From a6bf0821d37130b5693a47eb24e5c10196e9eff8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Ho=C3=9F?= Date: Sun, 11 Feb 2024 09:46:36 +0100 Subject: [PATCH] add projectcontour/contour MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Sebastian Hoß --- .reuse/dep5 | 4 + code-generator/src/catalog.rs | 7 + .../projectcontour.io/v1/httpproxies.args | 1 + .../projectcontour.io/v1/httpproxies.yaml | 1887 ++++++++++ .../v1/tlscertificatedelegations.args | 1 + .../v1/tlscertificatedelegations.yaml | 181 + .../v1alpha1/contourconfigurations.args | 1 + .../v1alpha1/contourconfigurations.yaml | 839 +++++ .../v1alpha1/contourdeployments.args | 1 + .../v1alpha1/contourdeployments.yaml | 2115 +++++++++++ .../v1alpha1/extensionservices.args | 1 + .../v1alpha1/extensionservices.yaml | 276 ++ kube-custom-resources-rs/Cargo.toml | 1 + kube-custom-resources-rs/src/lib.rs | 13 + .../src/projectcontour_io/mod.rs | 2 + .../src/projectcontour_io/v1/httpproxies.rs | 2432 ++++++++++++ .../src/projectcontour_io/v1/mod.rs | 2 + .../v1/tlscertificatedelegations.rs | 218 ++ .../v1alpha1/contourconfigurations.rs | 1268 +++++++ .../v1alpha1/contourdeployments.rs | 3293 +++++++++++++++++ .../v1alpha1/extensionservices.rs | 367 ++ .../src/projectcontour_io/v1alpha1/mod.rs | 3 + 22 files changed, 12913 insertions(+) create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.args create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.args create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.args create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.args create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.args create mode 100644 crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml create mode 100644 kube-custom-resources-rs/src/projectcontour_io/mod.rs create mode 100644 kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs create mode 100644 kube-custom-resources-rs/src/projectcontour_io/v1/mod.rs create mode 100644 kube-custom-resources-rs/src/projectcontour_io/v1/tlscertificatedelegations.rs create mode 100644 kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs create mode 100644 kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs create mode 100644 kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs create mode 100644 kube-custom-resources-rs/src/projectcontour_io/v1alpha1/mod.rs diff --git a/.reuse/dep5 b/.reuse/dep5 index 6e572f12f..87ee092b0 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -771,6 +771,10 @@ Files: crd-catalog/projectcalico/calico/* Copyright: The projectcalico/calico Authors License: Apache-2.0 +Files: crd-catalog/projectcontour/contour/* +Copyright: The projectcontour/contour Authors +License: Apache-2.0 + Files: crd-catalog/prometheus-operator/prometheus-operator/* Copyright: The prometheus-operator/prometheus-operator Authors License: Apache-2.0 diff --git a/code-generator/src/catalog.rs b/code-generator/src/catalog.rs index 09817ed51..0ee7d76a8 100644 --- a/code-generator/src/catalog.rs +++ b/code-generator/src/catalog.rs @@ -2064,6 +2064,13 @@ pub const CRD_V1_SOURCES: &'static [UpstreamSource] = &[ "https://github.com/projectcalico/calico/blob/master/charts/tigera-operator/crds/operator.tigera.io_tigerastatuses_crd.yaml", ], }, + UpstreamSource { + project_name: "projectcontour/contour", + license: APACHE_V2, + urls: &[ + "https://github.com/projectcontour/contour/blob/main/examples/contour/01-crds.yaml", + ], + }, UpstreamSource { project_name: "prometheus-operator/prometheus-operator", license: APACHE_V2, diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.args b/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.args new file mode 100644 index 000000000..7ab47510b --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.args @@ -0,0 +1 @@ +--derive=PartialEq diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml new file mode 100644 index 000000000..5041408e3 --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml @@ -0,0 +1,1887 @@ +apiVersion: "apiextensions.k8s.io/v1" +kind: "CustomResourceDefinition" +metadata: + annotations: + controller-gen.kubebuilder.io/version: "v0.14.0" + name: "httpproxies.projectcontour.io" +spec: + group: "projectcontour.io" + names: + kind: "HTTPProxy" + listKind: "HTTPProxyList" + plural: "httpproxies" + shortNames: + - "proxy" + - "proxies" + singular: "httpproxy" + preserveUnknownFields: false + scope: "Namespaced" + versions: + - additionalPrinterColumns: + - description: "Fully qualified domain name" + jsonPath: ".spec.virtualhost.fqdn" + name: "FQDN" + type: "string" + - description: "Secret with TLS credentials" + jsonPath: ".spec.virtualhost.tls.secretName" + name: "TLS Secret" + type: "string" + - description: "The current status of the HTTPProxy" + jsonPath: ".status.currentStatus" + name: "Status" + type: "string" + - description: "Description of the current status" + jsonPath: ".status.description" + name: "Status Description" + type: "string" + name: "v1" + schema: + openAPIV3Schema: + description: "HTTPProxy is an Ingress CRD specification." + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + kind: + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + metadata: + type: "object" + spec: + description: "HTTPProxySpec defines the spec of the CRD." + properties: + includes: + description: "Includes allow for specific routing configuration to be included from another HTTPProxy,\npossibly in another namespace." + items: + description: "Include describes a set of policies that can be applied to an HTTPProxy in a namespace." + properties: + conditions: + description: "Conditions are a set of rules that are applied to included HTTPProxies.\nIn effect, they are added onto the Conditions of included HTTPProxy Route\nstructs.\nWhen applied, they are merged using AND, with one exception:\nThere can be only one Prefix MatchCondition per Conditions slice.\nMore than one Prefix, or contradictory Conditions, will make the\ninclude invalid. Exact and Regex match conditions are not allowed\non includes." + items: + description: "MatchCondition are a general holder for matching rules for HTTPProxies.\nOne of Prefix, Exact, Regex, Header or QueryParameter must be provided." + properties: + exact: + description: "Exact defines a exact match for a request.\nThis field is not allowed in include match conditions." + type: "string" + header: + description: "Header specifies the header condition to match." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe header value." + type: "string" + exact: + description: "Exact specifies a string that the header value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the header to match against. Name is required.\nHeader names are case insensitive." + type: "string" + notcontains: + description: "NotContains specifies a substring that must not be present\nin the header value." + type: "string" + notexact: + description: "NoExact specifies a string that the header value must not be\nequal to. The condition is true if the header has any other value." + type: "string" + notpresent: + description: "NotPresent specifies that condition is true when the named header\nis not present. Note that setting NotPresent to false does not\nmake the condition true if the named header is present." + type: "boolean" + present: + description: "Present specifies that condition is true when the named header\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named header\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the header\nvalue." + type: "string" + treatMissingAsEmpty: + description: "TreatMissingAsEmpty specifies if the header match rule specified header\ndoes not exist, this header value will be treated as empty. Defaults to false.\nUnlike the underlying Envoy implementation this is **only** supported for\nnegative matches (e.g. NotContains, NotExact)." + type: "boolean" + required: + - "name" + type: "object" + prefix: + description: "Prefix defines a prefix match for a request." + type: "string" + queryParameter: + description: "QueryParameter specifies the query parameter condition to match." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe query parameter value." + type: "string" + exact: + description: "Exact specifies a string that the query parameter value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the query parameter to match against. Name is required.\nQuery parameter names are case insensitive." + type: "string" + prefix: + description: "Prefix defines a prefix match for the query parameter value." + type: "string" + present: + description: "Present specifies that condition is true when the named query parameter\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named query parameter\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the query\nparameter value." + type: "string" + suffix: + description: "Suffix defines a suffix match for a query parameter value." + type: "string" + required: + - "name" + type: "object" + regex: + description: "Regex defines a regex match for a request.\nThis field is not allowed in include match conditions." + type: "string" + type: "object" + type: "array" + name: + description: "Name of the HTTPProxy" + type: "string" + namespace: + description: "Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied." + type: "string" + required: + - "name" + type: "object" + type: "array" + ingressClassName: + description: "IngressClassName optionally specifies the ingress class to use for this\nHTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class`\nannotation. For backwards compatibility, when that annotation is set, it\nis given precedence over this field." + type: "string" + routes: + description: "Routes are the ingress routes. If TCPProxy is present, Routes is ignored." + items: + description: "Route contains the set of routes for a virtual host." + properties: + authPolicy: + description: "AuthPolicy updates the authorization policy that was set\non the root HTTPProxy object for client requests that\nmatch this route." + properties: + context: + additionalProperties: + type: "string" + description: "Context is a set of key/value pairs that are sent to the\nauthentication server in the check request. If a context\nis provided at an enclosing scope, the entries are merged\nsuch that the inner scope overrides matching keys from the\nouter scope." + type: "object" + disabled: + description: "When true, this field disables client request authentication\nfor the scope of the policy." + type: "boolean" + type: "object" + conditions: + description: "Conditions are a set of rules that are applied to a Route.\nWhen applied, they are merged using AND, with one exception:\nThere can be only one Prefix, Exact or Regex MatchCondition\nper Conditions slice. More than one of these condition types,\nor contradictory Conditions, will make the route invalid." + items: + description: "MatchCondition are a general holder for matching rules for HTTPProxies.\nOne of Prefix, Exact, Regex, Header or QueryParameter must be provided." + properties: + exact: + description: "Exact defines a exact match for a request.\nThis field is not allowed in include match conditions." + type: "string" + header: + description: "Header specifies the header condition to match." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe header value." + type: "string" + exact: + description: "Exact specifies a string that the header value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the header to match against. Name is required.\nHeader names are case insensitive." + type: "string" + notcontains: + description: "NotContains specifies a substring that must not be present\nin the header value." + type: "string" + notexact: + description: "NoExact specifies a string that the header value must not be\nequal to. The condition is true if the header has any other value." + type: "string" + notpresent: + description: "NotPresent specifies that condition is true when the named header\nis not present. Note that setting NotPresent to false does not\nmake the condition true if the named header is present." + type: "boolean" + present: + description: "Present specifies that condition is true when the named header\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named header\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the header\nvalue." + type: "string" + treatMissingAsEmpty: + description: "TreatMissingAsEmpty specifies if the header match rule specified header\ndoes not exist, this header value will be treated as empty. Defaults to false.\nUnlike the underlying Envoy implementation this is **only** supported for\nnegative matches (e.g. NotContains, NotExact)." + type: "boolean" + required: + - "name" + type: "object" + prefix: + description: "Prefix defines a prefix match for a request." + type: "string" + queryParameter: + description: "QueryParameter specifies the query parameter condition to match." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe query parameter value." + type: "string" + exact: + description: "Exact specifies a string that the query parameter value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the query parameter to match against. Name is required.\nQuery parameter names are case insensitive." + type: "string" + prefix: + description: "Prefix defines a prefix match for the query parameter value." + type: "string" + present: + description: "Present specifies that condition is true when the named query parameter\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named query parameter\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the query\nparameter value." + type: "string" + suffix: + description: "Suffix defines a suffix match for a query parameter value." + type: "string" + required: + - "name" + type: "object" + regex: + description: "Regex defines a regex match for a request.\nThis field is not allowed in include match conditions." + type: "string" + type: "object" + type: "array" + cookieRewritePolicies: + description: "The policies for rewriting Set-Cookie header attributes. Note that\nrewritten cookie names must be unique in this list. Order rewrite\npolicies are specified in does not matter." + items: + properties: + domainRewrite: + description: "DomainRewrite enables rewriting the Set-Cookie Domain element.\nIf not set, Domain will not be rewritten." + properties: + value: + description: "Value is the value to rewrite the Domain attribute to.\nFor now this is required." + maxLength: 4096 + minLength: 1 + pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + type: "string" + required: + - "value" + type: "object" + name: + description: "Name is the name of the cookie for which attributes will be rewritten." + maxLength: 4096 + minLength: 1 + pattern: "^[^()<>@,;:\\\\\"\\/[\\]?={} \\t\\x7f\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f]+$" + type: "string" + pathRewrite: + description: "PathRewrite enables rewriting the Set-Cookie Path element.\nIf not set, Path will not be rewritten." + properties: + value: + description: "Value is the value to rewrite the Path attribute to.\nFor now this is required." + maxLength: 4096 + minLength: 1 + pattern: "^[^;\\x7f\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f]+$" + type: "string" + required: + - "value" + type: "object" + sameSite: + description: "SameSite enables rewriting the Set-Cookie SameSite element.\nIf not set, SameSite attribute will not be rewritten." + enum: + - "Strict" + - "Lax" + - "None" + type: "string" + secure: + description: "Secure enables rewriting the Set-Cookie Secure element.\nIf not set, Secure attribute will not be rewritten." + type: "boolean" + required: + - "name" + type: "object" + type: "array" + directResponsePolicy: + description: "DirectResponsePolicy returns an arbitrary HTTP response directly." + properties: + body: + description: "Body is the content of the response body.\nIf this setting is omitted, no body is included in the generated response.\nNote: Body is not recommended to set too long\notherwise it can have significant resource usage impacts." + type: "string" + statusCode: + description: "StatusCode is the HTTP response status to be returned." + maximum: 599.0 + minimum: 200.0 + type: "integer" + required: + - "statusCode" + type: "object" + enableWebsockets: + description: "Enables websocket support for the route." + type: "boolean" + healthCheckPolicy: + description: "The health check policy for this route." + properties: + expectedStatuses: + description: "The ranges of HTTP response statuses considered healthy. Follow half-open\nsemantics, i.e. for each range the start is inclusive and the end is exclusive.\nMust be within the range [100,600). If not specified, only a 200 response status\nis considered healthy." + items: + properties: + end: + description: "The end (exclusive) of a range of HTTP status codes." + format: "int64" + maximum: 600.0 + minimum: 101.0 + type: "integer" + start: + description: "The start (inclusive) of a range of HTTP status codes." + format: "int64" + maximum: 599.0 + minimum: 100.0 + type: "integer" + required: + - "end" + - "start" + type: "object" + type: "array" + healthyThresholdCount: + description: "The number of healthy health checks required before a host is marked healthy" + format: "int64" + minimum: 0.0 + type: "integer" + host: + description: "The value of the host header in the HTTP health check request.\nIf left empty (default value), the name \"contour-envoy-healthcheck\"\nwill be used." + type: "string" + intervalSeconds: + description: "The interval (seconds) between health checks" + format: "int64" + type: "integer" + path: + description: "HTTP endpoint used to perform health checks on upstream service" + type: "string" + timeoutSeconds: + description: "The time to wait (seconds) for a health check response" + format: "int64" + type: "integer" + unhealthyThresholdCount: + description: "The number of unhealthy health checks required before a host is marked unhealthy" + format: "int64" + minimum: 0.0 + type: "integer" + required: + - "path" + type: "object" + internalRedirectPolicy: + description: "The policy to define when to handle redirects responses internally." + properties: + allowCrossSchemeRedirect: + default: "Never" + description: "AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme\nthan the value of x-forwarded-proto.\nSafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream\nscheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme\nis HTTP, only HTTP redirect targets are allowed." + enum: + - "Always" + - "Never" + - "SafeOnly" + type: "string" + denyRepeatedRouteRedirect: + description: "If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has\nbeen followed by a previous redirect from the current route." + type: "boolean" + maxInternalRedirects: + description: "MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal\nredirects that a downstream request has encountered is lower than this value." + format: "int32" + type: "integer" + redirectResponseCodes: + description: "RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect.\nOnly 301, 302, 303, 307 and 308 are valid values." + items: + description: "RedirectResponseCode is a uint32 type alias with validation to ensure that the value is valid." + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + format: "int32" + type: "integer" + type: "array" + type: "object" + ipAllowPolicy: + description: "IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching\nrequests should be allowed. All other requests will be denied.\nOnly one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.\nThe rules defined here override any rules set on the root HTTPProxy." + items: + properties: + cidr: + description: "CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be\na bare IP address (without a mask) to filter on exactly one address." + type: "string" + source: + description: "Source indicates how to determine the ip address to filter on, and can be\none of two values:\n - `Remote` filters on the ip address of the client, accounting for PROXY and\n X-Forwarded-For as needed.\n - `Peer` filters on the ip of the network request, ignoring PROXY and\n X-Forwarded-For." + enum: + - "Peer" + - "Remote" + type: "string" + required: + - "cidr" + - "source" + type: "object" + type: "array" + ipDenyPolicy: + description: "IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching\nrequests should be denied. All other requests will be allowed.\nOnly one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.\nThe rules defined here override any rules set on the root HTTPProxy." + items: + properties: + cidr: + description: "CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be\na bare IP address (without a mask) to filter on exactly one address." + type: "string" + source: + description: "Source indicates how to determine the ip address to filter on, and can be\none of two values:\n - `Remote` filters on the ip address of the client, accounting for PROXY and\n X-Forwarded-For as needed.\n - `Peer` filters on the ip of the network request, ignoring PROXY and\n X-Forwarded-For." + enum: + - "Peer" + - "Remote" + type: "string" + required: + - "cidr" + - "source" + type: "object" + type: "array" + jwtVerificationPolicy: + description: "The policy for verifying JWTs for requests to this route." + properties: + disabled: + description: "Disabled defines whether to disable all JWT verification for this\nroute. This can be used to opt specific routes out of the default\nJWT provider for the HTTPProxy. At most one of this field or the\n\"require\" field can be specified." + type: "boolean" + require: + description: "Require names a specific JWT provider (defined in the virtual host)\nto require for the route. If specified, this field overrides the\ndefault provider if one exists. If this field is not specified,\nthe default provider will be required if one exists. At most one of\nthis field or the \"disabled\" field can be specified." + type: "string" + type: "object" + loadBalancerPolicy: + description: "The load balancing policy for this route." + properties: + requestHashPolicies: + description: "RequestHashPolicies contains a list of hash policies to apply when the\n`RequestHash` load balancing strategy is chosen. If an element of the\nsupplied list of hash policies is invalid, it will be ignored. If the\nlist of hash policies is empty after validation, the load balancing\nstrategy will fall back to the default `RoundRobin`." + items: + description: "RequestHashPolicy contains configuration for an individual hash policy\non a request attribute." + properties: + hashSourceIP: + description: "HashSourceIP should be set to true when request source IP hash based\nload balancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + type: "boolean" + headerHashOptions: + description: "HeaderHashOptions should be set when request header hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + properties: + headerName: + description: "HeaderName is the name of the HTTP request header that will be used to\ncalculate the hash key. If the header specified is not present on a\nrequest, no hash will be produced." + minLength: 1 + type: "string" + type: "object" + queryParameterHashOptions: + description: "QueryParameterHashOptions should be set when request query parameter hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + properties: + parameterName: + description: "ParameterName is the name of the HTTP request query parameter that will be used to\ncalculate the hash key. If the query parameter specified is not present on a\nrequest, no hash will be produced." + minLength: 1 + type: "string" + type: "object" + terminal: + description: "Terminal is a flag that allows for short-circuiting computing of a hash\nfor a given request. If set to true, and the request attribute specified\nin the attribute hash options is present, no further hash policies will\nbe used to calculate a hash for the request." + type: "boolean" + type: "object" + type: "array" + strategy: + description: "Strategy specifies the policy used to balance requests\nacross the pool of backend pods. Valid policy names are\n`Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,\nand `RequestHash`. If an unknown strategy name is specified\nor no policy is supplied, the default `RoundRobin` policy\nis used." + type: "string" + type: "object" + pathRewritePolicy: + description: "The policy for rewriting the path of the request URL\nafter the request has been routed to a Service." + properties: + replacePrefix: + description: "ReplacePrefix describes how the path prefix should be replaced." + items: + description: "ReplacePrefix describes a path prefix replacement." + properties: + prefix: + description: "Prefix specifies the URL path prefix to be replaced.\nIf Prefix is specified, it must exactly match the MatchCondition\nprefix that is rendered by the chain of including HTTPProxies\nand only that path prefix will be replaced by Replacement.\nThis allows HTTPProxies that are included through multiple\nroots to only replace specific path prefixes, leaving others\nunmodified.\nIf Prefix is not specified, all routing prefixes rendered\nby the include chain will be replaced." + minLength: 1 + type: "string" + replacement: + description: "Replacement is the string that the routing path prefix\nwill be replaced with. This must not be empty." + minLength: 1 + type: "string" + required: + - "replacement" + type: "object" + type: "array" + type: "object" + permitInsecure: + description: "Allow this path to respond to insecure requests over HTTP which are normally\nnot permitted when a `virtualhost.tls` block is present." + type: "boolean" + rateLimitPolicy: + description: "The policy for rate limiting on the route." + properties: + global: + description: "Global defines global rate limiting parameters, i.e. parameters\ndefining descriptors that are sent to an external rate limit\nservice (RLS) for a rate limit decision on each request." + properties: + descriptors: + description: "Descriptors defines the list of descriptors that will\nbe generated and sent to the rate limit service. Each\ndescriptor contains 1+ key-value pair entries." + items: + description: "RateLimitDescriptor defines a list of key-value pair generators." + properties: + entries: + description: "Entries is the list of key-value pair generators." + items: + description: "RateLimitDescriptorEntry is a key-value pair generator. Exactly\none field on this struct must be non-nil." + properties: + genericKey: + description: "GenericKey defines a descriptor entry with a static key and value." + properties: + key: + description: "Key defines the key of the descriptor entry. If not set, the\nkey is set to \"generic_key\"." + type: "string" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + remoteAddress: + description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." + type: "object" + requestHeader: + description: "RequestHeader defines a descriptor entry that's populated only if\na given header is present on the request. The descriptor key is static,\nand the descriptor value is equal to the value of the header." + properties: + descriptorKey: + description: "DescriptorKey defines the key to use on the descriptor entry." + minLength: 1 + type: "string" + headerName: + description: "HeaderName defines the name of the header to look for on the request." + minLength: 1 + type: "string" + type: "object" + requestHeaderValueMatch: + description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." + properties: + expectMatch: + default: true + description: "ExpectMatch defines whether the request must positively match the match\ncriteria in order to generate a descriptor entry (i.e. true), or not\nmatch the match criteria in order to generate a descriptor entry (i.e. false).\nThe default is true." + type: "boolean" + headers: + description: "Headers is a list of 1+ match criteria to apply against the request\nto determine whether to populate the descriptor entry or not." + items: + description: "HeaderMatchCondition specifies how to conditionally match against HTTP\nheaders. The Name field is required, only one of Present, NotPresent,\nContains, NotContains, Exact, NotExact and Regex can be set.\nFor negative matching rules only (e.g. NotContains or NotExact) you can set\nTreatMissingAsEmpty.\nIgnoreCase has no effect for Regex." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe header value." + type: "string" + exact: + description: "Exact specifies a string that the header value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the header to match against. Name is required.\nHeader names are case insensitive." + type: "string" + notcontains: + description: "NotContains specifies a substring that must not be present\nin the header value." + type: "string" + notexact: + description: "NoExact specifies a string that the header value must not be\nequal to. The condition is true if the header has any other value." + type: "string" + notpresent: + description: "NotPresent specifies that condition is true when the named header\nis not present. Note that setting NotPresent to false does not\nmake the condition true if the named header is present." + type: "boolean" + present: + description: "Present specifies that condition is true when the named header\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named header\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the header\nvalue." + type: "string" + treatMissingAsEmpty: + description: "TreatMissingAsEmpty specifies if the header match rule specified header\ndoes not exist, this header value will be treated as empty. Defaults to false.