/
httpproxy.go
1081 lines (975 loc) · 45.4 KB
/
httpproxy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// Copyright Project Contour Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// HTTPProxySpec defines the spec of the CRD.
type HTTPProxySpec struct {
// Virtualhost appears at most once. If it is present, the object is considered
// to be a "root" HTTPProxy.
// +optional
VirtualHost *VirtualHost `json:"virtualhost,omitempty"`
// Routes are the ingress routes. If TCPProxy is present, Routes is ignored.
// +optional
Routes []Route `json:"routes,omitempty"`
// TCPProxy holds TCP proxy information.
// +optional
TCPProxy *TCPProxy `json:"tcpproxy,omitempty"`
// Includes allow for specific routing configuration to be included from another HTTPProxy,
// possibly in another namespace.
// +optional
Includes []Include `json:"includes,omitempty"`
// IngressClassName optionally specifies the ingress class to use for this
// HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class`
// annotation. For backwards compatibility, when that annotation is set, it
// is given precedence over this field.
// +optional
IngressClassName string `json:"ingressClassName,omitempty"`
}
// Include describes a set of policies that can be applied to an HTTPProxy in a namespace.
type Include struct {
// Name of the HTTPProxy
Name string `json:"name"`
// Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.
// +optional
Namespace string `json:"namespace,omitempty"`
// Conditions are a set of rules that are applied to included HTTPProxies.
// In effect, they are added onto the Conditions of included HTTPProxy Route
// structs.
// When applied, they are merged using AND, with one exception:
// There can be only one Prefix MatchCondition per Conditions slice.
// More than one Prefix, or contradictory Conditions, will make the
// include invalid.
// +optional
Conditions []MatchCondition `json:"conditions,omitempty"`
}
// MatchCondition are a general holder for matching rules for HTTPProxies.
// One of Prefix or Header must be provided.
type MatchCondition struct {
// Prefix defines a prefix match for a request.
// +optional
Prefix string `json:"prefix,omitempty"`
// Header specifies the header condition to match.
// +optional
Header *HeaderMatchCondition `json:"header,omitempty"`
}
// HeaderMatchCondition specifies how to conditionally match against HTTP
// headers. The Name field is required, but only one of the remaining
// fields should be be provided.
type HeaderMatchCondition struct {
// Name is the name of the header to match against. Name is required.
// Header names are case insensitive.
Name string `json:"name"`
// Present specifies that condition is true when the named header
// is present, regardless of its value. Note that setting Present
// to false does not make the condition true if the named header
// is absent.
// +optional
Present bool `json:"present,omitempty"`
// NotPresent specifies that condition is true when the named header
// is not present. Note that setting NotPresent to false does not
// make the condition true if the named header is present.
// +optional
NotPresent bool `json:"notpresent,omitempty"`
// Contains specifies a substring that must be present in
// the header value.
// +optional
Contains string `json:"contains,omitempty"`
// NotContains specifies a substring that must not be present
// in the header value.
// +optional
NotContains string `json:"notcontains,omitempty"`
// Exact specifies a string that the header value must be equal to.
// +optional
Exact string `json:"exact,omitempty"`
// NoExact specifies a string that the header value must not be
// equal to. The condition is true if the header has any other value.
// +optional
NotExact string `json:"notexact,omitempty"`
}
// ExtensionServiceReference names an ExtensionService resource.
type ExtensionServiceReference struct {
// API version of the referent.
// If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
//
// +optional
// +kubebuilder:validation:MinLength=1
APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,5,opt,name=apiVersion"`
// Namespace of the referent.
// If this field is not specifies, the namespace of the resource that targets the referent will be used.
//
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
//
// +optional
// +kubebuilder:validation:MinLength=1
Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
// Name of the referent.
//
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
//
// +required
// +kubebuilder:validation:MinLength=1
Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
}
// AuthorizationServer configures an external server to authenticate
// client requests. The external server must implement the v3 Envoy
// external authorization GRPC protocol (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).
type AuthorizationServer struct {
// ExtensionServiceRef specifies the extension resource that will authorize client requests.
//
// +required
ExtensionServiceRef ExtensionServiceReference `json:"extensionRef"`
// AuthPolicy sets a default authorization policy for client requests.
// This policy will be used unless overridden by individual routes.
//
// +optional
AuthPolicy *AuthorizationPolicy `json:"authPolicy,omitempty"`
// ResponseTimeout configures maximum time to wait for a check response from the authorization server.
// Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// The string "infinity" is also a valid input and specifies no timeout.
//
// +optional
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
ResponseTimeout string `json:"responseTimeout,omitempty"`
// If FailOpen is true, the client request is forwarded to the upstream service
// even if the authorization server fails to respond. This field should not be
// set in most cases. It is intended for use only while migrating applications
// from internal authorization to Contour external authorization.
//
// +optional
FailOpen bool `json:"failOpen,omitempty"`
// WithRequestBody specifies configuration for sending the client request's body to authorization server.
// +optional
WithRequestBody *AuthorizationServerBufferSettings `json:"withRequestBody,omitempty"`
}
// AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client request data and send it as part of authorization request
type AuthorizationServerBufferSettings struct {
// MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory.
// +optional
// +kubebuilder:validation:Minimum=1
// +kubebuilder:default=1024
MaxRequestBytes uint32 `json:"maxRequestBytes,omitempty"`
// If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached.
// +optional
AllowPartialMessage bool `json:"allowPartialMessage,omitempty"`
// If PackAsBytes is true, the body sent to Authorization Server is in raw bytes.
// +optional
PackAsBytes bool `json:"packAsBytes,omitempty"`
}
// AuthorizationPolicy modifies how client requests are authenticated.
type AuthorizationPolicy struct {
// When true, this field disables client request authentication
// for the scope of the policy.
//
// +optional
Disabled bool `json:"disabled,omitempty"`
// Context is a set of key/value pairs that are sent to the
// authentication server in the check request. If a context
// is provided at an enclosing scope, the entries are merged
// such that the inner scope overrides matching keys from the
// outer scope.
//
// +optional
Context map[string]string `json:"context,omitempty"`
}
// VirtualHost appears at most once. If it is present, the object is considered
// to be a "root".
type VirtualHost struct {
// The fully qualified domain name of the root of the ingress tree
// all leaves of the DAG rooted at this object relate to the fqdn.
//
// +kubebuilder:validation:Pattern="^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
Fqdn string `json:"fqdn"`
// If present the fields describes TLS properties of the virtual
// host. The SNI names that will be matched on are described in fqdn,
// the tls.secretName secret must contain a certificate that itself
// contains a name that matches the FQDN.
//
// +optional
TLS *TLS `json:"tls,omitempty"`
// This field configures an extension service to perform
// authorization for this virtual host. Authorization can
// only be configured on virtual hosts that have TLS enabled.
// If the TLS configuration requires client certificate
// validation, the client certificate is always included in the
// authentication check request.
//
// +optional
Authorization *AuthorizationServer `json:"authorization,omitempty"`
// Specifies the cross-origin policy to apply to the VirtualHost.
// +optional
CORSPolicy *CORSPolicy `json:"corsPolicy,omitempty"`
// The policy for rate limiting on the virtual host.
// +optional
RateLimitPolicy *RateLimitPolicy `json:"rateLimitPolicy,omitempty"`
}
// TLS describes tls properties. The SNI names that will be matched on
// are described in the HTTPProxy's Spec.VirtualHost.Fqdn field.
type TLS struct {
// SecretName is the name of a TLS secret in the current namespace.
// Either SecretName or Passthrough must be specified, but not both.
// If specified, the named secret must contain a matching certificate
// for the virtual host's FQDN.
SecretName string `json:"secretName,omitempty"`
// MinimumProtocolVersion is the minimum TLS version this vhost should
// negotiate. Valid options are `1.2` (default) and `1.3`. Any other value
// defaults to TLS 1.2.
// +optional
MinimumProtocolVersion string `json:"minimumProtocolVersion,omitempty"`
// Passthrough defines whether the encrypted TLS handshake will be
// passed through to the backing cluster. Either Passthrough or
// SecretName must be specified, but not both.
// +optional
Passthrough bool `json:"passthrough,omitempty"`
// ClientValidation defines how to verify the client certificate
// when an external client establishes a TLS connection to Envoy.
//
// This setting:
//
// 1. Enables TLS client certificate validation.
// 2. Specifies how the client certificate will be validated (i.e.
// validation required or skipped).
//
// Note: Setting client certificate validation to be skipped should
// be only used in conjunction with an external authorization server that
// performs client validation as Contour will ensure client certificates
// are passed along.
