.sh new file mode 100755 index 0000000..85070ab --- /dev/null +++ b/spicedb/teardown.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Function to check if a command is available +source ./spicedb/check_docker_podman.sh + +set -e + +$DOCKER stop spicedb-datastore + +$DOCKER rm spicedb-datastore + +$DOCKER network rm spicedb-net + +docker-compose -f ./spicedb/docker-compose.yaml down + + diff --git a/spicedb/teardownrebac.sh b/spicedb/teardownrebac.sh new file mode 100755 index 0000000..6b5c106 --- /dev/null +++ b/spicedb/teardownrebac.sh @@ -0,0 +1 @@ +docker-compose --profile rebac -f ./spicedb/docker-compose.yaml down \ No newline at end of file