\nUnlike the underlying Envoy implementation this is **only** supported for\nnegative matches (e.g. NotContains, NotExact)." + type: "boolean" + required: + - "name" + type: "object" + minItems: 1 + type: "array" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + type: "object" + minItems: 1 + type: "array" + type: "object" + minItems: 1 + type: "array" + disabled: + description: "Disabled configures the HTTPProxy to not use\nthe default global rate limit policy defined by the Contour configuration." + type: "boolean" + type: "object" + local: + description: "Local defines local rate limiting parameters, i.e. parameters\nfor rate limiting that occurs within each Envoy pod as requests\nare handled." + properties: + burst: + description: "Burst defines the number of requests above the requests per\nunit that should be allowed within a short period of time." + format: "int32" + type: "integer" + requests: + description: "Requests defines how many requests per unit of time should\nbe allowed before rate limiting occurs." + format: "int32" + minimum: 1.0 + type: "integer" + responseHeadersToAdd: + description: "ResponseHeadersToAdd is an optional list of response headers to\nset when a request is rate-limited." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + responseStatusCode: + description: "ResponseStatusCode is the HTTP status code to use for responses\nto rate-limited requests. Codes must be in the 400-599 range\n(inclusive). If not specified, the Envoy default of 429 (Too\nMany Requests) is used." + format: "int32" + maximum: 599.0 + minimum: 400.0 + type: "integer" + unit: + description: "Unit defines the period of time within which requests\nover the limit will be rate limited. Valid values are\n\"second\", \"minute\" and \"hour\"." + enum: + - "second" + - "minute" + - "hour" + type: "string" + required: + - "requests" + - "unit" + type: "object" + type: "object" + requestHeadersPolicy: + description: "The policy for managing request headers during proxying.\nYou may dynamically rewrite the Host header to be forwarded\nupstream to the content of a request header using\nthe below format \"%REQ(X-Header-Name)%\". If the value of the header\nis empty, it is ignored.\n*NOTE: Pay attention to the potential security implications of using this option.\nProvided header must come from trusted source.\n**NOTE: The header rewrite is only done while forwarding and has no bearing\non the routing decision." + properties: + remove: + description: "Remove specifies a list of HTTP header names to remove." + items: + type: "string" + type: "array" + set: + description: "Set specifies a list of HTTP header values that will be set in the HTTP header.\nIf the header does not exist it will be added, otherwise it will be overwritten with the new value." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + type: "object" + requestRedirectPolicy: + description: "RequestRedirectPolicy defines an HTTP redirection." + properties: + hostname: + description: "Hostname is the precise hostname to be used in the value of the `Location`\nheader in the response.\nWhen empty, the hostname of the request is used.\nNo wildcards are allowed." + maxLength: 253 + minLength: 1 + pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + type: "string" + path: + description: "Path allows for redirection to a different path from the\noriginal on the request. The path must start with a\nleading slash.\nNote: Only one of Path or Prefix can be defined." + pattern: "^\\/.*$" + type: "string" + port: + description: "Port is the port to be used in the value of the `Location`\nheader in the response.\nWhen empty, port (if specified) of the request is used." + format: "int32" + maximum: 65535.0 + minimum: 1.0 + type: "integer" + prefix: + description: "Prefix defines the value to swap the matched prefix or path with.\nThe prefix must start with a leading slash.\nNote: Only one of Path or Prefix can be defined." + pattern: "^\\/.*$" + type: "string" + scheme: + description: "Scheme is the scheme to be used in the value of the `Location`\nheader in the response.\nWhen empty, the scheme of the request is used." + enum: + - "http" + - "https" + type: "string" + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response." + enum: + - 301 + - 302 + type: "integer" + type: "object" + responseHeadersPolicy: + description: "The policy for managing response headers during proxying.\nRewriting the 'Host' header is not supported." + properties: + remove: + description: "Remove specifies a list of HTTP header names to remove." + items: + type: "string" + type: "array" + set: + description: "Set specifies a list of HTTP header values that will be set in the HTTP header.\nIf the header does not exist it will be added, otherwise it will be overwritten with the new value." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + type: "object" + retryPolicy: + description: "The retry policy for this route." + properties: + count: + default: 1 + description: "NumRetries is maximum allowed number of retries.\nIf set to -1, then retries are disabled.\nIf set to 0 or not supplied, the value is set\nto the Envoy default of 1." + format: "int64" + minimum: -1.0 + type: "integer" + perTryTimeout: + description: "PerTryTimeout specifies the timeout per retry attempt.\nIgnored if NumRetries is not supplied." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + retriableStatusCodes: + description: "RetriableStatusCodes specifies the HTTP status codes that should be retried.\nThis field is only respected when you include `retriable-status-codes` in the `RetryOn` field." + items: + format: "int32" + type: "integer" + type: "array" + retryOn: + description: "RetryOn specifies the conditions on which to retry a request.\nSupported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):\n- `5xx`\n- `gateway-error`\n- `reset`\n- `connect-failure`\n- `retriable-4xx`\n- `refused-stream`\n- `retriable-status-codes`\n- `retriable-headers`\nSupported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):\n- `cancelled`\n- `deadline-exceeded`\n- `internal`\n- `resource-exhausted`\n- `unavailable`" + items: + description: "RetryOn is a string type alias with validation to ensure that the value is valid." + enum: + - "5xx" + - "gateway-error" + - "reset" + - "connect-failure" + - "retriable-4xx" + - "refused-stream" + - "retriable-status-codes" + - "retriable-headers" + - "cancelled" + - "deadline-exceeded" + - "internal" + - "resource-exhausted" + - "unavailable" + type: "string" + type: "array" + type: "object" + services: + description: "Services are the services to proxy traffic." + items: + description: "Service defines an Kubernetes Service to proxy traffic." + properties: + cookieRewritePolicies: + description: "The policies for rewriting Set-Cookie header attributes." + items: + properties: + domainRewrite: + description: "DomainRewrite enables rewriting the Set-Cookie Domain element.\nIf not set, Domain will not be rewritten." + properties: + value: + description: "Value is the value to rewrite the Domain attribute to.\nFor now this is required." + maxLength: 4096 + minLength: 1 + pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + type: "string" + required: + - "value" + type: "object" + name: + description: "Name is the name of the cookie for which attributes will be rewritten." + maxLength: 4096 + minLength: 1 + pattern: "^[^()<>@,;:\\\\\"\\/[\\]?={} \\t\\x7f\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f]+$" + type: "string" + pathRewrite: + description: "PathRewrite enables rewriting the Set-Cookie Path element.\nIf not set, Path will not be rewritten." + properties: + value: + description: "Value is the value to rewrite the Path attribute to.\nFor now this is required." + maxLength: 4096 + minLength: 1 + pattern: "^[^;\\x7f\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f]+$" + type: "string" + required: + - "value" + type: "object" + sameSite: + description: "SameSite enables rewriting the Set-Cookie SameSite element.\nIf not set, SameSite attribute will not be rewritten." + enum: + - "Strict" + - "Lax" + - "None" + type: "string" + secure: + description: "Secure enables rewriting the Set-Cookie Secure element.\nIf not set, Secure attribute will not be rewritten." + type: "boolean" + required: + - "name" + type: "object" + type: "array" + healthPort: + description: "HealthPort is the port for this service healthcheck.\nIf not specified, Port is used for service healthchecks." + maximum: 65535.0 + minimum: 1.0 + type: "integer" + mirror: + description: "If Mirror is true the Service will receive a read only mirror of the traffic for this route.\nIf Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight\nfield. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.\nNOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This\noccurs since we cannot distinguish omitted fields from those explicitly set to their default\nvalues" + type: "boolean" + name: + description: "Name is the name of Kubernetes service to proxy traffic.\nNames defined here will be used to look up corresponding endpoints which contain the ips to route." + type: "string" + port: + description: "Port (defined as Integer) to proxy traffic to since a service can have multiple defined." + exclusiveMaximum: true + maximum: 65536.0 + minimum: 1.0 + type: "integer" + protocol: + description: "Protocol may be used to specify (or override) the protocol used to reach this Service.\nValues may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations." + enum: + - "h2" + - "h2c" + - "tls" + type: "string" + requestHeadersPolicy: + description: "The policy for managing request headers during proxying." + properties: + remove: + description: "Remove specifies a list of HTTP header names to remove." + items: + type: "string" + type: "array" + set: + description: "Set specifies a list of HTTP header values that will be set in the HTTP header.\nIf the header does not exist it will be added, otherwise it will be overwritten with the new value." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + type: "object" + responseHeadersPolicy: + description: "The policy for managing response headers during proxying.\nRewriting the 'Host' header is not supported." + properties: + remove: + description: "Remove specifies a list of HTTP header names to remove." + items: + type: "string" + type: "array" + set: + description: "Set specifies a list of HTTP header values that will be set in the HTTP header.\nIf the header does not exist it will be added, otherwise it will be overwritten with the new value." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + type: "object" + slowStartPolicy: + description: "Slow start will gradually increase amount of traffic to a newly added endpoint." + properties: + aggression: + default: "1.0" + description: "The speed of traffic increase over the slow start window.\nDefaults to 1.0, so that endpoint would get linearly increasing amount of traffic.\nWhen increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.\nThe value of aggression parameter should be greater than 0.0.\nMore info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + pattern: "^([0-9]+([.][0-9]+)?|[.][0-9]+)$" + type: "string" + minWeightPercent: + default: 10 + description: "The minimum or starting percentage of traffic to send to new endpoints.\nA non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.\nIf not specified, the default is 10%." + format: "int32" + maximum: 100.0 + minimum: 0.0 + type: "integer" + window: + description: "The duration of slow start window.\nDuration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+)$" + type: "string" + required: + - "window" + type: "object" + validation: + description: "UpstreamValidation defines how to verify the backend service's certificate" + properties: + caSecret: + description: "Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.\nThe secret must contain key named ca.crt.\nThe name can be optionally prefixed with namespace \"namespace/name\".\nWhen cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.\nMax length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)" + maxLength: 317 + minLength: 1 + type: "string" + subjectName: + description: "Key which is expected to be present in the 'subjectAltName' of the presented certificate.\nDeprecated: migrate to using the plural field subjectNames." + maxLength: 250 + minLength: 1 + type: "string" + subjectNames: + description: "List of keys, of which at least one is expected to be present in the 'subjectAltName of the\npresented certificate." + items: + type: "string" + maxItems: 8 + minItems: 1 + type: "array" + required: + - "caSecret" + - "subjectName" + type: "object" + x-kubernetes-validations: + - message: "subjectNames[0] must equal subjectName if set" + rule: "has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true" + weight: + description: "Weight defines percentage of traffic to balance traffic" + format: "int64" + minimum: 0.0 + type: "integer" + required: + - "name" + - "port" + type: "object" + type: "array" + timeoutPolicy: + description: "The timeout policy for this route." + properties: + idle: + description: "Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).\nTimeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.\nIf not specified, there is no per-route idle timeout, though a connection manager-wide\nstream_idle_timeout default of 5m still applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + idleConnection: + description: "Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.\nIf not supplied, Envoy's default value of 1h applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + response: + description: "Timeout for receiving a response from the server after processing a request from client.\nIf not supplied, Envoy's default value of 15s applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + type: "object" + type: "object" + type: "array" + tcpproxy: + description: "TCPProxy holds TCP proxy information." + properties: + healthCheckPolicy: + description: "The health check policy for this tcp proxy" + properties: + healthyThresholdCount: + description: "The number of healthy health checks required before a host is marked healthy" + format: "int32" + type: "integer" + intervalSeconds: + description: "The interval (seconds) between health checks" + format: "int64" + type: "integer" + timeoutSeconds: + description: "The time to wait (seconds) for a health check response" + format: "int64" + type: "integer" + unhealthyThresholdCount: + description: "The number of unhealthy health checks required before a host is marked unhealthy" + format: "int32" + type: "integer" + type: "object" + include: + description: "Include specifies that this tcpproxy should be delegated to another HTTPProxy." + properties: + name: + description: "Name of the child HTTPProxy" + type: "string" + namespace: + description: "Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied." + type: "string" + required: + - "name" + type: "object" + includes: + description: "IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.\nExists due to a mistake when developing HTTPProxy and the field was marked plural\nwhen it should have been singular. This field should stay to not break backwards compatibility to v1 users." + properties: + name: + description: "Name of the child HTTPProxy" + type: "string" + namespace: + description: "Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied." + type: "string" + required: + - "name" + type: "object" + loadBalancerPolicy: + description: "The load balancing policy for the backend services. Note that the\n`Cookie` and `RequestHash` load balancing strategies cannot be used\nhere." + properties: + requestHashPolicies: + description: "RequestHashPolicies contains a list of hash policies to apply when the\n`RequestHash` load balancing strategy is chosen. If an element of the\nsupplied list of hash policies is invalid, it will be ignored. If the\nlist of hash policies is empty after validation, the load balancing\nstrategy will fall back to the default `RoundRobin`." + items: + description: "RequestHashPolicy contains configuration for an individual hash policy\non a request attribute." + properties: + hashSourceIP: + description: "HashSourceIP should be set to true when request source IP hash based\nload balancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + type: "boolean" + headerHashOptions: + description: "HeaderHashOptions should be set when request header hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + properties: + headerName: + description: "HeaderName is the name of the HTTP request header that will be used to\ncalculate the hash key. If the header specified is not present on a\nrequest, no hash will be produced." + minLength: 1 + type: "string" + type: "object" + queryParameterHashOptions: + description: "QueryParameterHashOptions should be set when request query parameter hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + properties: + parameterName: + description: "ParameterName is the name of the HTTP request query parameter that will be used to\ncalculate the hash key. If the query parameter specified is not present on a\nrequest, no hash will be produced." + minLength: 1 + type: "string" + type: "object" + terminal: + description: "Terminal is a flag that allows for short-circuiting computing of a hash\nfor a given request. If set to true, and the request attribute specified\nin the attribute hash options is present, no further hash policies will\nbe used to calculate a hash for the request." + type: "boolean" + type: "object" + type: "array" + strategy: + description: "Strategy specifies the policy used to balance requests\nacross the pool of backend pods. Valid policy names are\n`Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,\nand `RequestHash`. If an unknown strategy name is specified\nor no policy is supplied, the default `RoundRobin` policy\nis used." + type: "string" + type: "object" + services: + description: "Services are the services to proxy traffic" + items: + description: "Service defines an Kubernetes Service to proxy traffic." + properties: + cookieRewritePolicies: + description: "The policies for rewriting Set-Cookie header attributes." + items: + properties: + domainRewrite: + description: "DomainRewrite enables rewriting the Set-Cookie Domain element.\nIf not set, Domain will not be rewritten." + properties: + value: + description: "Value is the value to rewrite the Domain attribute to.\nFor now this is required." + maxLength: 4096 + minLength: 1 + pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + type: "string" + required: + - "value" + type: "object" + name: + description: "Name is the name of the cookie for which attributes will be rewritten." + maxLength: 4096 + minLength: 1 + pattern: "^[^()<>@,;:\\\\\"\\/[\\]?={} \\t\\x7f\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f]+$" + type: "string" + pathRewrite: + description: "PathRewrite enables rewriting the Set-Cookie Path element.\nIf not set, Path will not be rewritten." + properties: + value: + description: "Value is the value to rewrite the Path attribute to.\nFor now this is required." + maxLength: 4096 + minLength: 1 + pattern: "^[^;\\x7f\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f]+$" + type: "string" + required: + - "value" + type: "object" + sameSite: + description: "SameSite enables rewriting the Set-Cookie SameSite element.\nIf not set, SameSite attribute will not be rewritten." + enum: + - "Strict" + - "Lax" + - "None" + type: "string" + secure: + description: "Secure enables rewriting the Set-Cookie Secure element.\nIf not set, Secure attribute will not be rewritten." + type: "boolean" + required: + - "name" + type: "object" + type: "array" + healthPort: + description: "HealthPort is the port for this service healthcheck.\nIf not specified, Port is used for service healthchecks." + maximum: 65535.0 + minimum: 1.0 + type: "integer" + mirror: + description: "If Mirror is true the Service will receive a read only mirror of the traffic for this route.\nIf Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight\nfield. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.\nNOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This\noccurs since we cannot distinguish omitted fields from those explicitly set to their default\nvalues" + type: "boolean" + name: + description: "Name is the name of Kubernetes service to proxy traffic.\nNames defined here will be used to look up corresponding endpoints which contain the ips to route." + type: "string" + port: + description: "Port (defined as Integer) to proxy traffic to since a service can have multiple defined." + exclusiveMaximum: true + maximum: 65536.0 + minimum: 1.0 + type: "integer" + protocol: + description: "Protocol may be used to specify (or override) the protocol used to reach this Service.\nValues may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations." + enum: + - "h2" + - "h2c" + - "tls" + type: "string" + requestHeadersPolicy: + description: "The policy for managing request headers during proxying." + properties: + remove: + description: "Remove specifies a list of HTTP header names to remove." + items: + type: "string" + type: "array" + set: + description: "Set specifies a list of HTTP header values that will be set in the HTTP header.\nIf the header does not exist it will be added, otherwise it will be overwritten with the new value." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + type: "object" + responseHeadersPolicy: + description: "The policy for managing response headers during proxying.\nRewriting the 'Host' header is not supported." + properties: + remove: + description: "Remove specifies a list of HTTP header names to remove." + items: + type: "string" + type: "array" + set: + description: "Set specifies a list of HTTP header values that will be set in the HTTP header.\nIf the header does not exist it will be added, otherwise it will be overwritten with the new value." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + type: "object" + slowStartPolicy: + description: "Slow start will gradually increase amount of traffic to a newly added endpoint." + properties: + aggression: + default: "1.0" + description: "The speed of traffic increase over the slow start window.\nDefaults to 1.0, so that endpoint would get linearly increasing amount of traffic.\nWhen increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.\nThe value of aggression parameter should be greater than 0.0.\nMore info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + pattern: "^([0-9]+([.][0-9]+)?|[.][0-9]+)$" + type: "string" + minWeightPercent: + default: 10 + description: "The minimum or starting percentage of traffic to send to new endpoints.\nA non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.\nIf not specified, the default is 10%." + format: "int32" + maximum: 100.0 + minimum: 0.0 + type: "integer" + window: + description: "The duration of slow start window.\nDuration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+)$" + type: "string" + required: + - "window" + type: "object" + validation: + description: "UpstreamValidation defines how to verify the backend service's certificate" + properties: + caSecret: + description: "Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.\nThe secret must contain key named ca.crt.\nThe name can be optionally prefixed with namespace \"namespace/name\".\nWhen cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.\nMax length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)" + maxLength: 317 + minLength: 1 + type: "string" + subjectName: + description: "Key which is expected to be present in the 'subjectAltName' of the presented certificate.\nDeprecated: migrate to using the plural field subjectNames." + maxLength: 250 + minLength: 1 + type: "string" + subjectNames: + description: "List of keys, of which at least one is expected to be present in the 'subjectAltName of the\npresented certificate." + items: + type: "string" + maxItems: 8 + minItems: 1 + type: "array" + required: + - "caSecret" + - "subjectName" + type: "object" + x-kubernetes-validations: + - message: "subjectNames[0] must equal subjectName if set" + rule: "has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true" + weight: + description: "Weight defines percentage of traffic to balance traffic" + format: "int64" + minimum: 0.0 + type: "integer" + required: + - "name" + - "port" + type: "object" + type: "array" + type: "object" + virtualhost: + description: "Virtualhost appears at most once. If it is present, the object is considered\nto be a \"root\" HTTPProxy." + properties: + authorization: + description: "This field configures an extension service to perform\nauthorization for this virtual host. Authorization can\nonly be configured on virtual hosts that have TLS enabled.\nIf the TLS configuration requires client certificate\nvalidation, the client certificate is always included in the\nauthentication check request." + properties: + authPolicy: + description: "AuthPolicy sets a default authorization policy for client requests.\nThis policy will be used unless overridden by individual routes." + properties: + context: + additionalProperties: + type: "string" + description: "Context is a set of key/value pairs that are sent to the\nauthentication server in the check request. If a context\nis provided at an enclosing scope, the entries are merged\nsuch that the inner scope overrides matching keys from the\nouter scope." + type: "object" + disabled: + description: "When true, this field disables client request authentication\nfor the scope of the policy." + type: "boolean" + type: "object" + extensionRef: + description: "ExtensionServiceRef specifies the extension resource that will authorize client requests." + properties: + apiVersion: + description: "API version of the referent.\nIf this field is not specified, the default \"projectcontour.io/v1alpha1\" will be used" + minLength: 1 + type: "string" + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: "string" + namespace: + description: "Namespace of the referent.\nIf this field is not specifies, the namespace of the resource that targets the referent will be used.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: "string" + type: "object" + failOpen: + description: "If FailOpen is true, the client request is forwarded to the upstream service\neven if the authorization server fails to respond. This field should not be\nset in most cases. It is intended for use only while migrating applications\nfrom internal authorization to Contour external authorization." + type: "boolean" + responseTimeout: + description: "ResponseTimeout configures maximum time to wait for a check response from the authorization server.\nTimeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\nThe string \"infinity\" is also a valid input and specifies no timeout." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + withRequestBody: + description: "WithRequestBody specifies configuration for sending the client request's body to authorization server." + properties: + allowPartialMessage: + description: "If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached." + type: "boolean" + maxRequestBytes: + default: 1024 + description: "MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory." + format: "int32" + minimum: 1.0 + type: "integer" + packAsBytes: + description: "If PackAsBytes is true, the body sent to Authorization Server is in raw bytes." + type: "boolean" + type: "object" + type: "object" + corsPolicy: + description: "Specifies the cross-origin policy to apply to the VirtualHost." + properties: + allowCredentials: + description: "Specifies whether the resource allows credentials." + type: "boolean" + allowHeaders: + description: "AllowHeaders specifies the content for the *access-control-allow-headers* header." + items: + description: "CORSHeaderValue specifies the value of the string headers returned by a cross-domain request." + pattern: "^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$" + type: "string" + minItems: 1 + type: "array" + allowMethods: + description: "AllowMethods specifies the content for the *access-control-allow-methods* header." + items: + description: "CORSHeaderValue specifies the value of the string headers returned by a cross-domain request." + pattern: "^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$" + type: "string" + minItems: 1 + type: "array" + allowOrigin: + description: "AllowOrigin specifies the origins that will be allowed to do CORS requests.