//
// +optional
ClientValidation *DownstreamValidation `json:"clientValidation,omitempty"`
// EnableFallbackCertificate defines if the vhost should allow a default certificate to
// be applied which handles all requests which don't match the SNI defined in this vhost.
EnableFallbackCertificate bool `json:"enableFallbackCertificate,omitempty"`
}
// CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
// +kubebuilder:validation:Pattern="^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$"
type CORSHeaderValue string
// CORSPolicy allows setting the CORS policy
type CORSPolicy struct {
// Specifies whether the resource allows credentials.
// +optional
AllowCredentials bool `json:"allowCredentials,omitempty"`
// AllowOrigin specifies the origins that will be allowed to do CORS requests. "*" means
// allow any origin.
// +kubebuilder:validation:Required
AllowOrigin []string `json:"allowOrigin"`
// AllowMethods specifies the content for the *access-control-allow-methods* header.
// +kubebuilder:validation:Required
AllowMethods []CORSHeaderValue `json:"allowMethods"`
// AllowHeaders specifies the content for the *access-control-allow-headers* header.
// +optional
AllowHeaders []CORSHeaderValue `json:"allowHeaders,omitempty"`
// ExposeHeaders Specifies the content for the *access-control-expose-headers* header.
// +optional
ExposeHeaders []CORSHeaderValue `json:"exposeHeaders,omitempty"`
// MaxAge indicates for how long the results of a preflight request can be cached.
// MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS
// check for all cross-origin requests.
// +optional
MaxAge string `json:"maxAge,omitempty"`
}
// Route contains the set of routes for a virtual host.
type Route struct {
// Conditions are a set of rules that are applied to a Route.
// When applied, they are merged using AND, with one exception:
// There can be only one Prefix MatchCondition per Conditions slice.
// More than one Prefix, or contradictory Conditions, will make the
// route invalid.
// +optional
Conditions []MatchCondition `json:"conditions,omitempty"`
// Services are the services to proxy traffic.
// +optional
Services []Service `json:"services,omitempty"`
// Enables websocket support for the route.
// +optional
EnableWebsockets bool `json:"enableWebsockets,omitempty"`
// Allow this path to respond to insecure requests over HTTP which are normally
// not permitted when a `virtualhost.tls` block is present.
// +optional
PermitInsecure bool `json:"permitInsecure,omitempty"`
// AuthPolicy updates the authorization policy that was set
// on the root HTTPProxy object for client requests that
// match this route.
// +optional
AuthPolicy *AuthorizationPolicy `json:"authPolicy,omitempty"`
// The timeout policy for this route.
// +optional
TimeoutPolicy *TimeoutPolicy `json:"timeoutPolicy,omitempty"`
// The retry policy for this route.
// +optional
RetryPolicy *RetryPolicy `json:"retryPolicy,omitempty"`
// The health check policy for this route.
// +optional
HealthCheckPolicy *HTTPHealthCheckPolicy `json:"healthCheckPolicy,omitempty"`
// The load balancing policy for this route.
// +optional
LoadBalancerPolicy *LoadBalancerPolicy `json:"loadBalancerPolicy,omitempty"`
// The policy for rewriting the path of the request URL
// after the request has been routed to a Service.
//
// +optional
PathRewritePolicy *PathRewritePolicy `json:"pathRewritePolicy,omitempty"`
// The policy for managing request headers during proxying.
// +optional
RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
// The policy for managing response headers during proxying.
// Rewriting the 'Host' header is not supported.
// +optional
ResponseHeadersPolicy *HeadersPolicy `json:"responseHeadersPolicy,omitempty"`
// The policies for rewriting Set-Cookie header attributes. Note that
// rewritten cookie names must be unique in this list. Order rewrite
// policies are specified in does not matter.
// +optional
CookieRewritePolicies []CookieRewritePolicy `json:"cookieRewritePolicies,omitempty"`
// The policy for rate limiting on the route.
// +optional
RateLimitPolicy *RateLimitPolicy `json:"rateLimitPolicy,omitempty"`
// RequestRedirectPolicy defines an HTTP redirection.
// +optional
RequestRedirectPolicy *HTTPRequestRedirectPolicy `json:"requestRedirectPolicy,omitempty"`
// DirectResponsePolicy returns an arbitrary HTTP response directly.
// +optional
DirectResponsePolicy *HTTPDirectResponsePolicy `json:"directResponsePolicy,omitempty"`
}
type HTTPDirectResponsePolicy struct {
// StatusCode is the HTTP response status to be returned.