\nAllowed values include \"*\" which signifies any origin is allowed, an exact\norigin of the form \"scheme://host[:port]\" (where port is optional), or a valid\nregex pattern.\nNote that regex patterns are validated and a simple \"glob\" pattern (e.g. *.foo.com)\nwill be rejected or produce unexpected matches when applied as a regex." + items: + type: "string" + minItems: 1 + type: "array" + allowPrivateNetwork: + description: "AllowPrivateNetwork specifies whether to allow private network requests.\nSee https://developer.chrome.com/blog/private-network-access-preflight." + type: "boolean" + exposeHeaders: + description: "ExposeHeaders Specifies the content for the *access-control-expose-headers* header." + items: + description: "CORSHeaderValue specifies the value of the string headers returned by a cross-domain request." + pattern: "^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$" + type: "string" + minItems: 1 + type: "array" + maxAge: + description: "MaxAge indicates for how long the results of a preflight request can be cached.\nMaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\nOnly positive values are allowed while 0 disables the cache requiring a preflight OPTIONS\ncheck for all cross-origin requests." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|0)$" + type: "string" + required: + - "allowMethods" + - "allowOrigin" + type: "object" + fqdn: + description: "The fully qualified domain name of the root of the ingress tree\nall leaves of the DAG rooted at this object relate to the fqdn." + pattern: "^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + type: "string" + ipAllowPolicy: + description: "IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching\nrequests should be allowed. All other requests will be denied.\nOnly one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.\nThe rules defined here may be overridden in a Route." + items: + properties: + cidr: + description: "CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be\na bare IP address (without a mask) to filter on exactly one address." + type: "string" + source: + description: "Source indicates how to determine the ip address to filter on, and can be\none of two values:\n - `Remote` filters on the ip address of the client, accounting for PROXY and\n X-Forwarded-For as needed.\n - `Peer` filters on the ip of the network request, ignoring PROXY and\n X-Forwarded-For." + enum: + - "Peer" + - "Remote" + type: "string" + required: + - "cidr" + - "source" + type: "object" + type: "array" + ipDenyPolicy: + description: "IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching\nrequests should be denied. All other requests will be allowed.\nOnly one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.\nThe rules defined here may be overridden in a Route." + items: + properties: + cidr: + description: "CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be\na bare IP address (without a mask) to filter on exactly one address." + type: "string" + source: + description: "Source indicates how to determine the ip address to filter on, and can be\none of two values:\n - `Remote` filters on the ip address of the client, accounting for PROXY and\n X-Forwarded-For as needed.\n - `Peer` filters on the ip of the network request, ignoring PROXY and\n X-Forwarded-For." + enum: + - "Peer" + - "Remote" + type: "string" + required: + - "cidr" + - "source" + type: "object" + type: "array" + jwtProviders: + description: "Providers to use for verifying JSON Web Tokens (JWTs) on the virtual host." + items: + description: "JWTProvider defines how to verify JWTs on requests." + properties: + audiences: + description: "Audiences that JWTs are allowed to have in the \"aud\" field.\nIf not provided, JWT audiences are not checked." + items: + type: "string" + type: "array" + default: + description: "Whether the provider should apply to all\nroutes in the HTTPProxy/its includes by\ndefault. At most one provider can be marked\nas the default. If no provider is marked\nas the default, individual routes must explicitly\nidentify the provider they require." + type: "boolean" + forwardJWT: + description: "Whether the JWT should be forwarded to the backend\nservice after successful verification. By default,\nthe JWT is not forwarded." + type: "boolean" + issuer: + description: "Issuer that JWTs are required to have in the \"iss\" field.\nIf not provided, JWT issuers are not checked." + type: "string" + name: + description: "Unique name for the provider." + minLength: 1 + type: "string" + remoteJWKS: + description: "Remote JWKS to use for verifying JWT signatures." + properties: + cacheDuration: + description: "How long to cache the JWKS locally. If not specified,\nEnvoy's default of 5m applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+)$" + type: "string" + dnsLookupFamily: + description: "The DNS IP address resolution policy for the JWKS URI.\nWhen configured as \"v4\", the DNS resolver will only perform a lookup\nfor addresses in the IPv4 family. If \"v6\" is configured, the DNS resolver\nwill only perform a lookup for addresses in the IPv6 family.\nIf \"all\" is configured, the DNS resolver\nwill perform a lookup for addresses in both the IPv4 and IPv6 family.\nIf \"auto\" is configured, the DNS resolver will first perform a lookup\nfor addresses in the IPv6 family and fallback to a lookup for addresses\nin the IPv4 family. If not specified, the Contour-wide setting defined\nin the config file or ContourConfiguration applies (defaults to \"auto\").\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily\nfor more information." + enum: + - "auto" + - "v4" + - "v6" + type: "string" + timeout: + description: "How long to wait for a response from the URI.\nIf not specified, a default of 1s applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+)$" + type: "string" + uri: + description: "The URI for the JWKS." + minLength: 1 + type: "string" + validation: + description: "UpstreamValidation defines how to verify the JWKS's TLS certificate." + properties: + caSecret: + description: "Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.\nThe secret must contain key named ca.crt.\nThe name can be optionally prefixed with namespace \"namespace/name\".\nWhen cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.\nMax length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)" + maxLength: 317 + minLength: 1 + type: "string" + subjectName: + description: "Key which is expected to be present in the 'subjectAltName' of the presented certificate.\nDeprecated: migrate to using the plural field subjectNames." + maxLength: 250 + minLength: 1 + type: "string" + subjectNames: + description: "List of keys, of which at least one is expected to be present in the 'subjectAltName of the\npresented certificate." + items: + type: "string" + maxItems: 8 + minItems: 1 + type: "array" + required: + - "caSecret" + - "subjectName" + type: "object" + x-kubernetes-validations: + - message: "subjectNames[0] must equal subjectName if set" + rule: "has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true" + required: + - "uri" + type: "object" + required: + - "name" + - "remoteJWKS" + type: "object" + type: "array" + rateLimitPolicy: + description: "The policy for rate limiting on the virtual host." + properties: + global: + description: "Global defines global rate limiting parameters, i.e. parameters\ndefining descriptors that are sent to an external rate limit\nservice (RLS) for a rate limit decision on each request." + properties: + descriptors: + description: "Descriptors defines the list of descriptors that will\nbe generated and sent to the rate limit service. Each\ndescriptor contains 1+ key-value pair entries." + items: + description: "RateLimitDescriptor defines a list of key-value pair generators." + properties: + entries: + description: "Entries is the list of key-value pair generators." + items: + description: "RateLimitDescriptorEntry is a key-value pair generator. Exactly\none field on this struct must be non-nil." + properties: + genericKey: + description: "GenericKey defines a descriptor entry with a static key and value." + properties: + key: + description: "Key defines the key of the descriptor entry. If not set, the\nkey is set to \"generic_key\"." + type: "string" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + remoteAddress: + description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." + type: "object" + requestHeader: + description: "RequestHeader defines a descriptor entry that's populated only if\na given header is present on the request. The descriptor key is static,\nand the descriptor value is equal to the value of the header." + properties: + descriptorKey: + description: "DescriptorKey defines the key to use on the descriptor entry." + minLength: 1 + type: "string" + headerName: + description: "HeaderName defines the name of the header to look for on the request." + minLength: 1 + type: "string" + type: "object" + requestHeaderValueMatch: + description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." + properties: + expectMatch: + default: true + description: "ExpectMatch defines whether the request must positively match the match\ncriteria in order to generate a descriptor entry (i.e. true), or not\nmatch the match criteria in order to generate a descriptor entry (i.e. false).\nThe default is true." + type: "boolean" + headers: + description: "Headers is a list of 1+ match criteria to apply against the request\nto determine whether to populate the descriptor entry or not." + items: + description: "HeaderMatchCondition specifies how to conditionally match against HTTP\nheaders. The Name field is required, only one of Present, NotPresent,\nContains, NotContains, Exact, NotExact and Regex can be set.\nFor negative matching rules only (e.g. NotContains or NotExact) you can set\nTreatMissingAsEmpty.\nIgnoreCase has no effect for Regex." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe header value." + type: "string" + exact: + description: "Exact specifies a string that the header value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the header to match against. Name is required.\nHeader names are case insensitive." + type: "string" + notcontains: + description: "NotContains specifies a substring that must not be present\nin the header value." + type: "string" + notexact: + description: "NoExact specifies a string that the header value must not be\nequal to. The condition is true if the header has any other value." + type: "string" + notpresent: + description: "NotPresent specifies that condition is true when the named header\nis not present. Note that setting NotPresent to false does not\nmake the condition true if the named header is present." + type: "boolean" + present: + description: "Present specifies that condition is true when the named header\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named header\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the header\nvalue." + type: "string" + treatMissingAsEmpty: + description: "TreatMissingAsEmpty specifies if the header match rule specified header\ndoes not exist, this header value will be treated as empty. Defaults to false.\nUnlike the underlying Envoy implementation this is **only** supported for\nnegative matches (e.g. NotContains, NotExact)." + type: "boolean" + required: + - "name" + type: "object" + minItems: 1 + type: "array" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + type: "object" + minItems: 1 + type: "array" + type: "object" + minItems: 1 + type: "array" + disabled: + description: "Disabled configures the HTTPProxy to not use\nthe default global rate limit policy defined by the Contour configuration." + type: "boolean" + type: "object" + local: + description: "Local defines local rate limiting parameters, i.e. parameters\nfor rate limiting that occurs within each Envoy pod as requests\nare handled." + properties: + burst: + description: "Burst defines the number of requests above the requests per\nunit that should be allowed within a short period of time." + format: "int32" + type: "integer" + requests: + description: "Requests defines how many requests per unit of time should\nbe allowed before rate limiting occurs." + format: "int32" + minimum: 1.0 + type: "integer" + responseHeadersToAdd: + description: "ResponseHeadersToAdd is an optional list of response headers to\nset when a request is rate-limited." + items: + description: "HeaderValue represents a header name/value pair" + properties: + name: + description: "Name represents a key of a header" + minLength: 1 + type: "string" + value: + description: "Value represents the value of a header specified by a key" + minLength: 1 + type: "string" + required: + - "name" + - "value" + type: "object" + type: "array" + responseStatusCode: + description: "ResponseStatusCode is the HTTP status code to use for responses\nto rate-limited requests. Codes must be in the 400-599 range\n(inclusive). If not specified, the Envoy default of 429 (Too\nMany Requests) is used." + format: "int32" + maximum: 599.0 + minimum: 400.0 + type: "integer" + unit: + description: "Unit defines the period of time within which requests\nover the limit will be rate limited. Valid values are\n\"second\", \"minute\" and \"hour\"." + enum: + - "second" + - "minute" + - "hour" + type: "string" + required: + - "requests" + - "unit" + type: "object" + type: "object" + tls: + description: "If present the fields describes TLS properties of the virtual\nhost. The SNI names that will be matched on are described in fqdn,\nthe tls.secretName secret must contain a certificate that itself\ncontains a name that matches the FQDN." + properties: + clientValidation: + description: "ClientValidation defines how to verify the client certificate\nwhen an external client establishes a TLS connection to Envoy.\nThis setting:\n1. Enables TLS client certificate validation.\n2. Specifies how the client certificate will be validated (i.e.\n validation required or skipped).\nNote: Setting client certificate validation to be skipped should\nbe only used in conjunction with an external authorization server that\nperforms client validation as Contour will ensure client certificates\nare passed along." + properties: + caSecret: + description: "Name of a Kubernetes secret that contains a CA certificate bundle.\nThe secret must contain key named ca.crt.\nThe client certificate must validate against the certificates in the bundle.\nIf specified and SkipClientCertValidation is true, client certificates will\nbe required on requests.\nThe name can be optionally prefixed with namespace \"namespace/name\".\nWhen cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret." + minLength: 1 + type: "string" + crlOnlyVerifyLeafCert: + description: "If this option is set to true, only the certificate at the end of the\ncertificate chain will be subject to validation by CRL." + type: "boolean" + crlSecret: + description: "Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs.\nThe secret must contain key named crl.pem.\nThis field will be used to verify that a client certificate has not been revoked.\nCRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true.\nLarge CRL lists are not supported since individual secrets are limited to 1MiB in size.\nThe name can be optionally prefixed with namespace \"namespace/name\".\nWhen cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret." + minLength: 1 + type: "string" + forwardClientCertificate: + description: "ForwardClientCertificate adds the selected data from the passed client TLS certificate\nto the x-forwarded-client-cert header." + properties: + cert: + description: "Client cert in URL encoded PEM format." + type: "boolean" + chain: + description: "Client cert chain (including the leaf cert) in URL encoded PEM format." + type: "boolean" + dns: + description: "DNS type Subject Alternative Names of the client cert." + type: "boolean" + subject: + description: "Subject of the client cert." + type: "boolean" + uri: + description: "URI type Subject Alternative Name of the client cert." + type: "boolean" + type: "object" + optionalClientCertificate: + description: "OptionalClientCertificate when set to true will request a client certificate\nbut allow the connection to continue if the client does not provide one.\nIf a client certificate is sent, it will be verified according to the\nother properties, which includes disabling validation if\nSkipClientCertValidation is set. Defaults to false." + type: "boolean" + skipClientCertValidation: + description: "SkipClientCertValidation disables downstream client certificate\nvalidation. Defaults to false. This field is intended to be used in\nconjunction with external authorization in order to enable the external\nauthorization server to validate client certificates. When this field\nis set to true, client certificates are requested but not verified by\nEnvoy. If CACertificate is specified, client certificates are required on\nrequests, but not verified. If external authorization is in use, they are\npresented to the external authorization server." + type: "boolean" + type: "object" + enableFallbackCertificate: + description: "EnableFallbackCertificate defines if the vhost should allow a default certificate to\nbe applied which handles all requests which don't match the SNI defined in this vhost." + type: "boolean" + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS version this vhost should\nnegotiate. Valid options are `1.2` and `1.3` (default). Any other value\ndefaults to TLS 1.3." + type: "string" + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS version this vhost should\nnegotiate. Valid options are `1.2` (default) and `1.3`. Any other value\ndefaults to TLS 1.2." + type: "string" + passthrough: + description: "Passthrough defines whether the encrypted TLS handshake will be\npassed through to the backing cluster. Either Passthrough or\nSecretName must be specified, but not both." + type: "boolean" + secretName: + description: "SecretName is the name of a TLS secret.\nEither SecretName or Passthrough must be specified, but not both.\nIf specified, the named secret must contain a matching certificate\nfor the virtual host's FQDN.\nThe name can be optionally prefixed with namespace \"namespace/name\".\nWhen cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret." + type: "string" + type: "object" + required: + - "fqdn" + type: "object" + type: "object" + status: + default: + currentStatus: "NotReconciled" + description: "Waiting for controller" + description: "Status is a container for computed information about the HTTPProxy." + properties: + conditions: + description: "Conditions contains information about the current status of the HTTPProxy,\nin an upstream-friendly container.\nContour will update a single condition, `Valid`, that is in normal-true polarity.\nThat is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,\nand vice versa.\nContour will leave untouched any other Conditions set in this block,\nin case some other controller wants to add a Condition.\nIf you are another controller owner and wish to add a condition, you *should*\nnamespace your condition with a label, like `controller.domain.com/ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes conditions, with two extra\nfields to hold sub-conditions, which provide more detailed reasons for the state (True or False)\nof the condition.\n`errors` holds information about sub-conditions which are fatal to that condition and render its state False.\n`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.\nRemember that Conditions have a type, a status, and a reason.\nThe type is the type of the condition, the most important one in this CRD set is `Valid`.\n`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.\nIn more detail, `status: true` means that the object is has been ingested into Contour with no errors.\n`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`\nslice in this case.\n`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.\nThe details of the errors will be present under the `errors` field. There must be at least one error in the `errors`\nslice if `status` is `false`.\nFor DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.\nWhen they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.\nWhen they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.\nIn either case, there may be entries in the `warnings` slice.\nRegardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason\n(if there is one and only one entry in total across both the `errors` and `warnings` slices), or\n`MultipleReasons` if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.\nAn empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + lastTransitionTime: + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + format: "date-time" + type: "string" + message: + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + observedGeneration: + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." + format: "int64" + minimum: 0.0 + type: "integer" + reason: + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + warnings: + description: "Warnings contains a slice of relevant warning subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.\nAn empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + required: + - "lastTransitionTime" + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + x-kubernetes-list-map-keys: + - "type" + x-kubernetes-list-type: "map" + currentStatus: + type: "string" + description: + type: "string" + loadBalancer: + description: "LoadBalancer contains the current status of the load balancer." + properties: + ingress: + description: "Ingress is a list containing ingress points for the load-balancer.\nTraffic intended for the service should be sent to these ingress points." + items: + description: "LoadBalancerIngress represents the status of a load-balancer ingress point:\ntraffic intended for the service should be sent to an ingress point." + properties: + hostname: + description: "Hostname is set for load-balancer ingress points that are DNS based\n(typically AWS load-balancers)" + type: "string" + ip: + description: "IP is set for load-balancer ingress points that are IP based\n(typically GCE or OpenStack load-balancers)" + type: "string" + ipMode: + description: "IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.\nSetting this to \"VIP\" indicates that traffic is delivered to the node with\nthe destination set to the load-balancer's IP and port.\nSetting this to \"Proxy\" indicates that traffic is delivered to the node or pod with\nthe destination set to the node's IP and node port or the pod's IP and port.\nService implementations may use this information to adjust traffic routing." + type: "string" + ports: + description: "Ports is a list of records of service ports\nIf used, every port defined in the service should have an entry in it" + items: + properties: + error: + description: "Error is to record the problem with the service port\nThe format of the error shall comply with the following rules:\n- built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.\n---\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + port: + description: "Port is the port number of the service port of which status is recorded here" + format: "int32" + type: "integer" + protocol: + default: "TCP" + description: "Protocol is the protocol of the service port of which status is recorded here\nThe supported values are: \"TCP\", \"UDP\", \"SCTP\"" + type: "string" + required: + - "port" + - "protocol" + type: "object" + type: "array" + x-kubernetes-list-type: "atomic" + type: "object" + type: "array" + type: "object" + type: "object" + required: + - "metadata" + - "spec" + type: "object" + served: true + storage: true + subresources: + status: {} diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.args b/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.args new file mode 100644 index 000000000..7ab47510b --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.args @@ -0,0 +1 @@ +--derive=PartialEq diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml new file mode 100644 index 000000000..42737e872 --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml @@ -0,0 +1,181 @@ +apiVersion: "apiextensions.k8s.io/v1" +kind: "CustomResourceDefinition" +metadata: + annotations: + controller-gen.kubebuilder.io/version: "v0.14.0" + name: "tlscertificatedelegations.projectcontour.io" +spec: + group: "projectcontour.io" + names: + kind: "TLSCertificateDelegation" + listKind: "TLSCertificateDelegationList" + plural: "tlscertificatedelegations" + shortNames: + - "tlscerts" + singular: "tlscertificatedelegation" + preserveUnknownFields: false + scope: "Namespaced" + versions: + - name: "v1" + schema: + openAPIV3Schema: + description: "TLSCertificateDelegation is an TLS Certificate Delegation CRD specification.\nSee design/tls-certificate-delegation.md for details." + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + kind: + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + metadata: + type: "object" + spec: + description: "TLSCertificateDelegationSpec defines the spec of the CRD" + properties: + delegations: + items: + description: "CertificateDelegation maps the authority to reference a secret\nin the current namespace to a set of namespaces." + properties: + secretName: + description: "required, the name of a secret in the current namespace." + type: "string" + targetNamespaces: + description: "required, the namespaces the authority to reference the\nsecret will be delegated to.\nIf TargetNamespaces is nil or empty, the CertificateDelegation'\nis ignored. If the TargetNamespace list contains the character, \"*\"\nthe secret will be delegated to all namespaces." + items: + type: "string" + type: "array" + required: + - "secretName" + - "targetNamespaces" + type: "object" + type: "array" + required: + - "delegations" + type: "object" + status: + description: "TLSCertificateDelegationStatus allows for the status of the delegation\nto be presented to the user." + properties: + conditions: + description: "Conditions contains information about the current status of the HTTPProxy,\nin an upstream-friendly container.\nContour will update a single condition, `Valid`, that is in normal-true polarity.\nThat is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,\nand vice versa.\nContour will leave untouched any other Conditions set in this block,\nin case some other controller wants to add a Condition.\nIf you are another controller owner and wish to add a condition, you *should*\nnamespace your condition with a label, like `controller.domain.com\\ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes conditions, with two extra\nfields to hold sub-conditions, which provide more detailed reasons for the state (True or False)\nof the condition.\n`errors` holds information about sub-conditions which are fatal to that condition and render its state False.\n`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.\nRemember that Conditions have a type, a status, and a reason.\nThe type is the type of the condition, the most important one in this CRD set is `Valid`.\n`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.\nIn more detail, `status: true` means that the object is has been ingested into Contour with no errors.\n`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`\nslice in this case.\n`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.\nThe details of the errors will be present under the `errors` field. There must be at least one error in the `errors`\nslice if `status` is `false`.\nFor DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.\nWhen they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.\nWhen they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.\nIn either case, there may be entries in the `warnings` slice.\nRegardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason\n(if there is one and only one entry in total across both the `errors` and `warnings` slices), or\n`MultipleReasons` if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.\nAn empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + lastTransitionTime: + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + format: "date-time" + type: "string" + message: + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + observedGeneration: + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." + format: "int64" + minimum: 0.0 + type: "integer" + reason: + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + warnings: + description: "Warnings contains a slice of relevant warning subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.\nAn empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + required: + - "lastTransitionTime" + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + x-kubernetes-list-map-keys: + - "type" + x-kubernetes-list-type: "map" + type: "object" + required: + - "metadata" + - "spec" + type: "object" + served: true + storage: true + subresources: + status: {} diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.args b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.args new file mode 100644 index 000000000..7ab47510b --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.args @@ -0,0 +1 @@ +--derive=PartialEq diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml new file mode 100644 index 000000000..1fc8ab20c --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml @@ -0,0 +1,839 @@ +apiVersion: "apiextensions.k8s.io/v1" +kind: "CustomResourceDefinition" +metadata: + annotations: + controller-gen.kubebuilder.io/version: "v0.14.0" + name: "contourconfigurations.projectcontour.io" +spec: + group: "projectcontour.io" + names: + kind: "ContourConfiguration" + listKind: "ContourConfigurationList" + plural: "contourconfigurations" + shortNames: + - "contourconfig" + singular: "contourconfiguration" + preserveUnknownFields: false + scope: "Namespaced" + versions: + - name: "v1alpha1" + schema: + openAPIV3Schema: + description: "ContourConfiguration is the schema for a Contour instance." + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + kind: + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + metadata: + type: "object" + spec: + description: "ContourConfigurationSpec represents a configuration of a Contour controller.\nIt contains most of all the options that can be customized, the\nother remaining options being command line flags." + properties: + debug: + description: "Debug contains parameters to enable debug logging\nand debug interfaces inside Contour." + properties: + address: + description: "Defines the Contour debug address interface.\nContour's default is \"127.0.0.1\"." + type: "string" + port: + description: "Defines the Contour debug address port.\nContour's default is 6060." + type: "integer" + type: "object" + enableExternalNameService: + description: "EnableExternalNameService allows processing of ExternalNameServices\nContour's default is false for security reasons." + type: "boolean" + envoy: + description: "Envoy contains parameters for Envoy as well\nas how to optionally configure a managed Envoy fleet." + properties: + clientCertificate: + description: "ClientCertificate defines the namespace/name of the Kubernetes\nsecret containing the client certificate and private key\nto be used when establishing TLS connection to upstream\ncluster." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + cluster: + description: "Cluster holds various configurable Envoy cluster values that can\nbe set in the config file." + properties: + circuitBreakers: + description: "GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.\nIf defined, this will be used as the default for all services." + properties: + maxConnections: + description: "The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024." + format: "int32" + type: "integer" + maxPendingRequests: + description: "The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024." + format: "int32" + type: "integer" + maxRequests: + description: "The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024" + format: "int32" + type: "integer" + maxRetries: + description: "The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3." + format: "int32" + type: "integer" + type: "object" + dnsLookupFamily: + description: "DNSLookupFamily defines how external names are looked up\nWhen configured as V4, the DNS resolver will only perform a lookup\nfor addresses in the IPv4 family. If V6 is configured, the DNS resolver\nwill only perform a lookup for addresses in the IPv6 family.\nIf AUTO is configured, the DNS resolver will first perform a lookup\nfor addresses in the IPv6 family and fallback to a lookup for addresses\nin the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for\nboth IPv4 and IPv6 families, and return all resolved addresses.\nWhen this is used, Happy Eyeballs will be enabled for upstream connections.\nRefer to Happy Eyeballs Support for more information.\nNote: This only applies to externalName clusters.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily\nfor more information.\nValues: `auto` (default), `v4`, `v6`, `all`.\nOther values will produce an error." + type: "string" + maxRequestsPerConnection: + description: "Defines the maximum requests for upstream connections. If not specified, there is no limit.\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + per-connection-buffer-limit-bytes: + description: "Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.\nIf unspecified, an implementation defined default is applied (1MiB).\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + upstreamTLS: + description: "UpstreamTLS contains the TLS policy parameters for upstream connections" + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to be supported by Envoy TLS\nlisteners when negotiating TLS 1.2. Ciphers are validated against the\nset that Envoy supports by default. This parameter should only be used\nby advanced users. Note that these will be ignored when TLS 1.3 is in\nuse.\nThis field is optional; when it is undefined, a Contour-managed ciphersuite list\nwill be used, which may be updated to keep it secure.\nContour's default list is:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\nCiphers provided are validated against the following list:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES128-GCM-SHA256\"\n - \"ECDHE-RSA-AES128-GCM-SHA256\"\n - \"ECDHE-ECDSA-AES128-SHA\"\n - \"ECDHE-RSA-AES128-SHA\"\n - \"AES128-GCM-SHA256\"\n - \"AES128-SHA\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\n - \"ECDHE-ECDSA-AES256-SHA\"\n - \"ECDHE-RSA-AES256-SHA\"\n - \"AES256-GCM-SHA384\"\n - \"AES256-SHA\"\nContour recommends leaving this undefined unless you are sure you must.\nSee: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters\nNote: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS." + items: + type: "string" + type: "array" + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS version this vhost should\nnegotiate.\nValues: `1.2`, `1.3`(default).\nOther values will produce an error." + type: "string" + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS version this vhost should\nnegotiate.\nValues: `1.2` (default), `1.3`.\nOther values will produce an error." + type: "string" + type: "object" + type: "object" + defaultHTTPVersions: + description: "DefaultHTTPVersions defines the default set of HTTPS\nversions the proxy should accept. HTTP versions are\nstrings of the form \"HTTP/xx\". Supported versions are\n\"HTTP/1.1\" and \"HTTP/2\".\nValues: `HTTP/1.1`, `HTTP/2` (default: both).\nOther values will produce an error." + items: + description: "HTTPVersionType is the name of a supported HTTP version." + type: "string" + type: "array" + health: + description: "Health defines the endpoint Envoy uses to serve health checks.\nContour's default is { address: \"0.0.0.0\", port: 8002 }." + properties: + address: + description: "Defines the health address interface." + minLength: 1 + type: "string" + port: + description: "Defines the health port." + type: "integer" + type: "object" + http: + description: "Defines the HTTP Listener for Envoy.\nContour's default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" }." + properties: + accessLog: + description: "AccessLog defines where Envoy logs are outputted for this listener." + type: "string" + address: + description: "Defines an Envoy Listener Address." + minLength: 1 + type: "string" + port: + description: "Defines an Envoy listener Port." + type: "integer" + type: "object" + https: + description: "Defines the HTTPS Listener for Envoy.\nContour's default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" }." + properties: + accessLog: + description: "AccessLog defines where Envoy logs are outputted for this listener." + type: "string" + address: + description: "Defines an Envoy Listener Address." + minLength: 1 + type: "string" + port: + description: "Defines an Envoy listener Port." + type: "integer" + type: "object" + listener: + description: "Listener hold various configurable Envoy listener values." + properties: + connectionBalancer: + description: "ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig\nfor more information.\nValues: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.\nOther values will produce an error." + type: "string" + disableAllowChunkedLength: + description: "DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to\nstrip the \"Content-Length\" header if \"Transfer-Encoding: chunked\" is\nalso set. This is an emergency off-switch to revert back to Envoy's\ndefault behavior in case of failures. Please file an issue if failures\nare encountered.\nSee: https://github.com/projectcontour/contour/issues/3221\nContour's default is false." + type: "boolean" + disableMergeSlashes: + description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option\nwhich strips duplicate slashes from request URL paths.\nContour's default is false." + type: "boolean" + httpMaxConcurrentStreams: + description: "Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the\nSETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed\nfor a peer on a single HTTP/2 connection. It is recommended to not set this lower\nthan 100 but this field can be used to bound resource usage by HTTP/2 connections\nand mitigate attacks like CVE-2023-44487. The default value when this is not set is\nunlimited." + format: "int32" + minimum: 1.0 + type: "integer" + maxConnectionsPerListener: + description: "Defines the limit on number of active connections to a listener. The limit is applied\nper listener. The default value when this is not set is unlimited." + format: "int32" + minimum: 1.0 + type: "integer" + maxRequestsPerConnection: + description: "Defines the maximum requests for downstream connections. If not specified, there is no limit.\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + maxRequestsPerIOCycle: + description: "Defines the limit on number of HTTP requests that Envoy will process from a single\nconnection in a single I/O cycle. Requests over this limit are processed in subsequent\nI/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is\ndetected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default\nvalue when this is not set is no limit." + format: "int32" + minimum: 1.0 + type: "integer" + per-connection-buffer-limit-bytes: + description: "Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.\nIf unspecified, an implementation defined default is applied (1MiB).\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + serverHeaderTransformation: + description: "Defines the action to be applied to the Server header on the response path.\nWhen configured as overwrite, overwrites any Server header with \"envoy\".\nWhen configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\".\nWhen configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.\nValues: `overwrite` (default), `append_if_absent`, `pass_through`\nOther values will produce an error.\nContour's default is overwrite." + type: "string" + socketOptions: + description: "SocketOptions defines configurable socket options for the listeners.\nSingle set of options are applied to all listeners." + properties: + tos: + description: "Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.\nSingle value is applied to all listeners.\nIf listeners are bound to IPv6-only addresses, setting this option will cause an error." + format: "int32" + maximum: 255.0 + minimum: 0.0 + type: "integer" + trafficClass: + description: "Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.\nSingle value is applied to all listeners.\nIf listeners are bound to IPv4-only addresses, setting this option will cause an error." + format: "int32" + maximum: 255.0 + minimum: 0.0 + type: "integer" + type: "object" + tls: + description: "TLS holds various configurable Envoy TLS listener values." + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to be supported by Envoy TLS\nlisteners when negotiating TLS 1.2. Ciphers are validated against the\nset that Envoy supports by default. This parameter should only be used\nby advanced users. Note that these will be ignored when TLS 1.3 is in\nuse.\nThis field is optional; when it is undefined, a Contour-managed ciphersuite list\nwill be used, which may be updated to keep it secure.\nContour's default list is:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\nCiphers provided are validated against the following list:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES128-GCM-SHA256\"\n - \"ECDHE-RSA-AES128-GCM-SHA256\"\n - \"ECDHE-ECDSA-AES128-SHA\"\n - \"ECDHE-RSA-AES128-SHA\"\n - \"AES128-GCM-SHA256\"\n - \"AES128-SHA\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\n - \"ECDHE-ECDSA-AES256-SHA\"\n - \"ECDHE-RSA-AES256-SHA\"\n - \"AES256-GCM-SHA384\"\n - \"AES256-SHA\"\nContour recommends leaving this undefined unless you are sure you must.\nSee: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters\nNote: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS." + items: + type: "string" + type: "array" + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS version this vhost should\nnegotiate.\nValues: `1.2`, `1.3`(default).\nOther values will produce an error." + type: "string" + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS version this vhost should\nnegotiate.\nValues: `1.2` (default), `1.3`.\nOther values will produce an error." + type: "string" + type: "object" + useProxyProtocol: + description: "Use PROXY protocol for all listeners.\nContour's default is false." + type: "boolean" + type: "object" + logging: + description: "Logging defines how Envoy's logs can be configured." + properties: + accessLogFormat: + description: "AccessLogFormat sets the global access log format.\nValues: `envoy` (default), `json`.\nOther values will produce an error." + type: "string" + accessLogFormatString: + description: "AccessLogFormatString sets the access log format when format is set to `envoy`.\nWhen empty, Envoy's default format is used." + type: "string" + accessLogJSONFields: + description: "AccessLogJSONFields sets the fields that JSON logging will\noutput when AccessLogFormat is json." + items: + type: "string" + type: "array" + accessLogLevel: + description: "AccessLogLevel sets the verbosity level of the access log.\nValues: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.\nOther values will produce an error." + type: "string" + type: "object" + metrics: + description: "Metrics defines the endpoint Envoy uses to serve metrics.\nContour's default is { address: \"0.0.0.0\", port: 8002 }." + properties: + address: + description: "Defines the metrics address interface." + maxLength: 253 + minLength: 1 + type: "string" + port: + description: "Defines the metrics port." + type: "integer" + tls: + description: "TLS holds TLS file config details.\nMetrics and health endpoints cannot have same port number when metrics is served over HTTPS." + properties: + caFile: + description: "CA filename." + type: "string" + certFile: + description: "Client certificate filename." + type: "string" + keyFile: + description: "Client key filename." + type: "string" + type: "object" + type: "object" + network: + description: "Network holds various configurable Envoy network values." + properties: + adminPort: + description: "Configure the port used to access the Envoy Admin interface.\nIf configured to port \"0\" then the admin interface is disabled.\nContour's default is 9001." + type: "integer" + numTrustedHops: + description: "XffNumTrustedHops defines the number of additional ingress proxy hops from the\nright side of the x-forwarded-for HTTP header to trust when determining the origin\nclient’s IP address.\nSee https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops\nfor more information.\nContour's default is 0." + format: "int32" + type: "integer" + type: "object" + service: + description: "Service holds Envoy service parameters for setting Ingress status.\nContour's default is { namespace: \"projectcontour\", name: \"envoy\" }." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + timeouts: + description: "Timeouts holds various configurable timeouts that can\nbe set in the config file." + properties: + connectTimeout: + description: "ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.\nIf not set, a default value of 2 seconds will be used.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout\nfor more information." + type: "string" + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the proxy should wait while there are\nno active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating\nan HTTP connection. Set to \"infinity\" to disable the timeout entirely.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout\nfor more information." + type: "string" + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an\ninitial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.\nDuring this grace period, the proxy will continue to respond to new streams. After the final\nGOAWAY frame has been sent, the proxy will refuse new streams.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout\nfor more information." + type: "string" + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy will wait, once connection\nclose processing has been initiated, for the downstream peer to close\nthe connection before Envoy closes the socket associated with the connection.\nSetting this timeout to 'infinity' will disable it, equivalent to setting it to '0'\nin Envoy. Leaving it unset will result in the Envoy default value being used.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout\nfor more information." + type: "string" + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum period of time after an HTTP connection\nhas been established from the client to the proxy before it is closed by the proxy,\nregardless of whether there has been activity or not. Omit or set to \"infinity\" for\nno max duration.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration\nfor more information." + type: "string" + requestTimeout: + description: "RequestTimeout sets the client request timeout globally for Contour. Note that\nthis is a timeout for the entire request, not an idle timeout. Omit or set to\n\"infinity\" to disable the timeout entirely.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout\nfor more information." + type: "string" + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy should wait while there is no\nrequest activity (for HTTP/1.1) or stream activity (for HTTP/2) before\nterminating the HTTP request or stream. Set to \"infinity\" to disable the\ntimeout entirely.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout\nfor more information." + type: "string" + type: "object" + type: "object" + featureFlags: + description: "FeatureFlags defines toggle to enable new contour features.\nAvailable toggles are:\nuseEndpointSlices - configures contour to fetch endpoint data\nfrom k8s endpoint slices. defaults to false and reading endpoint\ndata from the k8s endpoints." + items: + type: "string" + type: "array" + gateway: + description: "Gateway contains parameters for the gateway-api Gateway that Contour\nis configured to serve traffic." + properties: + controllerName: + description: "ControllerName is used to determine whether Contour should reconcile a\nGatewayClass. The string takes the form of \"projectcontour.io//contour\".\nIf unset, the gatewayclass controller will not be started.\nExactly one of ControllerName or GatewayRef must be set.\nDeprecated: users should use GatewayRef, or the Gateway provisioner,\nin place of this field. This field will be removed in a future release." + type: "string" + gatewayRef: + description: "GatewayRef defines a specific Gateway that this Contour\ninstance corresponds to. If set, Contour will reconcile\nonly this gateway, and will not reconcile any gateway\nclasses.\nExactly one of ControllerName or GatewayRef must be set." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + type: "object" + globalExtAuth: + description: "GlobalExternalAuthorization allows envoys external authorization filter\nto be enabled for all virtual hosts." + properties: + authPolicy: + description: "AuthPolicy sets a default authorization policy for client requests.\nThis policy will be used unless overridden by individual routes." + properties: + context: + additionalProperties: + type: "string" + description: "Context is a set of key/value pairs that are sent to the\nauthentication server in the check request. If a context\nis provided at an enclosing scope, the entries are merged\nsuch that the inner scope overrides matching keys from the\nouter scope." + type: "object" + disabled: + description: "When true, this field disables client request authentication\nfor the scope of the policy." + type: "boolean" + type: "object" + extensionRef: + description: "ExtensionServiceRef specifies the extension resource that will authorize client requests." + properties: + apiVersion: + description: "API version of the referent.\nIf this field is not specified, the default \"projectcontour.io/v1alpha1\" will be used" + minLength: 1 + type: "string" + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: "string" + namespace: + description: "Namespace of the referent.\nIf this field is not specifies, the namespace of the resource that targets the referent will be used.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: "string" + type: "object" + failOpen: + description: "If FailOpen is true, the client request is forwarded to the upstream service\neven if the authorization server fails to respond. This field should not be\nset in most cases. It is intended for use only while migrating applications\nfrom internal authorization to Contour external authorization." + type: "boolean" + responseTimeout: + description: "ResponseTimeout configures maximum time to wait for a check response from the authorization server.\nTimeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\nThe string \"infinity\" is also a valid input and specifies no timeout." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + withRequestBody: + description: "WithRequestBody specifies configuration for sending the client request's body to authorization server." + properties: + allowPartialMessage: + description: "If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached." + type: "boolean" + maxRequestBytes: + default: 1024 + description: "MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory." + format: "int32" + minimum: 1.0 + type: "integer" + packAsBytes: + description: "If PackAsBytes is true, the body sent to Authorization Server is in raw bytes." + type: "boolean" + type: "object" + type: "object" + health: + description: "Health defines the endpoints Contour uses to serve health checks.\nContour's default is { address: \"0.0.0.0\", port: 8000 }." + properties: + address: + description: "Defines the health address interface." + minLength: 1 + type: "string" + port: + description: "Defines the health port." + type: "integer" + type: "object" + httpproxy: + description: "HTTPProxy defines parameters on HTTPProxy." + properties: + disablePermitInsecure: + description: "DisablePermitInsecure disables the use of the\npermitInsecure field in HTTPProxy.\nContour's default is false." + type: "boolean" + fallbackCertificate: + description: "FallbackCertificate defines the namespace/name of the Kubernetes secret to\nuse as fallback when a non-SNI request is received." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + rootNamespaces: + description: "Restrict Contour to searching these namespaces for root ingress routes." + items: + type: "string" + type: "array" + type: "object" + ingress: + description: "Ingress contains parameters for ingress options." + properties: + classNames: + description: "Ingress Class Names Contour should use." + items: + type: "string" + type: "array" + statusAddress: + description: "Address to set in Ingress object status." + type: "string" + type: "object" + metrics: + description: "Metrics defines the endpoint Contour uses to serve metrics.\nContour's default is { address: \"0.0.0.0\", port: 8000 }." + properties: + address: + description: "Defines the metrics address interface." + maxLength: 253 + minLength: 1 + type: "string" + port: + description: "Defines the metrics port." + type: "integer" + tls: + description: "TLS holds TLS file config details.\nMetrics and health endpoints cannot have same port number when metrics is served over HTTPS." + properties: + caFile: + description: "CA filename." + type: "string" + certFile: + description: "Client certificate filename." + type: "string" + keyFile: + description: "Client key filename." + type: "string" + type: "object" + type: "object" + policy: + description: "Policy specifies default policy applied if not overridden by the user" + properties: + applyToIngress: + description: "ApplyToIngress determines if the Policies will apply to ingress objects\nContour's default is false." + type: "boolean" + requestHeaders: + description: "RequestHeadersPolicy defines the request headers set/removed on all routes" + properties: + remove: + items: + type: "string" + type: "array" + set: + additionalProperties: + type: "string" + type: "object" + type: "object" + responseHeaders: + description: "ResponseHeadersPolicy defines the response headers set/removed on all routes" + properties: + remove: + items: + type: "string" + type: "array" + set: + additionalProperties: + type: "string" + type: "object" + type: "object" + type: "object" + rateLimitService: + description: "RateLimitService optionally holds properties of the Rate Limit Service\nto be used for global rate limiting." + properties: + defaultGlobalRateLimitPolicy: + description: "DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.\nHTTPProxy can overwrite this configuration." + properties: + descriptors: + description: "Descriptors defines the list of descriptors that will\nbe generated and sent to the rate limit service. Each\ndescriptor contains 1+ key-value pair entries." + items: + description: "RateLimitDescriptor defines a list of key-value pair generators." + properties: + entries: + description: "Entries is the list of key-value pair generators." + items: + description: "RateLimitDescriptorEntry is a key-value pair generator. Exactly\none field on this struct must be non-nil." + properties: + genericKey: + description: "GenericKey defines a descriptor entry with a static key and value." + properties: + key: + description: "Key defines the key of the descriptor entry. If not set, the\nkey is set to \"generic_key\"." + type: "string" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + remoteAddress: + description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." + type: "object" + requestHeader: + description: "RequestHeader defines a descriptor entry that's populated only if\na given header is present on the request. The descriptor key is static,\nand the descriptor value is equal to the value of the header." + properties: + descriptorKey: + description: "DescriptorKey defines the key to use on the descriptor entry." + minLength: 1 + type: "string" + headerName: + description: "HeaderName defines the name of the header to look for on the request." + minLength: 1 + type: "string" + type: "object" + requestHeaderValueMatch: + description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." + properties: + expectMatch: + default: true + description: "ExpectMatch defines whether the request must positively match the match\ncriteria in order to generate a descriptor entry (i.e. true), or not\nmatch the match criteria in order to generate a descriptor entry (i.e. false).\nThe default is true." + type: "boolean" + headers: + description: "Headers is a list of 1+ match criteria to apply against the request\nto determine whether to populate the descriptor entry or not." + items: + description: "HeaderMatchCondition specifies how to conditionally match against HTTP\nheaders. The Name field is required, only one of Present, NotPresent,\nContains, NotContains, Exact, NotExact and Regex can be set.\nFor negative matching rules only (e.g. NotContains or NotExact) you can set\nTreatMissingAsEmpty.\nIgnoreCase has no effect for Regex." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe header value." + type: "string" + exact: + description: "Exact specifies a string that the header value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the header to match against. Name is required.\nHeader names are case insensitive." + type: "string" + notcontains: + description: "NotContains specifies a substring that must not be present\nin the header value." + type: "string" + notexact: + description: "NoExact specifies a string that the header value must not be\nequal to. The condition is true if the header has any other value." + type: "string" + notpresent: + description: "NotPresent specifies that condition is true when the named header\nis not present. Note that setting NotPresent to false does not\nmake the condition true if the named header is present." + type: "boolean" + present: + description: "Present specifies that condition is true when the named header\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named header\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the header\nvalue." + type: "string" + treatMissingAsEmpty: + description: "TreatMissingAsEmpty specifies if the header match rule specified header\ndoes not exist, this header value will be treated as empty. Defaults to false.