// +required
// +kubebuilder:validation:Minimum=200
// +kubebuilder:validation:Maximum=599
StatusCode int `json:"statusCode"`
// Body is the content of the response body.
// If this setting is omitted, no body is included in the generated response.
//
// Note: Body is not recommended to set too long
// otherwise it can have significant resource usage impacts.
//
// +optional
Body string `json:"body,omitempty"`
}
// HTTPRequestRedirectPolicy defines configuration for redirecting a request.
type HTTPRequestRedirectPolicy struct {
// Scheme is the scheme to be used in the value of the `Location`
// header in the response.
// When empty, the scheme of the request is used.
// +optional
// +kubebuilder:validation:Enum=http;https
Scheme *string `json:"scheme,omitempty"`
// Hostname is the precise hostname to be used in the value of the `Location`
// header in the response.
// When empty, the hostname of the request is used.
// No wildcards are allowed.
// +optional
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
Hostname *string `json:"hostname,omitempty"`
// Port is the port to be used in the value of the `Location`
// header in the response.
// When empty, port (if specified) of the request is used.
// +optional
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
Port *int32 `json:"port,omitempty"`
// StatusCode is the HTTP status code to be used in response.
// +optional
// +kubebuilder:default=302
// +kubebuilder:validation:Enum=301;302
StatusCode *int `json:"statusCode,omitempty"`
// Path allows for redirection to a different path from the
// original on the request. The path must start with a
// leading slash.
//
// Note: Only one of Path or Prefix can be defined.
//
// +optional
// +kubebuilder:validation:Pattern=`^\/.*$`
Path *string `json:"path,omitempty"`
// Prefix defines the value to swap the matched prefix or path with.
// The prefix must start with a leading slash.
//
// Note: Only one of Path or Prefix can be defined.
//
// +optional
// +kubebuilder:validation:Pattern=`^\/.*$`
Prefix *string `json:"prefix,omitempty"`
}
type CookieRewritePolicy struct {
// Name is the name of the cookie for which attributes will be rewritten.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=4096
// +kubebuilder:validation:Pattern=`^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$`
Name string `json:"name"`
// PathRewrite enables rewriting the Set-Cookie Path element.
// If not set, Path will not be rewritten.
// +optional
PathRewrite *CookiePathRewrite `json:"pathRewrite,omitempty"`
// DomainRewrite enables rewriting the Set-Cookie Domain element.
// If not set, Domain will not be rewritten.
// +optional
DomainRewrite *CookieDomainRewrite `json:"domainRewrite,omitempty"`
// Secure enables rewriting the Set-Cookie Secure element.
// If not set, Secure attribute will not be rewritten.
// +optional
Secure *bool `json:"secure,omitempty"`
// SameSite enables rewriting the Set-Cookie SameSite element.
// If not set, SameSite attribute will not be rewritten.
// +optional
// +kubebuilder:validation:Enum=Strict;Lax;None
SameSite *string `json:"sameSite,omitempty"`
}
type CookiePathRewrite struct {
// Value is the value to rewrite the Path attribute to.
// For now this is required.
// +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=4096
// +kubebuilder:validation:Pattern=`^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$`
Value string `json:"value"`
}
type CookieDomainRewrite struct {
// Value is the value to rewrite the Domain attribute to.
// For now this is required.
// +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=4096
// +kubebuilder:validation:Pattern="^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
Value string `json:"value"`
}
// RateLimitPolicy defines rate limiting parameters.
type RateLimitPolicy struct {
// Local defines local rate limiting parameters, i.e. parameters
// for rate limiting that occurs within each Envoy pod as requests
// are handled.
// +optional
Local *LocalRateLimitPolicy `json:"local,omitempty"`
// Global defines global rate limiting parameters, i.e. parameters
// defining descriptors that are sent to an external rate limit
// service (RLS) for a rate limit decision on each request.
// +optional
Global *GlobalRateLimitPolicy `json:"global,omitempty"`
}
// LocalRateLimitPolicy defines local rate limiting parameters.
type LocalRateLimitPolicy struct {
// Requests defines how many requests per unit of time should
// be allowed before rate limiting occurs.
// +required
// +kubebuilder:validation:Minimum=1
Requests uint32 `json:"requests"`
// Unit defines the period of time within which requests
// over the limit will be rate limited. Valid values are
// "second", "minute" and "hour".