\nUnlike the underlying Envoy implementation this is **only** supported for\nnegative matches (e.g. NotContains, NotExact)." + type: "boolean" + required: + - "name" + type: "object" + minItems: 1 + type: "array" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + type: "object" + minItems: 1 + type: "array" + type: "object" + minItems: 1 + type: "array" + disabled: + description: "Disabled configures the HTTPProxy to not use\nthe default global rate limit policy defined by the Contour configuration." + type: "boolean" + type: "object" + domain: + description: "Domain is passed to the Rate Limit Service." + type: "string" + enableResourceExhaustedCode: + description: "EnableResourceExhaustedCode enables translating error code 429 to\ngrpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE" + type: "boolean" + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include the X-RateLimit\nheaders X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset\n(as defined by the IETF Internet-Draft linked below), on responses\nto clients when the Rate Limit Service is consulted for a request.\nref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: "boolean" + extensionService: + description: "ExtensionService identifies the extension service defining the RLS." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + failOpen: + description: "FailOpen defines whether to allow requests to proceed when the\nRate Limit Service fails to respond with a valid rate limit\ndecision within the timeout defined on the extension service." + type: "boolean" + required: + - "extensionService" + type: "object" + tracing: + description: "Tracing defines properties for exporting trace data to OpenTelemetry." + properties: + customTags: + description: "CustomTags defines a list of custom tags with unique tag name." + items: + description: "CustomTag defines custom tags with unique tag name\nto create tags for the active span." + properties: + literal: + description: "Literal is a static custom tag value.\nPrecisely one of Literal, RequestHeaderName must be set." + type: "string" + requestHeaderName: + description: "RequestHeaderName indicates which request header\nthe label value is obtained from.\nPrecisely one of Literal, RequestHeaderName must be set." + type: "string" + tagName: + description: "TagName is the unique name of the custom tag." + type: "string" + required: + - "tagName" + type: "object" + type: "array" + extensionService: + description: "ExtensionService identifies the extension service defining the otel-collector." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + includePodDetail: + description: "IncludePodDetail defines a flag.\nIf it is true, contour will add the pod name and namespace to the span of the trace.\nthe default is true.\nNote: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly." + type: "boolean" + maxPathTagLength: + description: "MaxPathTagLength defines maximum length of the request path\nto extract and include in the HttpUrl tag.\ncontour's default is 256." + format: "int32" + type: "integer" + overallSampling: + description: "OverallSampling defines the sampling rate of trace data.\ncontour's default is 100." + type: "string" + serviceName: + description: "ServiceName defines the name for the service.\ncontour's default is contour." + type: "string" + required: + - "extensionService" + type: "object" + xdsServer: + description: "XDSServer contains parameters for the xDS server." + properties: + address: + description: "Defines the xDS gRPC API address which Contour will serve.\nContour's default is \"0.0.0.0\"." + minLength: 1 + type: "string" + port: + description: "Defines the xDS gRPC API port which Contour will serve.\nContour's default is 8001." + type: "integer" + tls: + description: "TLS holds TLS file config details.\nContour's default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", keyFile: \"/certs/tls.key\", insecure: false }." + properties: + caFile: + description: "CA filename." + type: "string" + certFile: + description: "Client certificate filename." + type: "string" + insecure: + description: "Allow serving the xDS gRPC API without TLS." + type: "boolean" + keyFile: + description: "Client key filename." + type: "string" + type: "object" + type: + description: "Defines the XDSServer to use for `contour serve`.\nValues: `contour` (default), `envoy`.\nOther values will produce an error." + type: "string" + type: "object" + type: "object" + status: + description: "ContourConfigurationStatus defines the observed state of a ContourConfiguration resource." + properties: + conditions: + description: "Conditions contains the current status of the Contour resource.\nContour will update a single condition, `Valid`, that is in normal-true polarity.\nContour will not modify any other Conditions set in this block,\nin case some other controller wants to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes conditions, with two extra\nfields to hold sub-conditions, which provide more detailed reasons for the state (True or False)\nof the condition.\n`errors` holds information about sub-conditions which are fatal to that condition and render its state False.\n`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.\nRemember that Conditions have a type, a status, and a reason.\nThe type is the type of the condition, the most important one in this CRD set is `Valid`.\n`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.\nIn more detail, `status: true` means that the object is has been ingested into Contour with no errors.\n`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`\nslice in this case.\n`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.\nThe details of the errors will be present under the `errors` field. There must be at least one error in the `errors`\nslice if `status` is `false`.\nFor DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.\nWhen they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.\nWhen they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.\nIn either case, there may be entries in the `warnings` slice.\nRegardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason\n(if there is one and only one entry in total across both the `errors` and `warnings` slices), or\n`MultipleReasons` if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.\nAn empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + lastTransitionTime: + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + format: "date-time" + type: "string" + message: + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + observedGeneration: + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." + format: "int64" + minimum: 0.0 + type: "integer" + reason: + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + warnings: + description: "Warnings contains a slice of relevant warning subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.\nAn empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + required: + - "lastTransitionTime" + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + x-kubernetes-list-map-keys: + - "type" + x-kubernetes-list-type: "map" + type: "object" + required: + - "spec" + type: "object" + served: true + storage: true + subresources: + status: {} diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.args b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.args new file mode 100644 index 000000000..7ab47510b --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.args @@ -0,0 +1 @@ +--derive=PartialEq diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml new file mode 100644 index 000000000..a89a48cd1 --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml @@ -0,0 +1,2115 @@ +apiVersion: "apiextensions.k8s.io/v1" +kind: "CustomResourceDefinition" +metadata: + annotations: + controller-gen.kubebuilder.io/version: "v0.14.0" + name: "contourdeployments.projectcontour.io" +spec: + group: "projectcontour.io" + names: + kind: "ContourDeployment" + listKind: "ContourDeploymentList" + plural: "contourdeployments" + shortNames: + - "contourdeploy" + singular: "contourdeployment" + preserveUnknownFields: false + scope: "Namespaced" + versions: + - name: "v1alpha1" + schema: + openAPIV3Schema: + description: "ContourDeployment is the schema for a Contour Deployment." + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + kind: + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + metadata: + type: "object" + spec: + description: "ContourDeploymentSpec specifies options for how a Contour\ninstance should be provisioned." + properties: + contour: + description: "Contour specifies deployment-time settings for the Contour\npart of the installation, i.e. the xDS server/control plane\nand associated resources, including things like replica count\nfor the Deployment, and node placement constraints for the pods." + properties: + deployment: + description: "Deployment describes the settings for running contour as a `Deployment`." + properties: + replicas: + description: "Replicas is the desired number of replicas." + format: "int32" + minimum: 0.0 + type: "integer" + strategy: + description: "Strategy describes the deployment strategy to use to replace existing pods with new pods." + properties: + rollingUpdate: + description: "Rolling update config params. Present only if DeploymentStrategyType =\nRollingUpdate.\n---\nTODO: Update this to follow our convention for oneOf, whatever we decide it\nto be." + properties: + maxSurge: + anyOf: + - type: "integer" + - type: "string" + description: "The maximum number of pods that can be scheduled above the desired number of\npods.\nValue can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).\nThis can not be 0 if MaxUnavailable is 0.\nAbsolute number is calculated from percentage by rounding up.\nDefaults to 25%.\nExample: when this is set to 30%, the new ReplicaSet can be scaled up immediately when\nthe rolling update starts, such that the total number of old and new pods do not exceed\n130% of desired pods. Once old pods have been killed,\nnew ReplicaSet can be scaled up further, ensuring that total number of pods running\nat any time during the update is at most 130% of desired pods." + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: "integer" + - type: "string" + description: "The maximum number of pods that can be unavailable during the update.\nValue can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).\nAbsolute number is calculated from percentage by rounding down.\nThis can not be 0 if MaxSurge is 0.\nDefaults to 25%.\nExample: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods\nimmediately when the rolling update starts. Once new pods are ready, old ReplicaSet\ncan be scaled down further, followed by scaling up the new ReplicaSet, ensuring\nthat the total number of pods available at all times during the update is at\nleast 70% of desired pods." + x-kubernetes-int-or-string: true + type: "object" + type: + description: "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate." + type: "string" + type: "object" + type: "object" + disabledFeatures: + description: "DisabledFeatures defines an array of resources that will be ignored by\ncontour reconciler." + items: + enum: + - "grpcroutes" + - "tlsroutes" + - "extensionservices" + - "backendtlspolicies" + type: "string" + maxItems: 42 + minItems: 1 + type: "array" + kubernetesLogLevel: + description: "KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset,\ndefaults to 0." + maximum: 9.0 + minimum: 0.0 + type: "integer" + logLevel: + description: "LogLevel sets the log level for Contour\nAllowed values are \"info\", \"debug\"." + type: "string" + nodePlacement: + description: "NodePlacement describes node scheduling configuration of Contour pods." + properties: + nodeSelector: + additionalProperties: + type: "string" + description: "NodeSelector is the simplest recommended form of node selection constraint\nand specifies a map of key-value pairs. For the pod to be eligible\nto run on a node, the node must have each of the indicated key-value pairs\nas labels (it can have additional labels as well).\nIf unset, the pod(s) will be scheduled to any available node." + type: "object" + tolerations: + description: "Tolerations work with taints to ensure that pods are not scheduled\nonto inappropriate nodes. One or more taints are applied to a node; this\nmarks that the node should not accept any pods that do not tolerate the\ntaints.\nThe default is an empty list.\nSee https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/\nfor additional details." + items: + description: "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator ." + properties: + effect: + description: "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute." + type: "string" + key: + description: "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys." + type: "string" + operator: + description: "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category." + type: "string" + tolerationSeconds: + description: "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system." + format: "int64" + type: "integer" + value: + description: "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string." + type: "string" + type: "object" + type: "array" + type: "object" + podAnnotations: + additionalProperties: + type: "string" + description: "PodAnnotations defines annotations to add to the Contour pods.\nthe annotations for Prometheus will be appended or overwritten with predefined value." + type: "object" + replicas: + description: "Deprecated: Use `DeploymentSettings.Replicas` instead.\nReplicas is the desired number of Contour replicas. If if unset,\ndefaults to 2.\nif both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`." + format: "int32" + minimum: 0.0 + type: "integer" + resources: + description: "Compute Resources required by contour container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\nThis is an alpha field and requires enabling the\nDynamicResourceAllocation feature gate.\nThis field is immutable. It can only be set for containers." + items: + description: "ResourceClaim references one entry in PodSpec.ResourceClaims." + properties: + name: + description: "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container." + type: "string" + required: + - "name" + type: "object" + type: "array" + x-kubernetes-list-map-keys: + - "name" + x-kubernetes-list-type: "map" + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + type: "object" + watchNamespaces: + description: "WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance\nto only watch this subset of namespaces." + items: + description: "Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.\nThis validation is based off of the corresponding Kubernetes validation:\nhttps://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187\nThis is used for Namespace name validation here:\nhttps://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63\nValid values include:\n* \"example\"\nInvalid values include:\n* \"example.com\" - \".\" is an invalid character" + maxLength: 63 + minLength: 1 + pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + type: "string" + maxItems: 42 + minItems: 1 + type: "array" + type: "object" + envoy: + description: "Envoy specifies deployment-time settings for the Envoy\npart of the installation, i.e. the xDS client/data plane\nand associated resources, including things like the workload\ntype to use (DaemonSet or Deployment), node placement constraints\nfor the pods, and various options for the Envoy service." + properties: + baseID: + description: "The base ID to use when allocating shared memory regions.\nif Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID\nso that the shared memory regions do not conflict.\ndefaults to 0." + format: "int32" + minimum: 0.0 + type: "integer" + daemonSet: + description: "DaemonSet describes the settings for running envoy as a `DaemonSet`.\nif `WorkloadType` is `Deployment`,it's must be nil" + properties: + updateStrategy: + description: "Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods." + properties: + rollingUpdate: + description: "Rolling update config params. Present only if type = \"RollingUpdate\".\n---\nTODO: Update this to follow our convention for oneOf, whatever we decide it\nto be. Same as Deployment `strategy.rollingUpdate`.\nSee https://github.com/kubernetes/kubernetes/issues/35345" + properties: + maxSurge: + anyOf: + - type: "integer" + - type: "string" + description: "The maximum number of nodes with an existing available DaemonSet pod that\ncan have an updated DaemonSet pod during during an update.\nValue can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).\nThis can not be 0 if MaxUnavailable is 0.\nAbsolute number is calculated from percentage by rounding up to a minimum of 1.\nDefault value is 0.\nExample: when this is set to 30%, at most 30% of the total number of nodes\nthat should be running the daemon pod (i.e. status.desiredNumberScheduled)\ncan have their a new pod created before the old pod is marked as deleted.\nThe update starts by launching new pods on 30% of nodes. Once an updated\npod is available (Ready for at least minReadySeconds) the old DaemonSet pod\non that node is marked deleted. If the old pod becomes unavailable for any\nreason (Ready transitions to false, is evicted, or is drained) an updated\npod is immediatedly created on that node without considering surge limits.\nAllowing surge implies the possibility that the resources consumed by the\ndaemonset on any given node can double if the readiness check fails, and\nso resource intensive daemonsets should take into account that they may\ncause evictions during disruption." + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: "integer" + - type: "string" + description: "The maximum number of DaemonSet pods that can be unavailable during the\nupdate. Value can be an absolute number (ex: 5) or a percentage of total\nnumber of DaemonSet pods at the start of the update (ex: 10%). Absolute\nnumber is calculated from percentage by rounding up.\nThis cannot be 0 if MaxSurge is 0\nDefault value is 1.\nExample: when this is set to 30%, at most 30% of the total number of nodes\nthat should be running the daemon pod (i.e. status.desiredNumberScheduled)\ncan have their pods stopped for an update at any given time. The update\nstarts by stopping at most 30% of those DaemonSet pods and then brings\nup new DaemonSet pods in their place. Once the new pods are available,\nit then proceeds onto other DaemonSet pods, thus ensuring that at least\n70% of original number of DaemonSet pods are available at all times during\nthe update." + x-kubernetes-int-or-string: true + type: "object" + type: + description: "Type of daemon set update. Can be \"RollingUpdate\" or \"OnDelete\". Default is RollingUpdate." + type: "string" + type: "object" + type: "object" + deployment: + description: "Deployment describes the settings for running envoy as a `Deployment`.\nif `WorkloadType` is `DaemonSet`,it's must be nil" + properties: + replicas: + description: "Replicas is the desired number of replicas." + format: "int32" + minimum: 0.0 + type: "integer" + strategy: + description: "Strategy describes the deployment strategy to use to replace existing pods with new pods." + properties: + rollingUpdate: + description: "Rolling update config params. Present only if DeploymentStrategyType =\nRollingUpdate.\n---\nTODO: Update this to follow our convention for oneOf, whatever we decide it\nto be." + properties: + maxSurge: + anyOf: + - type: "integer" + - type: "string" + description: "The maximum number of pods that can be scheduled above the desired number of\npods.\nValue can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).\nThis can not be 0 if MaxUnavailable is 0.\nAbsolute number is calculated from percentage by rounding up.\nDefaults to 25%.\nExample: when this is set to 30%, the new ReplicaSet can be scaled up immediately when\nthe rolling update starts, such that the total number of old and new pods do not exceed\n130% of desired pods. Once old pods have been killed,\nnew ReplicaSet can be scaled up further, ensuring that total number of pods running\nat any time during the update is at most 130% of desired pods." + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: "integer" + - type: "string" + description: "The maximum number of pods that can be unavailable during the update.\nValue can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).\nAbsolute number is calculated from percentage by rounding down.\nThis can not be 0 if MaxSurge is 0.\nDefaults to 25%.\nExample: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods\nimmediately when the rolling update starts. Once new pods are ready, old ReplicaSet\ncan be scaled down further, followed by scaling up the new ReplicaSet, ensuring\nthat the total number of pods available at all times during the update is at\nleast 70% of desired pods." + x-kubernetes-int-or-string: true + type: "object" + type: + description: "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate." + type: "string" + type: "object" + type: "object" + extraVolumeMounts: + description: "ExtraVolumeMounts holds the extra volume mounts to add (normally used with extraVolumes)." + items: + description: "VolumeMount describes a mounting of a Volume within a container." + properties: + mountPath: + description: "Path within the container at which the volume should be mounted. Must\nnot contain ':'." + type: "string" + mountPropagation: + description: "mountPropagation determines how mounts are propagated from the host\nto container and the other way around.\nWhen not set, MountPropagationNone is used.\nThis field is beta in 1.10." + type: "string" + name: + description: "This must match the Name of a Volume." + type: "string" + readOnly: + description: "Mounted read-only if true, read-write otherwise (false or unspecified).\nDefaults to false." + type: "boolean" + subPath: + description: "Path within the volume from which the container's volume should be mounted.\nDefaults to \"\" (volume's root)." + type: "string" + subPathExpr: + description: "Expanded path within the volume from which the container's volume should be mounted.\nBehaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.\nDefaults to \"\" (volume's root).\nSubPathExpr and SubPath are mutually exclusive." + type: "string" + required: + - "mountPath" + - "name" + type: "object" + type: "array" + extraVolumes: + description: "ExtraVolumes holds the extra volumes to add." + items: + description: "Volume represents a named volume in a pod that may be accessed by any container in the pod." + properties: + awsElasticBlockStore: + description: "awsElasticBlockStore represents an AWS Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + properties: + fsType: + description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore\nTODO: how do we prevent errors in the filesystem from compromising the machine" + type: "string" + partition: + description: "partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty)." + format: "int32" + type: "integer" + readOnly: + description: "readOnly value true will force the readOnly setting in VolumeMounts.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + type: "boolean" + volumeID: + description: "volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + type: "string" + required: + - "volumeID" + type: "object" + azureDisk: + description: "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + properties: + cachingMode: + description: "cachingMode is the Host Caching mode: None, Read Only, Read Write." + type: "string" + diskName: + description: "diskName is the Name of the data disk in the blob storage" + type: "string" + diskURI: + description: "diskURI is the URI of data disk in the blob storage" + type: "string" + fsType: + description: "fsType is Filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified." + type: "string" + kind: + description: "kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared" + type: "string" + readOnly: + description: "readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." + type: "boolean" + required: + - "diskName" + - "diskURI" + type: "object" + azureFile: + description: "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + properties: + readOnly: + description: "readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." + type: "boolean" + secretName: + description: "secretName is the name of secret that contains Azure Storage Account Name and Key" + type: "string" + shareName: + description: "shareName is the azure share Name" + type: "string" + required: + - "secretName" + - "shareName" + type: "object" + cephfs: + description: "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + properties: + monitors: + description: "monitors is Required: Monitors is a collection of Ceph monitors\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it" + items: + type: "string" + type: "array" + path: + description: "path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /" + type: "string" + readOnly: + description: "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it" + type: "boolean" + secretFile: + description: "secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it" + type: "string" + secretRef: + description: "secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it" + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + user: + description: "user is optional: User is the rados user name, default is admin\nMore info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it" + type: "string" + required: + - "monitors" + type: "object" + cinder: + description: "cinder represents a cinder volume attached and mounted on kubelets host machine.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md" + properties: + fsType: + description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md" + type: "string" + readOnly: + description: "readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md" + type: "boolean" + secretRef: + description: "secretRef is optional: points to a secret object containing parameters used to connect\nto OpenStack." + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + volumeID: + description: "volumeID used to identify the volume in cinder.\nMore info: https://examples.k8s.io/mysql-cinder-pd/README.md" + type: "string" + required: + - "volumeID" + type: "object" + configMap: + description: "configMap represents a configMap that should populate this volume" + properties: + defaultMode: + description: "defaultMode is optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + items: + description: "items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'." + items: + description: "Maps a string key to a path within a volume." + properties: + key: + description: "key is the key to project." + type: "string" + mode: + description: "mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + path: + description: "path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'." + type: "string" + required: + - "key" + - "path" + type: "object" + type: "array" + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + optional: + description: "optional specify whether the ConfigMap or its keys must be defined" + type: "boolean" + type: "object" + x-kubernetes-map-type: "atomic" + csi: + description: "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + properties: + driver: + description: "driver is the name of the CSI driver that handles this volume.\nConsult with your admin for the correct name as registered in the cluster." + type: "string" + fsType: + description: "fsType to mount. Ex. \"ext4\", \"xfs\", \"ntfs\".\nIf not provided, the empty value is passed to the associated CSI driver\nwhich will determine the default filesystem to apply." + type: "string" + nodePublishSecretRef: + description: "nodePublishSecretRef is a reference to the secret object containing\nsensitive information to pass to the CSI driver to complete the CSI\nNodePublishVolume and NodeUnpublishVolume calls.\nThis field is optional, and may be empty if no secret is required. If the\nsecret object contains more than one secret, all secret references are passed." + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + readOnly: + description: "readOnly specifies a read-only configuration for the volume.