// +kubebuilder:validation:Enum=second;minute;hour
// +required
Unit string `json:"unit"`
// Burst defines the number of requests above the requests per
// unit that should be allowed within a short period of time.
// +optional
Burst uint32 `json:"burst,omitempty"`
// ResponseStatusCode is the HTTP status code to use for responses
// to rate-limited requests. Codes must be in the 400-599 range
// (inclusive). If not specified, the Envoy default of 429 (Too
// Many Requests) is used.
// +optional
// +kubebuilder:validation:Minimum=400
// +kubebuilder:validation:Maximum=599
ResponseStatusCode uint32 `json:"responseStatusCode,omitempty"`
// ResponseHeadersToAdd is an optional list of response headers to
// set when a request is rate-limited.
// +optional
ResponseHeadersToAdd []HeaderValue `json:"responseHeadersToAdd,omitempty"`
}
// GlobalRateLimitPolicy defines global rate limiting parameters.
type GlobalRateLimitPolicy struct {
// Descriptors defines the list of descriptors that will
// be generated and sent to the rate limit service. Each
// descriptor contains 1+ key-value pair entries.
// +required
// +kubebuilder:validation:MinItems=1
Descriptors []RateLimitDescriptor `json:"descriptors,omitempty"`
}
// RateLimitDescriptor defines a list of key-value pair generators.
type RateLimitDescriptor struct {
// Entries is the list of key-value pair generators.
// +required
// +kubebuilder:validation:MinItems=1
Entries []RateLimitDescriptorEntry `json:"entries,omitempty"`
}
// RateLimitDescriptorEntry is a key-value pair generator. Exactly
// one field on this struct must be non-nil.
type RateLimitDescriptorEntry struct {
// GenericKey defines a descriptor entry with a static key and value.
// +optional
GenericKey *GenericKeyDescriptor `json:"genericKey,omitempty"`
// RequestHeader defines a descriptor entry that's populated only if
// a given header is present on the request. The descriptor key is static,
// and the descriptor value is equal to the value of the header.
// +optional
RequestHeader *RequestHeaderDescriptor `json:"requestHeader,omitempty"`
// RequestHeaderValueMatch defines a descriptor entry that's populated
// if the request's headers match a set of 1+ match criteria. The
// descriptor key is "header_match", and the descriptor value is static.
// +optional
RequestHeaderValueMatch *RequestHeaderValueMatchDescriptor `json:"requestHeaderValueMatch,omitempty"`
// RemoteAddress defines a descriptor entry with a key of "remote_address"
// and a value equal to the client's IP address (from x-forwarded-for).
// +optional
RemoteAddress *RemoteAddressDescriptor `json:"remoteAddress,omitempty"`
}
// GenericKeyDescriptor defines a descriptor entry with a static key and
// value.
type GenericKeyDescriptor struct {
// Key defines the key of the descriptor entry. If not set, the
// key is set to "generic_key".
// +optional
Key string `json:"key,omitempty"`
// Value defines the value of the descriptor entry.
// +required
// +kubebuilder:validation:MinLength=1
Value string `json:"value,omitempty"`
}
// RequestHeaderDescriptor defines a descriptor entry that's populated only
// if a given header is present on the request. The value of the descriptor
// entry is equal to the value of the header (if present).
type RequestHeaderDescriptor struct {
// HeaderName defines the name of the header to look for on the request.
// +required
// +kubebuilder:validation:MinLength=1
HeaderName string `json:"headerName,omitempty"`
// DescriptorKey defines the key to use on the descriptor entry.
// +required
// +kubebuilder:validation:MinLength=1
DescriptorKey string `json:"descriptorKey,omitempty"`
}
// RequestHeaderValueMatchDescriptor defines a descriptor entry that's populated
// if the request's headers match a set of 1+ match criteria. The descriptor key
// is "header_match", and the descriptor value is statically defined.
type RequestHeaderValueMatchDescriptor struct {
// Headers is a list of 1+ match criteria to apply against the request
// to determine whether to populate the descriptor entry or not.
// +kubebuilder:validation:MinItems=1
Headers []HeaderMatchCondition `json:"headers,omitempty"`
// ExpectMatch defines whether the request must positively match the match
// criteria in order to generate a descriptor entry (i.e. true), or not
// match the match criteria in order to generate a descriptor entry (i.e. false).
// The default is true.
// +kubebuilder:default=true
ExpectMatch bool `json:"expectMatch,omitempty"`
// Value defines the value of the descriptor entry.
// +required
// +kubebuilder:validation:MinLength=1
Value string `json:"value,omitempty"`
}
// RemoteAddressDescriptor defines a descriptor entry with a key of
// "remote_address" and a value equal to the client's IP address
// (from x-forwarded-for).
type RemoteAddressDescriptor struct{}
// TCPProxy contains the set of services to proxy TCP connections.
type TCPProxy struct {
// The load balancing policy for the backend services. Note that the
// `Cookie` and `RequestHash` load balancing strategies cannot be used
// here.
// +optional
LoadBalancerPolicy *LoadBalancerPolicy `json:"loadBalancerPolicy,omitempty"`
// Services are the services to proxy traffic
// +optional
Services []Service `json:"services"`
// Include specifies that this tcpproxy should be delegated to another HTTPProxy.
// +optional
Include *TCPProxyInclude `json:"include,omitempty"`
// IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.
//
// Exists due to a mistake when developing HTTPProxy and the field was marked plural
// when it should have been singular. This field should stay to not break backwards compatibility to v1 users.
// +optional
IncludesDeprecated *TCPProxyInclude `json:"includes,omitempty"`
// The health check policy for this tcp proxy
// +optional
HealthCheckPolicy *TCPHealthCheckPolicy `json:"healthCheckPolicy,omitempty"`
}
// TCPProxyInclude describes a target HTTPProxy document which contains the TCPProxy details.
type TCPProxyInclude struct {
// Name of the child HTTPProxy
Name string `json:"name"`
// Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.
// +optional
Namespace string `json:"namespace,omitempty"`
}
// Service defines an Kubernetes Service to proxy traffic.
type Service struct {
// Name is the name of Kubernetes service to proxy traffic.
// Names defined here will be used to look up corresponding endpoints which contain the ips to route.
Name string `json:"name"`
// Port (defined as Integer) to proxy traffic to since a service can have multiple defined.
//
// +required
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65536
// +kubebuilder:validation:ExclusiveMinimum=false
// +kubebuilder:validation:ExclusiveMaximum=true
Port int `json:"port"`
// Protocol may be used to specify (or override) the protocol used to reach this Service.
// Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
// +kubebuilder:validation:Enum=h2;h2c;tls
// +optional
Protocol *string `json:"protocol,omitempty"`
// Weight defines percentage of traffic to balance traffic
// +optional
// +kubebuilder:validation:Minimum=0
Weight int64 `json:"weight,omitempty"`
// UpstreamValidation defines how to verify the backend service's certificate
// +optional
UpstreamValidation *UpstreamValidation `json:"validation,omitempty"`
// If Mirror is true the Service will receive a read only mirror of the traffic for this route.
Mirror bool `json:"mirror,omitempty"`
// The policy for managing request headers during proxying.
// Rewriting the 'Host' header is not supported.
// +optional
RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
// The policy for managing response headers during proxying.
// Rewriting the 'Host' header is not supported.
// +optional
ResponseHeadersPolicy *HeadersPolicy `json:"responseHeadersPolicy,omitempty"`
// The policies for rewriting Set-Cookie header attributes.
// +optional
CookieRewritePolicies []CookieRewritePolicy `json:"cookieRewritePolicies,omitempty"`
}
// HTTPHealthCheckPolicy defines health checks on the upstream service.
type HTTPHealthCheckPolicy struct {
// HTTP endpoint used to perform health checks on upstream service
Path string `json:"path"`
// The value of the host header in the HTTP health check request.
// If left empty (default value), the name "contour-envoy-healthcheck"
// will be used.
Host string `json:"host,omitempty"`
// The interval (seconds) between health checks
// +optional
IntervalSeconds int64 `json:"intervalSeconds"`
// The time to wait (seconds) for a health check response
// +optional
TimeoutSeconds int64 `json:"timeoutSeconds"`
// The number of unhealthy health checks required before a host is marked unhealthy
// +optional
// +kubebuilder:validation:Minimum=0
UnhealthyThresholdCount int64 `json:"unhealthyThresholdCount"`
// The number of healthy health checks required before a host is marked healthy
// +optional
// +kubebuilder:validation:Minimum=0
HealthyThresholdCount int64 `json:"healthyThresholdCount"`
}
// TCPHealthCheckPolicy defines health checks on the upstream service.
type TCPHealthCheckPolicy struct {
// The interval (seconds) between health checks
// +optional
IntervalSeconds int64 `json:"intervalSeconds"`
// The time to wait (seconds) for a health check response
// +optional
TimeoutSeconds int64 `json:"timeoutSeconds"`
// The number of unhealthy health checks required before a host is marked unhealthy
// +optional
UnhealthyThresholdCount uint32 `json:"unhealthyThresholdCount"`
// The number of healthy health checks required before a host is marked healthy
// +optional
HealthyThresholdCount uint32 `json:"healthyThresholdCount"`
}
// TimeoutPolicy configures timeouts that are used for handling network requests.