\nDefaults to false (read/write)." + type: "boolean" + volumeAttributes: + additionalProperties: + type: "string" + description: "volumeAttributes stores driver-specific properties that are passed to the CSI\ndriver. Consult your driver's documentation for supported values." + type: "object" + required: + - "driver" + type: "object" + downwardAPI: + description: "downwardAPI represents downward API about the pod that should populate this volume" + properties: + defaultMode: + description: "Optional: mode bits to use on created files by default. Must be a\nOptional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDefaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + items: + description: "Items is a list of downward API volume file" + items: + description: "DownwardAPIVolumeFile represents information to create the file containing the pod field" + properties: + fieldRef: + description: "Required: Selects a field of the pod: only annotations, labels, name and namespace are supported." + properties: + apiVersion: + description: "Version of the schema the FieldPath is written in terms of, defaults to \"v1\"." + type: "string" + fieldPath: + description: "Path of the field to select in the specified API version." + type: "string" + required: + - "fieldPath" + type: "object" + x-kubernetes-map-type: "atomic" + mode: + description: "Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + path: + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" + type: "string" + resourceFieldRef: + description: "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported." + properties: + containerName: + description: "Container name: required for volumes, optional for env vars" + type: "string" + divisor: + anyOf: + - type: "integer" + - type: "string" + description: "Specifies the output format of the exposed resources, defaults to \"1\"" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + resource: + description: "Required: resource to select" + type: "string" + required: + - "resource" + type: "object" + x-kubernetes-map-type: "atomic" + required: + - "path" + type: "object" + type: "array" + type: "object" + emptyDir: + description: "emptyDir represents a temporary directory that shares a pod's lifetime.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir" + properties: + medium: + description: "medium represents what type of storage medium should back this directory.\nThe default is \"\" which means to use the node's default medium.\nMust be an empty string (default) or Memory.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir" + type: "string" + sizeLimit: + anyOf: + - type: "integer" + - type: "string" + description: "sizeLimit is the total amount of local storage required for this EmptyDir volume.\nThe size limit is also applicable for memory medium.\nThe maximum usage on memory medium EmptyDir would be the minimum value between\nthe SizeLimit specified here and the sum of memory limits of all containers in a pod.\nThe default is nil which means that the limit is undefined.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + type: "object" + ephemeral: + description: "ephemeral represents a volume that is handled by a cluster storage driver.\nThe volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,\nand deleted when the pod is removed.\nUse this if:\na) the volume is only needed while the pod runs,\nb) features of normal volumes like restoring from snapshot or capacity\n tracking are needed,\nc) the storage driver is specified through a storage class, and\nd) the storage driver supports dynamic volume provisioning through\n a PersistentVolumeClaim (see EphemeralVolumeSource for more\n information on the connection between this volume type\n and PersistentVolumeClaim).\nUse PersistentVolumeClaim or one of the vendor-specific\nAPIs for volumes that persist for longer than the lifecycle\nof an individual pod.\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to\nbe used that way - see the documentation of the driver for\nmore information.\nA pod can use both types of ephemeral volumes and\npersistent volumes at the same time." + properties: + volumeClaimTemplate: + description: "Will be used to create a stand-alone PVC to provision the volume.\nThe pod in which this EphemeralVolumeSource is embedded will be the\nowner of the PVC, i.e. the PVC will be deleted together with the\npod. The name of the PVC will be `-` where\n`` is the name from the `PodSpec.Volumes` array\nentry. Pod validation will reject the pod if the concatenated name\nis not valid for a PVC (for example, too long).\nAn existing PVC with that name that is not owned by the pod\nwill *not* be used for the pod to avoid using an unrelated\nvolume by mistake. Starting the pod is then blocked until\nthe unrelated PVC is removed. If such a pre-created PVC is\nmeant to be used by the pod, the PVC has to updated with an\nowner reference to the pod once the pod exists. Normally\nthis should not be necessary, but it may be useful when\nmanually reconstructing a broken cluster.\nThis field is read-only and no changes will be made by Kubernetes\nto the PVC after it has been created.\nRequired, must not be nil." + properties: + metadata: + description: "May contain labels and annotations that will be copied into the PVC\nwhen creating it. No other fields are allowed and will be rejected during\nvalidation." + type: "object" + spec: + description: "The specification for the PersistentVolumeClaim. The entire content is\ncopied unchanged into the PVC that gets created from this\ntemplate. The same fields as in a PersistentVolumeClaim\nare also valid here." + properties: + accessModes: + description: "accessModes contains the desired access modes the volume should have.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1" + items: + type: "string" + type: "array" + dataSource: + description: "dataSource field can be used to specify either:\n* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)\n* An existing PVC (PersistentVolumeClaim)\nIf the provisioner or an external controller can support the specified data source,\nit will create a new volume based on the contents of the specified data source.\nWhen the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,\nand dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.\nIf the namespace is specified, then dataSourceRef will not be copied to dataSource." + properties: + apiGroup: + description: "APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required." + type: "string" + kind: + description: "Kind is the type of resource being referenced" + type: "string" + name: + description: "Name is the name of resource being referenced" + type: "string" + required: + - "kind" + - "name" + type: "object" + x-kubernetes-map-type: "atomic" + dataSourceRef: + description: "dataSourceRef specifies the object from which to populate the volume with data, if a non-empty\nvolume is desired. This may be any object from a non-empty API group (non\ncore object) or a PersistentVolumeClaim object.\nWhen this field is specified, volume binding will only succeed if the type of\nthe specified object matches some installed volume populator or dynamic\nprovisioner.\nThis field will replace the functionality of the dataSource field and as such\nif both fields are non-empty, they must have the same value. For backwards\ncompatibility, when namespace isn't specified in dataSourceRef,\nboth fields (dataSource and dataSourceRef) will be set to the same\nvalue automatically if one of them is empty and the other is non-empty.\nWhen namespace is specified in dataSourceRef,\ndataSource isn't set to the same value and must be empty.\nThere are three important differences between dataSource and dataSourceRef:\n* While dataSource only allows two specific types of objects, dataSourceRef\n allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n preserves all values, and generates an error if a disallowed value is\n specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.\n(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled." + properties: + apiGroup: + description: "APIGroup is the group for the resource being referenced.\nIf APIGroup is not specified, the specified Kind must be in the core API group.\nFor any other third-party types, APIGroup is required." + type: "string" + kind: + description: "Kind is the type of resource being referenced" + type: "string" + name: + description: "Name is the name of resource being referenced" + type: "string" + namespace: + description: "Namespace is the namespace of resource being referenced\nNote that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.\n(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled." + type: "string" + required: + - "kind" + - "name" + type: "object" + resources: + description: "resources represents the minimum resources the volume should have.\nIf RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements\nthat are lower than previous value but must still be higher than capacity recorded in the\nstatus field of the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources" + properties: + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + type: "object" + selector: + description: "selector is a label query over volumes to consider for binding." + properties: + matchExpressions: + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: + description: "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values." + properties: + key: + description: "key is the label key that the selector applies to." + type: "string" + operator: + description: "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + values: + description: "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch." + items: + type: "string" + type: "array" + required: + - "key" + - "operator" + type: "object" + type: "array" + matchLabels: + additionalProperties: + type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + storageClassName: + description: "storageClassName is the name of the StorageClass required by the claim.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1" + type: "string" + volumeAttributesClassName: + description: "volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.\nIf specified, the CSI driver will create or update the volume with the attributes defined\nin the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,\nit can be changed after the claim is created. An empty string value means that no VolumeAttributesClass\nwill be applied to the claim but it's not allowed to reset this field to empty string once it is set.\nIf unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass\nwill be set by the persistentvolume controller if it exists.\nIf the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be\nset to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource\nexists.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass\n(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled." + type: "string" + volumeMode: + description: "volumeMode defines what type of volume is required by the claim.\nValue of Filesystem is implied when not included in claim spec." + type: "string" + volumeName: + description: "volumeName is the binding reference to the PersistentVolume backing this claim." + type: "string" + type: "object" + required: + - "spec" + type: "object" + type: "object" + fc: + description: "fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod." + properties: + fsType: + description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nTODO: how do we prevent errors in the filesystem from compromising the machine" + type: "string" + lun: + description: "lun is Optional: FC target lun number" + format: "int32" + type: "integer" + readOnly: + description: "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." + type: "boolean" + targetWWNs: + description: "targetWWNs is Optional: FC target worldwide names (WWNs)" + items: + type: "string" + type: "array" + wwids: + description: "wwids Optional: FC volume world wide identifiers (wwids)\nEither wwids or combination of targetWWNs and lun must be set, but not both simultaneously." + items: + type: "string" + type: "array" + type: "object" + flexVolume: + description: "flexVolume represents a generic volume resource that is\nprovisioned/attached using an exec based plugin." + properties: + driver: + description: "driver is the name of the driver to use for this volume." + type: "string" + fsType: + description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script." + type: "string" + options: + additionalProperties: + type: "string" + description: "options is Optional: this field holds extra command options if any." + type: "object" + readOnly: + description: "readOnly is Optional: defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." + type: "boolean" + secretRef: + description: "secretRef is Optional: secretRef is reference to the secret object containing\nsensitive information to pass to the plugin scripts. This may be\nempty if no secret object is specified. If the secret object\ncontains more than one secret, all secrets are passed to the plugin\nscripts." + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + required: + - "driver" + type: "object" + flocker: + description: "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + properties: + datasetName: + description: "datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker\nshould be considered as deprecated" + type: "string" + datasetUUID: + description: "datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset" + type: "string" + type: "object" + gcePersistentDisk: + description: "gcePersistentDisk represents a GCE Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + properties: + fsType: + description: "fsType is filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk\nTODO: how do we prevent errors in the filesystem from compromising the machine" + type: "string" + partition: + description: "partition is the partition in the volume that you want to mount.\nIf omitted, the default is to mount by volume name.\nExamples: For volume /dev/sda1, you specify the partition as \"1\".\nSimilarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + format: "int32" + type: "integer" + pdName: + description: "pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + type: "string" + readOnly: + description: "readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + type: "boolean" + required: + - "pdName" + type: "object" + gitRepo: + description: "gitRepo represents a git repository at a particular revision.\nDEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an\nEmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir\ninto the Pod's container." + properties: + directory: + description: "directory is the target directory name.\nMust not contain or start with '..'. If '.' is supplied, the volume directory will be the\ngit repository. Otherwise, if specified, the volume will contain the git repository in\nthe subdirectory with the given name." + type: "string" + repository: + description: "repository is the URL" + type: "string" + revision: + description: "revision is the commit hash for the specified revision." + type: "string" + required: + - "repository" + type: "object" + glusterfs: + description: "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md" + properties: + endpoints: + description: "endpoints is the endpoint name that details Glusterfs topology.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod" + type: "string" + path: + description: "path is the Glusterfs volume path.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod" + type: "string" + readOnly: + description: "readOnly here will force the Glusterfs volume to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod" + type: "boolean" + required: + - "endpoints" + - "path" + type: "object" + hostPath: + description: "hostPath represents a pre-existing file or directory on the host\nmachine that is directly exposed to the container. This is generally\nused for system agents or other privileged things that are allowed\nto see the host machine. Most containers will NOT need this.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath\n---\nTODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not\nmount host directories as read/write." + properties: + path: + description: "path of the directory on the host.\nIf the path is a symlink, it will follow the link to the real path.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath" + type: "string" + type: + description: "type for HostPath Volume\nDefaults to \"\"\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath" + type: "string" + required: + - "path" + type: "object" + iscsi: + description: "iscsi represents an ISCSI Disk resource that is attached to a\nkubelet's host machine and then exposed to the pod.\nMore info: https://examples.k8s.io/volumes/iscsi/README.md" + properties: + chapAuthDiscovery: + description: "chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication" + type: "boolean" + chapAuthSession: + description: "chapAuthSession defines whether support iSCSI Session CHAP authentication" + type: "boolean" + fsType: + description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi\nTODO: how do we prevent errors in the filesystem from compromising the machine" + type: "string" + initiatorName: + description: "initiatorName is the custom iSCSI Initiator Name.\nIf initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface\n: will be created for the connection." + type: "string" + iqn: + description: "iqn is the target iSCSI Qualified Name." + type: "string" + iscsiInterface: + description: "iscsiInterface is the interface Name that uses an iSCSI transport.\nDefaults to 'default' (tcp)." + type: "string" + lun: + description: "lun represents iSCSI Target Lun number." + format: "int32" + type: "integer" + portals: + description: "portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260)." + items: + type: "string" + type: "array" + readOnly: + description: "readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false." + type: "boolean" + secretRef: + description: "secretRef is the CHAP Secret for iSCSI target and initiator authentication" + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + targetPortal: + description: "targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port\nis other than default (typically TCP ports 860 and 3260)." + type: "string" + required: + - "iqn" + - "lun" + - "targetPortal" + type: "object" + name: + description: "name of the volume.\nMust be a DNS_LABEL and unique within the pod.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + type: "string" + nfs: + description: "nfs represents an NFS mount on the host that shares a pod's lifetime\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs" + properties: + path: + description: "path that is exported by the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs" + type: "string" + readOnly: + description: "readOnly here will force the NFS export to be mounted with read-only permissions.\nDefaults to false.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs" + type: "boolean" + server: + description: "server is the hostname or IP address of the NFS server.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#nfs" + type: "string" + required: + - "path" + - "server" + type: "object" + persistentVolumeClaim: + description: "persistentVolumeClaimVolumeSource represents a reference to a\nPersistentVolumeClaim in the same namespace.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims" + properties: + claimName: + description: "claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims" + type: "string" + readOnly: + description: "readOnly Will force the ReadOnly setting in VolumeMounts.\nDefault false." + type: "boolean" + required: + - "claimName" + type: "object" + photonPersistentDisk: + description: "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + properties: + fsType: + description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified." + type: "string" + pdID: + description: "pdID is the ID that identifies Photon Controller persistent disk" + type: "string" + required: + - "pdID" + type: "object" + portworxVolume: + description: "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + properties: + fsType: + description: "fSType represents the filesystem type to mount\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified." + type: "string" + readOnly: + description: "readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." + type: "boolean" + volumeID: + description: "volumeID uniquely identifies a Portworx volume" + type: "string" + required: + - "volumeID" + type: "object" + projected: + description: "projected items for all in one resources secrets, configmaps, and downward API" + properties: + defaultMode: + description: "defaultMode are the mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + sources: + description: "sources is the list of volume projections" + items: + description: "Projection that may be projected along with other supported volume types" + properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field\nof ClusterTrustBundle objects in an auto-updating file.\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\nClusterTrustBundle objects can either be selected by name, or by the\ncombination of signer name and a label selector.\nKubelet performs aggressive normalization of the PEM contents written\ninto the pod filesystem. Esoteric PEM features such as inter-block\ncomments and block headers are stripped. Certificates are deduplicated.\nThe ordering of certificates within the file is arbitrary, and Kubelet\nmay change the order over time." + properties: + labelSelector: + description: "Select all ClusterTrustBundles that match this label selector. Only has\neffect if signerName is set. Mutually-exclusive with name. If unset,\ninterpreted as \"match nothing\". If set but empty, interpreted as \"match\neverything\"." + properties: + matchExpressions: + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: + description: "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values." + properties: + key: + description: "key is the label key that the selector applies to." + type: "string" + operator: + description: "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + values: + description: "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch." + items: + type: "string" + type: "array" + required: + - "key" + - "operator" + type: "object" + type: "array" + matchLabels: + additionalProperties: + type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + type: "object" + x-kubernetes-map-type: "atomic" + name: + description: "Select a single ClusterTrustBundle by object name. Mutually-exclusive\nwith signerName and labelSelector." + type: "string" + optional: + description: "If true, don't block pod startup if the referenced ClusterTrustBundle(s)\naren't available. If using name, then the named ClusterTrustBundle is\nallowed not to exist. If using signerName, then the combination of\nsignerName and labelSelector is allowed to match zero\nClusterTrustBundles." + type: "boolean" + path: + description: "Relative path from the volume root to write the bundle." + type: "string" + signerName: + description: "Select all ClusterTrustBundles that match this signer name.\nMutually-exclusive with name. The contents of all selected\nClusterTrustBundles will be unified and deduplicated." + type: "string" + required: + - "path" + type: "object" + configMap: + description: "configMap information about the configMap data to project" + properties: + items: + description: "items if unspecified, each key-value pair in the Data field of the referenced\nConfigMap will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the ConfigMap,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'." + items: + description: "Maps a string key to a path within a volume." + properties: + key: + description: "key is the key to project." + type: "string" + mode: + description: "mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + path: + description: "path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'." + type: "string" + required: + - "key" + - "path" + type: "object" + type: "array" + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + optional: + description: "optional specify whether the ConfigMap or its keys must be defined" + type: "boolean" + type: "object" + x-kubernetes-map-type: "atomic" + downwardAPI: + description: "downwardAPI information about the downwardAPI data to project" + properties: + items: + description: "Items is a list of DownwardAPIVolume file" + items: + description: "DownwardAPIVolumeFile represents information to create the file containing the pod field" + properties: + fieldRef: + description: "Required: Selects a field of the pod: only annotations, labels, name and namespace are supported." + properties: + apiVersion: + description: "Version of the schema the FieldPath is written in terms of, defaults to \"v1\"." + type: "string" + fieldPath: + description: "Path of the field to select in the specified API version." + type: "string" + required: + - "fieldPath" + type: "object" + x-kubernetes-map-type: "atomic" + mode: + description: "Optional: mode bits used to set permissions on this file, must be an octal value\nbetween 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + path: + description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'" + type: "string" + resourceFieldRef: + description: "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported." + properties: + containerName: + description: "Container name: required for volumes, optional for env vars" + type: "string" + divisor: + anyOf: + - type: "integer" + - type: "string" + description: "Specifies the output format of the exposed resources, defaults to \"1\"" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + resource: + description: "Required: resource to select" + type: "string" + required: + - "resource" + type: "object" + x-kubernetes-map-type: "atomic" + required: + - "path" + type: "object" + type: "array" + type: "object" + secret: + description: "secret information about the secret data to project" + properties: + items: + description: "items if unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'." + items: + description: "Maps a string key to a path within a volume." + properties: + key: + description: "key is the key to project." + type: "string" + mode: + description: "mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + path: + description: "path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'." + type: "string" + required: + - "key" + - "path" + type: "object" + type: "array" + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + optional: + description: "optional field specify whether the Secret or its key must be defined" + type: "boolean" + type: "object" + x-kubernetes-map-type: "atomic" + serviceAccountToken: + description: "serviceAccountToken is information about the serviceAccountToken data to project" + properties: + audience: + description: "audience is the intended audience of the token. A recipient of a token\nmust identify itself with an identifier specified in the audience of the\ntoken, and otherwise should reject the token. The audience defaults to the\nidentifier of the apiserver." + type: "string" + expirationSeconds: + description: "expirationSeconds is the requested duration of validity of the service\naccount token. As the token approaches expiration, the kubelet volume\nplugin will proactively rotate the service account token. The kubelet will\nstart trying to rotate the token if the token is older than 80 percent of\nits time to live or if the token is older than 24 hours.Defaults to 1 hour\nand must be at least 10 minutes." + format: "int64" + type: "integer" + path: + description: "path is the path relative to the mount point of the file to project the\ntoken into." + type: "string" + required: + - "path" + type: "object" + type: "object" + type: "array" + type: "object" + quobyte: + description: "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + properties: + group: + description: "group to map volume access to\nDefault is no group" + type: "string" + readOnly: + description: "readOnly here will force the Quobyte volume to be mounted with read-only permissions.\nDefaults to false." + type: "boolean" + registry: + description: "registry represents a single or multiple Quobyte Registry services\nspecified as a string as host:port pair (multiple entries are separated with commas)\nwhich acts as the central registry for volumes" + type: "string" + tenant: + description: "tenant owning the given Quobyte volume in the Backend\nUsed with dynamically provisioned Quobyte volumes, value is set by the plugin" + type: "string" + user: + description: "user to map volume access to\nDefaults to serivceaccount user" + type: "string" + volume: + description: "volume is a string that references an already created Quobyte volume by name." + type: "string" + required: + - "registry" + - "volume" + type: "object" + rbd: + description: "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.\nMore info: https://examples.k8s.io/volumes/rbd/README.md" + properties: + fsType: + description: "fsType is the filesystem type of the volume that you want to mount.\nTip: Ensure that the filesystem type is supported by the host operating system.\nExamples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#rbd\nTODO: how do we prevent errors in the filesystem from compromising the machine" + type: "string" + image: + description: "image is the rados image name.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" + type: "string" + keyring: + description: "keyring is the path to key ring for RBDUser.\nDefault is /etc/ceph/keyring.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" + type: "string" + monitors: + description: "monitors is a collection of Ceph monitors.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" + items: + type: "string" + type: "array" + pool: + description: "pool is the rados pool name.\nDefault is rbd.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" + type: "string" + readOnly: + description: "readOnly here will force the ReadOnly setting in VolumeMounts.\nDefaults to false.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" + type: "boolean" + secretRef: + description: "secretRef is name of the authentication secret for RBDUser. If provided\noverrides keyring.\nDefault is nil.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + user: + description: "user is the rados user name.\nDefault is admin.\nMore info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it" + type: "string" + required: + - "image" + - "monitors" + type: "object" + scaleIO: + description: "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + properties: + fsType: + description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\".\nDefault is \"xfs\"." + type: "string" + gateway: + description: "gateway is the host address of the ScaleIO API Gateway." + type: "string" + protectionDomain: + description: "protectionDomain is the name of the ScaleIO Protection Domain for the configured storage." + type: "string" + readOnly: + description: "readOnly Defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." + type: "boolean" + secretRef: + description: "secretRef references to the secret for ScaleIO user and other\nsensitive information. If this is not provided, Login operation will fail." + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + sslEnabled: + description: "sslEnabled Flag enable/disable SSL communication with Gateway, default false" + type: "boolean" + storageMode: + description: "storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.\nDefault is ThinProvisioned." + type: "string" + storagePool: + description: "storagePool is the ScaleIO Storage Pool associated with the protection domain." + type: "string" + system: + description: "system is the name of the storage system as configured in ScaleIO." + type: "string" + volumeName: + description: "volumeName is the name of a volume already created in the ScaleIO system\nthat is associated with this volume source." + type: "string" + required: + - "gateway" + - "secretRef" + - "system" + type: "object" + secret: + description: "secret represents a secret that should populate this volume.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret" + properties: + defaultMode: + description: "defaultMode is Optional: mode bits used to set permissions on created files by default.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values\nfor mode bits. Defaults to 0644.\nDirectories within the path are not affected by this setting.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + items: + description: "items If unspecified, each key-value pair in the Data field of the referenced\nSecret will be projected into the volume as a file whose name is the\nkey and content is the value. If specified, the listed keys will be\nprojected into the specified paths, and unlisted keys will not be\npresent. If a key is specified which is not present in the Secret,\nthe volume setup will error unless it is marked optional. Paths must be\nrelative and may not contain the '..' path or start with '..'." + items: + description: "Maps a string key to a path within a volume." + properties: + key: + description: "key is the key to project." + type: "string" + mode: + description: "mode is Optional: mode bits used to set permissions on this file.\nMust be an octal value between 0000 and 0777 or a decimal value between 0 and 511.\nYAML accepts both octal and decimal values, JSON requires decimal values for mode bits.\nIf not specified, the volume defaultMode will be used.\nThis might be in conflict with other options that affect the file\nmode, like fsGroup, and the result can be other mode bits set." + format: "int32" + type: "integer" + path: + description: "path is the relative path of the file to map the key to.\nMay not be an absolute path.\nMay not contain the path element '..'.\nMay not start with the string '..'." + type: "string" + required: + - "key" + - "path" + type: "object" + type: "array" + optional: + description: "optional field specify whether the Secret or its keys must be defined" + type: "boolean" + secretName: + description: "secretName is the name of the secret in the pod's namespace to use.\nMore info: https://kubernetes.io/docs/concepts/storage/volumes#secret" + type: "string" + type: "object" + storageos: + description: "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + properties: + fsType: + description: "fsType is the filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified." + type: "string" + readOnly: + description: "readOnly defaults to false (read/write). ReadOnly here will force\nthe ReadOnly setting in VolumeMounts." + type: "boolean" + secretRef: + description: "secretRef specifies the secret to use for obtaining the StorageOS API\ncredentials. If not specified, default values will be attempted." + properties: + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?" + type: "string" + type: "object" + x-kubernetes-map-type: "atomic" + volumeName: + description: "volumeName is the human-readable name of the StorageOS volume. Volume\nnames are only unique within a namespace." + type: "string" + volumeNamespace: + description: "volumeNamespace specifies the scope of the volume within StorageOS. If no\nnamespace is specified then the Pod's namespace will be used. This allows the\nKubernetes name scoping to be mirrored within StorageOS for tighter integration.\nSet VolumeName to any name to override the default behaviour.\nSet to \"default\" if you are not using namespaces within StorageOS.\nNamespaces that do not pre-exist within StorageOS will be created." + type: "string" + type: "object" + vsphereVolume: + description: "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + properties: + fsType: + description: "fsType is filesystem type to mount.\nMust be a filesystem type supported by the host operating system.\nEx. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified." + type: "string" + storagePolicyID: + description: "storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName." + type: "string" + storagePolicyName: + description: "storagePolicyName is the storage Policy Based Management (SPBM) profile name." + type: "string" + volumePath: + description: "volumePath is the path that identifies vSphere volume vmdk" + type: "string" + required: + - "volumePath" + type: "object" + required: + - "name" + type: "object" + type: "array" + logLevel: + description: "LogLevel sets the log level for Envoy.\nAllowed values are \"trace\", \"debug\", \"info\", \"warn\", \"error\", \"critical\", \"off\"." + type: "string" + networkPublishing: + description: "NetworkPublishing defines how to expose Envoy to a network." + properties: + externalTrafficPolicy: + description: "ExternalTrafficPolicy describes how nodes distribute service traffic they\nreceive on one of the Service's \"externally-facing\" addresses (NodePorts, ExternalIPs,\nand LoadBalancer IPs).\nIf unset, defaults to \"Local\"." + type: "string" + ipFamilyPolicy: + description: "IPFamilyPolicy represents the dual-stack-ness requested or required by\nthis Service. If there is no value provided, then this field will be set\nto SingleStack. Services can be \"SingleStack\" (a single IP family),\n\"PreferDualStack\" (two IP families on dual-stack configured clusters or\na single IP family on single-stack clusters), or \"RequireDualStack\"\n(two IP families on dual-stack configured clusters, otherwise fail)." + type: "string" + serviceAnnotations: + additionalProperties: + type: "string" + description: "ServiceAnnotations is the annotations to add to\nthe provisioned Envoy service." + type: "object" + type: + description: "NetworkPublishingType is the type of publishing strategy to use. Valid values are:\n* LoadBalancerService\nIn this configuration, network endpoints for Envoy use container networking.\nA Kubernetes LoadBalancer Service is created to publish Envoy network\nendpoints.\nSee: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer\n* NodePortService\nPublishes Envoy network endpoints using a Kubernetes NodePort Service.\nIn this configuration, Envoy network endpoints use container networking. A Kubernetes\nNodePort Service is created to publish the network endpoints.\nSee: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport\nNOTE:\nWhen provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate\nthe Service's node port values, there's no way to auto-allocate them.\nSee: https://github.com/projectcontour/contour/issues/4499\n* ClusterIPService\nPublishes Envoy network endpoints using a Kubernetes ClusterIP Service.\nIn this configuration, Envoy network endpoints use container networking. A Kubernetes\nClusterIP Service is created to publish the network endpoints.\nSee: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types\nIf unset, defaults to LoadBalancerService." + type: "string" + type: "object" + nodePlacement: + description: "NodePlacement describes node scheduling configuration of Envoy pods." + properties: + nodeSelector: + additionalProperties: + type: "string" + description: "NodeSelector is the simplest recommended form of node selection constraint\nand specifies a map of key-value pairs. For the pod to be eligible\nto run on a node, the node must have each of the indicated key-value pairs\nas labels (it can have additional labels as well).\nIf unset, the pod(s) will be scheduled to any available node." + type: "object" + tolerations: + description: "Tolerations work with taints to ensure that pods are not scheduled\nonto inappropriate nodes. One or more taints are applied to a node; this\nmarks that the node should not accept any pods that do not tolerate the\ntaints.\nThe default is an empty list.\nSee https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/\nfor additional details." + items: + description: "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator ." + properties: + effect: + description: "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute." + type: "string" + key: + description: "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys." + type: "string" + operator: + description: "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category." + type: "string" + tolerationSeconds: + description: "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system." + format: "int64" + type: "integer" + value: + description: "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string." + type: "string" + type: "object" + type: "array" + type: "object" + overloadMaxHeapSize: + description: "OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager.\nWhen the value is greater than 0, the overload manager is enabled,\nand when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation,\nWhen it reaches 98% of the maximum heap size, Envoy Will stop accepting requests.\nMore info: https://projectcontour.io/docs/main/config/overload-manager/" + format: "int64" + type: "integer" + podAnnotations: + additionalProperties: + type: "string" + description: "PodAnnotations defines annotations to add to the Envoy pods.\nthe annotations for Prometheus will be appended or overwritten with predefined value." + type: "object" + replicas: + description: "Deprecated: Use `DeploymentSettings.Replicas` instead.\nReplicas is the desired number of Envoy replicas. If WorkloadType\nis not \"Deployment\", this field is ignored. Otherwise, if unset,\ndefaults to 2.\nif both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`." + format: "int32" + minimum: 0.0 + type: "integer" + resources: + description: "Compute Resources required by envoy container.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\nThis is an alpha field and requires enabling the\nDynamicResourceAllocation feature gate.\nThis field is immutable. It can only be set for containers." + items: + description: "ResourceClaim references one entry in PodSpec.ResourceClaims." + properties: + name: + description: "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container." + type: "string" + required: + - "name" + type: "object" + type: "array" + x-kubernetes-list-map-keys: + - "name" + x-kubernetes-list-type: "map" + limits: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + requests: + additionalProperties: + anyOf: + - type: "integer" + - type: "string" + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + x-kubernetes-int-or-string: true + description: "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: "object" + type: "object" + workloadType: + description: "WorkloadType is the type of workload to install Envoy\nas. Choices are DaemonSet and Deployment. If unset, defaults\nto DaemonSet." + type: "string" + type: "object" + resourceLabels: + additionalProperties: + type: "string" + description: "ResourceLabels is a set of labels to add to the provisioned Contour resources.\nDeprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be\nremoved in a future release." + type: "object" + runtimeSettings: + description: "RuntimeSettings is a ContourConfiguration spec to be used when\nprovisioning a Contour instance that will influence aspects of\nthe Contour instance's runtime behavior." + properties: + debug: + description: "Debug contains parameters to enable debug logging\nand debug interfaces inside Contour." + properties: + address: + description: "Defines the Contour debug address interface.\nContour's default is \"127.0.0.1\"." + type: "string" + port: + description: "Defines the Contour debug address port.\nContour's default is 6060." + type: "integer" + type: "object" + enableExternalNameService: + description: "EnableExternalNameService allows processing of ExternalNameServices\nContour's default is false for security reasons." + type: "boolean" + envoy: + description: "Envoy contains parameters for Envoy as well\nas how to optionally configure a managed Envoy fleet." + properties: + clientCertificate: + description: "ClientCertificate defines the namespace/name of the Kubernetes\nsecret containing the client certificate and private key\nto be used when establishing TLS connection to upstream\ncluster." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + cluster: + description: "Cluster holds various configurable Envoy cluster values that can\nbe set in the config file." + properties: + circuitBreakers: + description: "GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.\nIf defined, this will be used as the default for all services." + properties: + maxConnections: + description: "The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024." + format: "int32" + type: "integer" + maxPendingRequests: + description: "The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024." + format: "int32" + type: "integer" + maxRequests: + description: "The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024" + format: "int32" + type: "integer" + maxRetries: + description: "The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3." + format: "int32" + type: "integer" + type: "object" + dnsLookupFamily: + description: "DNSLookupFamily defines how external names are looked up\nWhen configured as V4, the DNS resolver will only perform a lookup\nfor addresses in the IPv4 family. If V6 is configured, the DNS resolver\nwill only perform a lookup for addresses in the IPv6 family.\nIf AUTO is configured, the DNS resolver will first perform a lookup\nfor addresses in the IPv6 family and fallback to a lookup for addresses\nin the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for\nboth IPv4 and IPv6 families, and return all resolved addresses.\nWhen this is used, Happy Eyeballs will be enabled for upstream connections.\nRefer to Happy Eyeballs Support for more information.\nNote: This only applies to externalName clusters.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily\nfor more information.\nValues: `auto` (default), `v4`, `v6`, `all`.\nOther values will produce an error." + type: "string" + maxRequestsPerConnection: + description: "Defines the maximum requests for upstream connections. If not specified, there is no limit.\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + per-connection-buffer-limit-bytes: + description: "Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.\nIf unspecified, an implementation defined default is applied (1MiB).\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + upstreamTLS: + description: "UpstreamTLS contains the TLS policy parameters for upstream connections" + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to be supported by Envoy TLS\nlisteners when negotiating TLS 1.2. Ciphers are validated against the\nset that Envoy supports by default. This parameter should only be used\nby advanced users. Note that these will be ignored when TLS 1.3 is in\nuse.\nThis field is optional; when it is undefined, a Contour-managed ciphersuite list\nwill be used, which may be updated to keep it secure.\nContour's default list is:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\nCiphers provided are validated against the following list:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES128-GCM-SHA256\"\n - \"ECDHE-RSA-AES128-GCM-SHA256\"\n - \"ECDHE-ECDSA-AES128-SHA\"\n - \"ECDHE-RSA-AES128-SHA\"\n - \"AES128-GCM-SHA256\"\n - \"AES128-SHA\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\n - \"ECDHE-ECDSA-AES256-SHA\"\n - \"ECDHE-RSA-AES256-SHA\"\n - \"AES256-GCM-SHA384\"\n - \"AES256-SHA\"\nContour recommends leaving this undefined unless you are sure you must.\nSee: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters\nNote: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS." + items: + type: "string" + type: "array" + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS version this vhost should\nnegotiate.\nValues: `1.2`, `1.3`(default).\nOther values will produce an error." + type: "string" + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS version this vhost should\nnegotiate.\nValues: `1.2` (default), `1.3`.\nOther values will produce an error." + type: "string" + type: "object" + type: "object" + defaultHTTPVersions: + description: "DefaultHTTPVersions defines the default set of HTTPS\nversions the proxy should accept. HTTP versions are\nstrings of the form \"HTTP/xx\". Supported versions are\n\"HTTP/1.1\" and \"HTTP/2\".\nValues: `HTTP/1.1`, `HTTP/2` (default: both).\nOther values will produce an error." + items: + description: "HTTPVersionType is the name of a supported HTTP version." + type: "string" + type: "array" + health: + description: "Health defines the endpoint Envoy uses to serve health checks.\nContour's default is { address: \"0.0.0.0\", port: 8002 }." + properties: + address: + description: "Defines the health address interface." + minLength: 1 + type: "string" + port: + description: "Defines the health port." + type: "integer" + type: "object" + http: + description: "Defines the HTTP Listener for Envoy.\nContour's default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" }." + properties: + accessLog: + description: "AccessLog defines where Envoy logs are outputted for this listener." + type: "string" + address: + description: "Defines an Envoy Listener Address." + minLength: 1 + type: "string" + port: + description: "Defines an Envoy listener Port." + type: "integer" + type: "object" + https: + description: "Defines the HTTPS Listener for Envoy.\nContour's default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" }." + properties: + accessLog: + description: "AccessLog defines where Envoy logs are outputted for this listener." + type: "string" + address: + description: "Defines an Envoy Listener Address." + minLength: 1 + type: "string" + port: + description: "Defines an Envoy listener Port." + type: "integer" + type: "object" + listener: + description: "Listener hold various configurable Envoy listener values." + properties: + connectionBalancer: + description: "ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig\nfor more information.\nValues: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.\nOther values will produce an error." + type: "string" + disableAllowChunkedLength: + description: "DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to\nstrip the \"Content-Length\" header if \"Transfer-Encoding: chunked\" is\nalso set. This is an emergency off-switch to revert back to Envoy's\ndefault behavior in case of failures. Please file an issue if failures\nare encountered.\nSee: https://github.com/projectcontour/contour/issues/3221\nContour's default is false." + type: "boolean" + disableMergeSlashes: + description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option\nwhich strips duplicate slashes from request URL paths.\nContour's default is false." + type: "boolean" + httpMaxConcurrentStreams: + description: "Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the\nSETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed\nfor a peer on a single HTTP/2 connection. It is recommended to not set this lower\nthan 100 but this field can be used to bound resource usage by HTTP/2 connections\nand mitigate attacks like CVE-2023-44487. The default value when this is not set is\nunlimited." + format: "int32" + minimum: 1.0 + type: "integer" + maxConnectionsPerListener: + description: "Defines the limit on number of active connections to a listener. The limit is applied\nper listener. The default value when this is not set is unlimited." + format: "int32" + minimum: 1.0 + type: "integer" + maxRequestsPerConnection: + description: "Defines the maximum requests for downstream connections. If not specified, there is no limit.\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + maxRequestsPerIOCycle: + description: "Defines the limit on number of HTTP requests that Envoy will process from a single\nconnection in a single I/O cycle. Requests over this limit are processed in subsequent\nI/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is\ndetected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default\nvalue when this is not set is no limit." + format: "int32" + minimum: 1.0 + type: "integer" + per-connection-buffer-limit-bytes: + description: "Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.\nIf unspecified, an implementation defined default is applied (1MiB).\nsee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes\nfor more information." + format: "int32" + minimum: 1.0 + type: "integer" + serverHeaderTransformation: + description: "Defines the action to be applied to the Server header on the response path.\nWhen configured as overwrite, overwrites any Server header with \"envoy\".\nWhen configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\".\nWhen configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.\nValues: `overwrite` (default), `append_if_absent`, `pass_through`\nOther values will produce an error.\nContour's default is overwrite." + type: "string" + socketOptions: + description: "SocketOptions defines configurable socket options for the listeners.\nSingle set of options are applied to all listeners." + properties: + tos: + description: "Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.\nSingle value is applied to all listeners.\nIf listeners are bound to IPv6-only addresses, setting this option will cause an error." + format: "int32" + maximum: 255.0 + minimum: 0.0 + type: "integer" + trafficClass: + description: "Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.\nSingle value is applied to all listeners.\nIf listeners are bound to IPv4-only addresses, setting this option will cause an error." + format: "int32" + maximum: 255.0 + minimum: 0.0 + type: "integer" + type: "object" + tls: + description: "TLS holds various configurable Envoy TLS listener values." + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to be supported by Envoy TLS\nlisteners when negotiating TLS 1.2. Ciphers are validated against the\nset that Envoy supports by default. This parameter should only be used\nby advanced users. Note that these will be ignored when TLS 1.3 is in\nuse.\nThis field is optional; when it is undefined, a Contour-managed ciphersuite list\nwill be used, which may be updated to keep it secure.\nContour's default list is:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\nCiphers provided are validated against the following list:\n - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"\n - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"\n - \"ECDHE-ECDSA-AES128-GCM-SHA256\"\n - \"ECDHE-RSA-AES128-GCM-SHA256\"\n - \"ECDHE-ECDSA-AES128-SHA\"\n - \"ECDHE-RSA-AES128-SHA\"\n - \"AES128-GCM-SHA256\"\n - \"AES128-SHA\"\n - \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n - \"ECDHE-RSA-AES256-GCM-SHA384\"\n - \"ECDHE-ECDSA-AES256-SHA\"\n - \"ECDHE-RSA-AES256-SHA\"\n - \"AES256-GCM-SHA384\"\n - \"AES256-SHA\"\nContour recommends leaving this undefined unless you are sure you must.\nSee: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters\nNote: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS." + items: + type: "string" + type: "array" + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS version this vhost should\nnegotiate.\nValues: `1.2`, `1.3`(default).\nOther values will produce an error." + type: "string" + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS version this vhost should\nnegotiate.\nValues: `1.2` (default), `1.3`.\nOther values will produce an error." + type: "string" + type: "object" + useProxyProtocol: + description: "Use PROXY protocol for all listeners.\nContour's default is false." + type: "boolean" + type: "object" + logging: + description: "Logging defines how Envoy's logs can be configured." + properties: + accessLogFormat: + description: "AccessLogFormat sets the global access log format.\nValues: `envoy` (default), `json`.\nOther values will produce an error." + type: "string" + accessLogFormatString: + description: "AccessLogFormatString sets the access log format when format is set to `envoy`.\nWhen empty, Envoy's default format is used." + type: "string" + accessLogJSONFields: + description: "AccessLogJSONFields sets the fields that JSON logging will\noutput when AccessLogFormat is json." + items: + type: "string" + type: "array" + accessLogLevel: + description: "AccessLogLevel sets the verbosity level of the access log.\nValues: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.\nOther values will produce an error." + type: "string" + type: "object" + metrics: + description: "Metrics defines the endpoint Envoy uses to serve metrics.\nContour's default is { address: \"0.0.0.0\", port: 8002 }." + properties: + address: + description: "Defines the metrics address interface." + maxLength: 253 + minLength: 1 + type: "string" + port: + description: "Defines the metrics port." + type: "integer" + tls: + description: "TLS holds TLS file config details.\nMetrics and health endpoints cannot have same port number when metrics is served over HTTPS." + properties: + caFile: + description: "CA filename." + type: "string" + certFile: + description: "Client certificate filename." + type: "string" + keyFile: + description: "Client key filename." + type: "string" + type: "object" + type: "object" + network: + description: "Network holds various configurable Envoy network values." + properties: + adminPort: + description: "Configure the port used to access the Envoy Admin interface.\nIf configured to port \"0\" then the admin interface is disabled.\nContour's default is 9001." + type: "integer" + numTrustedHops: + description: "XffNumTrustedHops defines the number of additional ingress proxy hops from the\nright side of the x-forwarded-for HTTP header to trust when determining the origin\nclient’s IP address.\nSee https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops\nfor more information.\nContour's default is 0." + format: "int32" + type: "integer" + type: "object" + service: + description: "Service holds Envoy service parameters for setting Ingress status.\nContour's default is { namespace: \"projectcontour\", name: \"envoy\" }." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + timeouts: + description: "Timeouts holds various configurable timeouts that can\nbe set in the config file." + properties: + connectTimeout: + description: "ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.\nIf not set, a default value of 2 seconds will be used.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout\nfor more information." + type: "string" + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the proxy should wait while there are\nno active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating\nan HTTP connection. Set to \"infinity\" to disable the timeout entirely.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout\nfor more information." + type: "string" + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an\ninitial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.