//
// TimeoutPolicy durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// The string "infinity" is also a valid input and specifies no timeout.
// A value of "0s" will be treated as if the field were not set, i.e. by using Envoy's default behavior.
//
// Example input values: "300ms", "5s", "1m".
type TimeoutPolicy struct {
// Timeout for receiving a response from the server after processing a request from client.
// If not supplied, Envoy's default value of 15s applies.
// +optional
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
Response string `json:"response,omitempty"`
// Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
// Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
// If not specified, there is no per-route idle timeout, though a connection manager-wide
// stream_idle_timeout default of 5m still applies.
// +optional
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
Idle string `json:"idle,omitempty"`
// Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
// If not supplied, Envoy's default value of 1h applies.
// +optional
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
IdleConnection string `json:"idleConnection,omitempty"`
}
// RetryOn is a string type alias with validation to ensure that the value is valid.
// +kubebuilder:validation:Enum="5xx";gateway-error;reset;connect-failure;retriable-4xx;refused-stream;retriable-status-codes;retriable-headers;cancelled;deadline-exceeded;internal;resource-exhausted;unavailable
type RetryOn string
// RetryPolicy defines the attributes associated with retrying policy.
type RetryPolicy struct {
// NumRetries is maximum allowed number of retries.
// If set to -1, then retries are disabled.
// If set to 0 or not supplied, the value is set
// to the Envoy default of 1.
// +optional
// +kubebuilder:default=1
// +kubebuilder:validation:Minimum=-1
NumRetries int64 `json:"count"`
// PerTryTimeout specifies the timeout per retry attempt.
// Ignored if NumRetries is not supplied.
// +optional
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
PerTryTimeout string `json:"perTryTimeout,omitempty"`
// RetryOn specifies the conditions on which to retry a request.
//
// Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):
//
// - `5xx`
// - `gateway-error`
// - `reset`
// - `connect-failure`
// - `retriable-4xx`
// - `refused-stream`
// - `retriable-status-codes`
// - `retriable-headers`
//
// Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):
//
// - `cancelled`
// - `deadline-exceeded`
// - `internal`
// - `resource-exhausted`
// - `unavailable`
// +optional
RetryOn []RetryOn `json:"retryOn,omitempty"`
// RetriableStatusCodes specifies the HTTP status codes that should be retried.
//
// This field is only respected when you include `retriable-status-codes` in the `RetryOn` field.
// +optional
RetriableStatusCodes []uint32 `json:"retriableStatusCodes,omitempty"`
}
// ReplacePrefix describes a path prefix replacement.
type ReplacePrefix struct {
// Prefix specifies the URL path prefix to be replaced.
//
// If Prefix is specified, it must exactly match the MatchCondition
// prefix that is rendered by the chain of including HTTPProxies
// and only that path prefix will be replaced by Replacement.
// This allows HTTPProxies that are included through multiple
// roots to only replace specific path prefixes, leaving others
// unmodified.
//
// If Prefix is not specified, all routing prefixes rendered
// by the include chain will be replaced.
//
// +optional
// +kubebuilder:validation:MinLength=1
Prefix string `json:"prefix,omitempty"`
// Replacement is the string that the routing path prefix
// will be replaced with. This must not be empty.
//
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinLength=1
Replacement string `json:"replacement"`
}
// PathRewritePolicy specifies how a request URL path should be
// rewritten. This rewriting takes place after a request is routed
// and has no subsequent effects on the proxy's routing decision.
// No HTTP headers or body content is rewritten.
//
// Exactly one field in this struct may be specified.
type PathRewritePolicy struct {
// ReplacePrefix describes how the path prefix should be replaced.
// +optional
ReplacePrefix []ReplacePrefix `json:"replacePrefix,omitempty"`
}
// HeaderHashOptions contains options to configure a HTTP request header hash
// policy, used in request attribute hash based load balancing.
type HeaderHashOptions struct {
// HeaderName is the name of the HTTP request header that will be used to
// calculate the hash key. If the header specified is not present on a
// request, no hash will be produced.
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinLength=1
HeaderName string `json:"headerName,omitempty"`
}
// QueryParameterHashOptions contains options to configure a query parameter based hash
// policy, used in request attribute hash based load balancing.
type QueryParameterHashOptions struct {
// ParameterName is the name of the HTTP request query parameter that will be used to
// calculate the hash key. If the query parameter specified is not present on a
// request, no hash will be produced.
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinLength=1
ParameterName string `json:"parameterName,omitempty"`
}
// RequestHashPolicy contains configuration for an individual hash policy
// on a request attribute.
type RequestHashPolicy struct {
// Terminal is a flag that allows for short-circuiting computing of a hash
// for a given request. If set to true, and the request attribute specified
// in the attribute hash options is present, no further hash policies will
// be used to calculate a hash for the request.
Terminal bool `json:"terminal,omitempty"`
// HeaderHashOptions should be set when request header hash based load
// balancing is desired. It must be the only hash option field set,
// otherwise this request hash policy object will be ignored.
// +optional
HeaderHashOptions *HeaderHashOptions `json:"headerHashOptions,omitempty"`
// QueryParameterHashOptions should be set when request query parameter hash based load
// balancing is desired. It must be the only hash option field set,
// otherwise this request hash policy object will be ignored.
// +optional
QueryParameterHashOptions *QueryParameterHashOptions `json:"queryParameterHashOptions,omitempty"`
// HashSourceIP should be set to true when request source IP hash based
// load balancing is desired. It must be the only hash option field set,
// otherwise this request hash policy object will be ignored.
// +optional
HashSourceIP bool `json:"hashSourceIP,omitempty"`
}
// LoadBalancerPolicy defines the load balancing policy.
type LoadBalancerPolicy struct {
// Strategy specifies the policy used to balance requests
// across the pool of backend pods. Valid policy names are
// `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
// and `RequestHash`. If an unknown strategy name is specified
// or no policy is supplied, the default `RoundRobin` policy
// is used.
Strategy string `json:"strategy,omitempty"`
// RequestHashPolicies contains a list of hash policies to apply when the
// `RequestHash` load balancing strategy is chosen. If an element of the
// supplied list of hash policies is invalid, it will be ignored. If the
// list of hash policies is empty after validation, the load balancing
// strategy will fall back the the default `RoundRobin`.
RequestHashPolicies []RequestHashPolicy `json:"requestHashPolicies,omitempty"`
}
// HeadersPolicy defines how headers are managed during forwarding.
// The `Host` header is treated specially and if set in a HTTP response
// will be used as the SNI server name when forwarding over TLS. It is an
// error to attempt to set the `Host` header in a HTTP response.
type HeadersPolicy struct {
// Set specifies a list of HTTP header values that will be set in the HTTP header.
// If the header does not exist it will be added, otherwise it will be overwritten with the new value.
// +optional
Set []HeaderValue `json:"set,omitempty"`
// Remove specifies a list of HTTP header names to remove.
// +optional
Remove []string `json:"remove,omitempty"`
}
// HeaderValue represents a header name/value pair
type HeaderValue struct {
// Name represents a key of a header
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Value represents the value of a header specified by a key
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinLength=1
Value string `json:"value"`
}
// UpstreamValidation defines how to verify the backend service's certificate
type UpstreamValidation struct {
// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
// The secret must contain key named ca.crt.
CACertificate string `json:"caSecret"`
// Key which is expected to be present in the 'subjectAltName' of the presented certificate.
SubjectName string `json:"subjectName"`
}
// DownstreamValidation defines how to verify the client certificate.
type DownstreamValidation struct {
// Name of a Kubernetes secret that contains a CA certificate bundle.
// The secret must contain key named ca.crt.
// The client certificate must validate against the certificates in the bundle.
// If specified and SkipClientCertValidation is true, client certificates will
// be required on requests.
// +optional
// +kubebuilder:validation:MinLength=1
CACertificate string `json:"caSecret,omitempty"`
// SkipClientCertValidation disables downstream client certificate
// validation. Defaults to false. This field is intended to be used in
// conjunction with external authorization in order to enable the external
// authorization server to validate client certificates. When this field