\nDuring this grace period, the proxy will continue to respond to new streams. After the final\nGOAWAY frame has been sent, the proxy will refuse new streams.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout\nfor more information." + type: "string" + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy will wait, once connection\nclose processing has been initiated, for the downstream peer to close\nthe connection before Envoy closes the socket associated with the connection.\nSetting this timeout to 'infinity' will disable it, equivalent to setting it to '0'\nin Envoy. Leaving it unset will result in the Envoy default value being used.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout\nfor more information." + type: "string" + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum period of time after an HTTP connection\nhas been established from the client to the proxy before it is closed by the proxy,\nregardless of whether there has been activity or not. Omit or set to \"infinity\" for\nno max duration.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration\nfor more information." + type: "string" + requestTimeout: + description: "RequestTimeout sets the client request timeout globally for Contour. Note that\nthis is a timeout for the entire request, not an idle timeout. Omit or set to\n\"infinity\" to disable the timeout entirely.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout\nfor more information." + type: "string" + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy should wait while there is no\nrequest activity (for HTTP/1.1) or stream activity (for HTTP/2) before\nterminating the HTTP request or stream. Set to \"infinity\" to disable the\ntimeout entirely.\nSee https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout\nfor more information." + type: "string" + type: "object" + type: "object" + featureFlags: + description: "FeatureFlags defines toggle to enable new contour features.\nAvailable toggles are:\nuseEndpointSlices - configures contour to fetch endpoint data\nfrom k8s endpoint slices. defaults to false and reading endpoint\ndata from the k8s endpoints." + items: + type: "string" + type: "array" + gateway: + description: "Gateway contains parameters for the gateway-api Gateway that Contour\nis configured to serve traffic." + properties: + controllerName: + description: "ControllerName is used to determine whether Contour should reconcile a\nGatewayClass. The string takes the form of \"projectcontour.io//contour\".\nIf unset, the gatewayclass controller will not be started.\nExactly one of ControllerName or GatewayRef must be set.\nDeprecated: users should use GatewayRef, or the Gateway provisioner,\nin place of this field. This field will be removed in a future release." + type: "string" + gatewayRef: + description: "GatewayRef defines a specific Gateway that this Contour\ninstance corresponds to. If set, Contour will reconcile\nonly this gateway, and will not reconcile any gateway\nclasses.\nExactly one of ControllerName or GatewayRef must be set." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + type: "object" + globalExtAuth: + description: "GlobalExternalAuthorization allows envoys external authorization filter\nto be enabled for all virtual hosts." + properties: + authPolicy: + description: "AuthPolicy sets a default authorization policy for client requests.\nThis policy will be used unless overridden by individual routes." + properties: + context: + additionalProperties: + type: "string" + description: "Context is a set of key/value pairs that are sent to the\nauthentication server in the check request. If a context\nis provided at an enclosing scope, the entries are merged\nsuch that the inner scope overrides matching keys from the\nouter scope." + type: "object" + disabled: + description: "When true, this field disables client request authentication\nfor the scope of the policy." + type: "boolean" + type: "object" + extensionRef: + description: "ExtensionServiceRef specifies the extension resource that will authorize client requests." + properties: + apiVersion: + description: "API version of the referent.\nIf this field is not specified, the default \"projectcontour.io/v1alpha1\" will be used" + minLength: 1 + type: "string" + name: + description: "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: "string" + namespace: + description: "Namespace of the referent.\nIf this field is not specifies, the namespace of the resource that targets the referent will be used.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: "string" + type: "object" + failOpen: + description: "If FailOpen is true, the client request is forwarded to the upstream service\neven if the authorization server fails to respond. This field should not be\nset in most cases. It is intended for use only while migrating applications\nfrom internal authorization to Contour external authorization." + type: "boolean" + responseTimeout: + description: "ResponseTimeout configures maximum time to wait for a check response from the authorization server.\nTimeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\nThe string \"infinity\" is also a valid input and specifies no timeout." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + withRequestBody: + description: "WithRequestBody specifies configuration for sending the client request's body to authorization server." + properties: + allowPartialMessage: + description: "If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached." + type: "boolean" + maxRequestBytes: + default: 1024 + description: "MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory." + format: "int32" + minimum: 1.0 + type: "integer" + packAsBytes: + description: "If PackAsBytes is true, the body sent to Authorization Server is in raw bytes." + type: "boolean" + type: "object" + type: "object" + health: + description: "Health defines the endpoints Contour uses to serve health checks.\nContour's default is { address: \"0.0.0.0\", port: 8000 }." + properties: + address: + description: "Defines the health address interface." + minLength: 1 + type: "string" + port: + description: "Defines the health port." + type: "integer" + type: "object" + httpproxy: + description: "HTTPProxy defines parameters on HTTPProxy." + properties: + disablePermitInsecure: + description: "DisablePermitInsecure disables the use of the\npermitInsecure field in HTTPProxy.\nContour's default is false." + type: "boolean" + fallbackCertificate: + description: "FallbackCertificate defines the namespace/name of the Kubernetes secret to\nuse as fallback when a non-SNI request is received." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + rootNamespaces: + description: "Restrict Contour to searching these namespaces for root ingress routes." + items: + type: "string" + type: "array" + type: "object" + ingress: + description: "Ingress contains parameters for ingress options." + properties: + classNames: + description: "Ingress Class Names Contour should use." + items: + type: "string" + type: "array" + statusAddress: + description: "Address to set in Ingress object status." + type: "string" + type: "object" + metrics: + description: "Metrics defines the endpoint Contour uses to serve metrics.\nContour's default is { address: \"0.0.0.0\", port: 8000 }." + properties: + address: + description: "Defines the metrics address interface." + maxLength: 253 + minLength: 1 + type: "string" + port: + description: "Defines the metrics port." + type: "integer" + tls: + description: "TLS holds TLS file config details.\nMetrics and health endpoints cannot have same port number when metrics is served over HTTPS." + properties: + caFile: + description: "CA filename." + type: "string" + certFile: + description: "Client certificate filename." + type: "string" + keyFile: + description: "Client key filename." + type: "string" + type: "object" + type: "object" + policy: + description: "Policy specifies default policy applied if not overridden by the user" + properties: + applyToIngress: + description: "ApplyToIngress determines if the Policies will apply to ingress objects\nContour's default is false." + type: "boolean" + requestHeaders: + description: "RequestHeadersPolicy defines the request headers set/removed on all routes" + properties: + remove: + items: + type: "string" + type: "array" + set: + additionalProperties: + type: "string" + type: "object" + type: "object" + responseHeaders: + description: "ResponseHeadersPolicy defines the response headers set/removed on all routes" + properties: + remove: + items: + type: "string" + type: "array" + set: + additionalProperties: + type: "string" + type: "object" + type: "object" + type: "object" + rateLimitService: + description: "RateLimitService optionally holds properties of the Rate Limit Service\nto be used for global rate limiting." + properties: + defaultGlobalRateLimitPolicy: + description: "DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.\nHTTPProxy can overwrite this configuration." + properties: + descriptors: + description: "Descriptors defines the list of descriptors that will\nbe generated and sent to the rate limit service. Each\ndescriptor contains 1+ key-value pair entries." + items: + description: "RateLimitDescriptor defines a list of key-value pair generators." + properties: + entries: + description: "Entries is the list of key-value pair generators." + items: + description: "RateLimitDescriptorEntry is a key-value pair generator. Exactly\none field on this struct must be non-nil." + properties: + genericKey: + description: "GenericKey defines a descriptor entry with a static key and value." + properties: + key: + description: "Key defines the key of the descriptor entry. If not set, the\nkey is set to \"generic_key\"." + type: "string" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + remoteAddress: + description: "RemoteAddress defines a descriptor entry with a key of \"remote_address\"\nand a value equal to the client's IP address (from x-forwarded-for)." + type: "object" + requestHeader: + description: "RequestHeader defines a descriptor entry that's populated only if\na given header is present on the request. The descriptor key is static,\nand the descriptor value is equal to the value of the header." + properties: + descriptorKey: + description: "DescriptorKey defines the key to use on the descriptor entry." + minLength: 1 + type: "string" + headerName: + description: "HeaderName defines the name of the header to look for on the request." + minLength: 1 + type: "string" + type: "object" + requestHeaderValueMatch: + description: "RequestHeaderValueMatch defines a descriptor entry that's populated\nif the request's headers match a set of 1+ match criteria. The\ndescriptor key is \"header_match\", and the descriptor value is static." + properties: + expectMatch: + default: true + description: "ExpectMatch defines whether the request must positively match the match\ncriteria in order to generate a descriptor entry (i.e. true), or not\nmatch the match criteria in order to generate a descriptor entry (i.e. false).\nThe default is true." + type: "boolean" + headers: + description: "Headers is a list of 1+ match criteria to apply against the request\nto determine whether to populate the descriptor entry or not." + items: + description: "HeaderMatchCondition specifies how to conditionally match against HTTP\nheaders. The Name field is required, only one of Present, NotPresent,\nContains, NotContains, Exact, NotExact and Regex can be set.\nFor negative matching rules only (e.g. NotContains or NotExact) you can set\nTreatMissingAsEmpty.\nIgnoreCase has no effect for Regex." + properties: + contains: + description: "Contains specifies a substring that must be present in\nthe header value." + type: "string" + exact: + description: "Exact specifies a string that the header value must be equal to." + type: "string" + ignoreCase: + description: "IgnoreCase specifies that string matching should be case insensitive.\nNote that this has no effect on the Regex parameter." + type: "boolean" + name: + description: "Name is the name of the header to match against. Name is required.\nHeader names are case insensitive." + type: "string" + notcontains: + description: "NotContains specifies a substring that must not be present\nin the header value." + type: "string" + notexact: + description: "NoExact specifies a string that the header value must not be\nequal to. The condition is true if the header has any other value." + type: "string" + notpresent: + description: "NotPresent specifies that condition is true when the named header\nis not present. Note that setting NotPresent to false does not\nmake the condition true if the named header is present." + type: "boolean" + present: + description: "Present specifies that condition is true when the named header\nis present, regardless of its value. Note that setting Present\nto false does not make the condition true if the named header\nis absent." + type: "boolean" + regex: + description: "Regex specifies a regular expression pattern that must match the header\nvalue." + type: "string" + treatMissingAsEmpty: + description: "TreatMissingAsEmpty specifies if the header match rule specified header\ndoes not exist, this header value will be treated as empty. Defaults to false.\nUnlike the underlying Envoy implementation this is **only** supported for\nnegative matches (e.g. NotContains, NotExact)." + type: "boolean" + required: + - "name" + type: "object" + minItems: 1 + type: "array" + value: + description: "Value defines the value of the descriptor entry." + minLength: 1 + type: "string" + type: "object" + type: "object" + minItems: 1 + type: "array" + type: "object" + minItems: 1 + type: "array" + disabled: + description: "Disabled configures the HTTPProxy to not use\nthe default global rate limit policy defined by the Contour configuration." + type: "boolean" + type: "object" + domain: + description: "Domain is passed to the Rate Limit Service." + type: "string" + enableResourceExhaustedCode: + description: "EnableResourceExhaustedCode enables translating error code 429 to\ngrpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE" + type: "boolean" + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include the X-RateLimit\nheaders X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset\n(as defined by the IETF Internet-Draft linked below), on responses\nto clients when the Rate Limit Service is consulted for a request.\nref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: "boolean" + extensionService: + description: "ExtensionService identifies the extension service defining the RLS." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + failOpen: + description: "FailOpen defines whether to allow requests to proceed when the\nRate Limit Service fails to respond with a valid rate limit\ndecision within the timeout defined on the extension service." + type: "boolean" + required: + - "extensionService" + type: "object" + tracing: + description: "Tracing defines properties for exporting trace data to OpenTelemetry." + properties: + customTags: + description: "CustomTags defines a list of custom tags with unique tag name." + items: + description: "CustomTag defines custom tags with unique tag name\nto create tags for the active span." + properties: + literal: + description: "Literal is a static custom tag value.\nPrecisely one of Literal, RequestHeaderName must be set." + type: "string" + requestHeaderName: + description: "RequestHeaderName indicates which request header\nthe label value is obtained from.\nPrecisely one of Literal, RequestHeaderName must be set." + type: "string" + tagName: + description: "TagName is the unique name of the custom tag." + type: "string" + required: + - "tagName" + type: "object" + type: "array" + extensionService: + description: "ExtensionService identifies the extension service defining the otel-collector." + properties: + name: + type: "string" + namespace: + type: "string" + required: + - "name" + - "namespace" + type: "object" + includePodDetail: + description: "IncludePodDetail defines a flag.\nIf it is true, contour will add the pod name and namespace to the span of the trace.\nthe default is true.\nNote: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly." + type: "boolean" + maxPathTagLength: + description: "MaxPathTagLength defines maximum length of the request path\nto extract and include in the HttpUrl tag.\ncontour's default is 256." + format: "int32" + type: "integer" + overallSampling: + description: "OverallSampling defines the sampling rate of trace data.\ncontour's default is 100." + type: "string" + serviceName: + description: "ServiceName defines the name for the service.\ncontour's default is contour." + type: "string" + required: + - "extensionService" + type: "object" + xdsServer: + description: "XDSServer contains parameters for the xDS server." + properties: + address: + description: "Defines the xDS gRPC API address which Contour will serve.\nContour's default is \"0.0.0.0\"." + minLength: 1 + type: "string" + port: + description: "Defines the xDS gRPC API port which Contour will serve.\nContour's default is 8001." + type: "integer" + tls: + description: "TLS holds TLS file config details.\nContour's default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", keyFile: \"/certs/tls.key\", insecure: false }." + properties: + caFile: + description: "CA filename." + type: "string" + certFile: + description: "Client certificate filename." + type: "string" + insecure: + description: "Allow serving the xDS gRPC API without TLS." + type: "boolean" + keyFile: + description: "Client key filename." + type: "string" + type: "object" + type: + description: "Defines the XDSServer to use for `contour serve`.\nValues: `contour` (default), `envoy`.\nOther values will produce an error." + type: "string" + type: "object" + type: "object" + type: "object" + status: + description: "ContourDeploymentStatus defines the observed state of a ContourDeployment resource." + properties: + conditions: + description: "Conditions describe the current conditions of the ContourDeployment resource." + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + format: "date-time" + type: "string" + message: + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + observedGeneration: + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." + format: "int64" + minimum: 0.0 + type: "integer" + reason: + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "lastTransitionTime" + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + x-kubernetes-list-map-keys: + - "type" + x-kubernetes-list-type: "map" + type: "object" + type: "object" + served: true + storage: true + subresources: + status: {} diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.args b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.args new file mode 100644 index 000000000..7ab47510b --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.args @@ -0,0 +1 @@ +--derive=PartialEq diff --git a/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml new file mode 100644 index 000000000..ecd1f1e96 --- /dev/null +++ b/crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml @@ -0,0 +1,276 @@ +apiVersion: "apiextensions.k8s.io/v1" +kind: "CustomResourceDefinition" +metadata: + annotations: + controller-gen.kubebuilder.io/version: "v0.14.0" + name: "extensionservices.projectcontour.io" +spec: + group: "projectcontour.io" + names: + kind: "ExtensionService" + listKind: "ExtensionServiceList" + plural: "extensionservices" + shortNames: + - "extensionservice" + - "extensionservices" + singular: "extensionservice" + preserveUnknownFields: false + scope: "Namespaced" + versions: + - name: "v1alpha1" + schema: + openAPIV3Schema: + description: "ExtensionService is the schema for the Contour extension services API.\nAn ExtensionService resource binds a network service to the Contour\nAPI so that Contour API features can be implemented by collaborating\ncomponents." + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + kind: + description: "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + metadata: + type: "object" + spec: + description: "ExtensionServiceSpec defines the desired state of an ExtensionService resource." + properties: + loadBalancerPolicy: + description: "The policy for load balancing GRPC service requests. Note that the\n`Cookie` and `RequestHash` load balancing strategies cannot be used\nhere." + properties: + requestHashPolicies: + description: "RequestHashPolicies contains a list of hash policies to apply when the\n`RequestHash` load balancing strategy is chosen. If an element of the\nsupplied list of hash policies is invalid, it will be ignored. If the\nlist of hash policies is empty after validation, the load balancing\nstrategy will fall back to the default `RoundRobin`." + items: + description: "RequestHashPolicy contains configuration for an individual hash policy\non a request attribute." + properties: + hashSourceIP: + description: "HashSourceIP should be set to true when request source IP hash based\nload balancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + type: "boolean" + headerHashOptions: + description: "HeaderHashOptions should be set when request header hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + properties: + headerName: + description: "HeaderName is the name of the HTTP request header that will be used to\ncalculate the hash key. If the header specified is not present on a\nrequest, no hash will be produced." + minLength: 1 + type: "string" + type: "object" + queryParameterHashOptions: + description: "QueryParameterHashOptions should be set when request query parameter hash based load\nbalancing is desired. It must be the only hash option field set,\notherwise this request hash policy object will be ignored." + properties: + parameterName: + description: "ParameterName is the name of the HTTP request query parameter that will be used to\ncalculate the hash key. If the query parameter specified is not present on a\nrequest, no hash will be produced." + minLength: 1 + type: "string" + type: "object" + terminal: + description: "Terminal is a flag that allows for short-circuiting computing of a hash\nfor a given request. If set to true, and the request attribute specified\nin the attribute hash options is present, no further hash policies will\nbe used to calculate a hash for the request." + type: "boolean" + type: "object" + type: "array" + strategy: + description: "Strategy specifies the policy used to balance requests\nacross the pool of backend pods. Valid policy names are\n`Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,\nand `RequestHash`. If an unknown strategy name is specified\nor no policy is supplied, the default `RoundRobin` policy\nis used." + type: "string" + type: "object" + protocol: + description: "Protocol may be used to specify (or override) the protocol used to reach this Service.\nValues may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations." + enum: + - "h2" + - "h2c" + type: "string" + protocolVersion: + description: "This field sets the version of the GRPC protocol that Envoy uses to\nsend requests to the extension service. Since Contour always uses the\nv3 Envoy API, this is currently fixed at \"v3\". However, other\nprotocol options will be available in future." + enum: + - "v3" + type: "string" + services: + description: "Services specifies the set of Kubernetes Service resources that\nreceive GRPC extension API requests.\nIf no weights are specified for any of the entries in\nthis array, traffic will be spread evenly across all the\nservices.\nOtherwise, traffic is balanced proportionally to the\nWeight field in each entry." + items: + description: "ExtensionServiceTarget defines an Kubernetes Service to target with\nextension service traffic." + properties: + name: + description: "Name is the name of Kubernetes service that will accept service\ntraffic." + type: "string" + port: + description: "Port (defined as Integer) to proxy traffic to since a service can have multiple defined." + exclusiveMaximum: true + maximum: 65536.0 + minimum: 1.0 + type: "integer" + weight: + description: "Weight defines proportion of traffic to balance to the Kubernetes Service." + format: "int32" + type: "integer" + required: + - "name" + - "port" + type: "object" + minItems: 1 + type: "array" + timeoutPolicy: + description: "The timeout policy for requests to the services." + properties: + idle: + description: "Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).\nTimeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.\nIf not specified, there is no per-route idle timeout, though a connection manager-wide\nstream_idle_timeout default of 5m still applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + idleConnection: + description: "Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.\nIf not supplied, Envoy's default value of 1h applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + response: + description: "Timeout for receiving a response from the server after processing a request from client.\nIf not supplied, Envoy's default value of 15s applies." + pattern: "^(((\\d*(\\.\\d*)?h)|(\\d*(\\.\\d*)?m)|(\\d*(\\.\\d*)?s)|(\\d*(\\.\\d*)?ms)|(\\d*(\\.\\d*)?us)|(\\d*(\\.\\d*)?µs)|(\\d*(\\.\\d*)?ns))+|infinity|infinite)$" + type: "string" + type: "object" + validation: + description: "UpstreamValidation defines how to verify the backend service's certificate" + properties: + caSecret: + description: "Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.\nThe secret must contain key named ca.crt.\nThe name can be optionally prefixed with namespace \"namespace/name\".\nWhen cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.\nMax length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)" + maxLength: 317 + minLength: 1 + type: "string" + subjectName: + description: "Key which is expected to be present in the 'subjectAltName' of the presented certificate.\nDeprecated: migrate to using the plural field subjectNames." + maxLength: 250 + minLength: 1 + type: "string" + subjectNames: + description: "List of keys, of which at least one is expected to be present in the 'subjectAltName of the\npresented certificate." + items: + type: "string" + maxItems: 8 + minItems: 1 + type: "array" + required: + - "caSecret" + - "subjectName" + type: "object" + x-kubernetes-validations: + - message: "subjectNames[0] must equal subjectName if set" + rule: "has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true" + required: + - "services" + type: "object" + status: + description: "ExtensionServiceStatus defines the observed state of an\nExtensionService resource." + properties: + conditions: + description: "Conditions contains the current status of the ExtensionService resource.\nContour will update a single condition, `Valid`, that is in normal-true polarity.\nContour will not modify any other Conditions set in this block,\nin case some other controller wants to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes conditions, with two extra\nfields to hold sub-conditions, which provide more detailed reasons for the state (True or False)\nof the condition.\n`errors` holds information about sub-conditions which are fatal to that condition and render its state False.\n`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.\nRemember that Conditions have a type, a status, and a reason.\nThe type is the type of the condition, the most important one in this CRD set is `Valid`.\n`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.\nIn more detail, `status: true` means that the object is has been ingested into Contour with no errors.\n`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`\nslice in this case.\n`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.\nThe details of the errors will be present under the `errors` field. There must be at least one error in the `errors`\nslice if `status` is `false`.\nFor DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.\nWhen they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.\nWhen they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.\nIn either case, there may be entries in the `warnings` slice.\nRegardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason\n(if there is one and only one entry in total across both the `errors` and `warnings` slices), or\n`MultipleReasons` if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.\nAn empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + lastTransitionTime: + description: "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable." + format: "date-time" + type: "string" + message: + description: "message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + observedGeneration: + description: "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance." + format: "int64" + minimum: 0.0 + type: "integer" + reason: + description: "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + warnings: + description: "Warnings contains a slice of relevant warning subconditions for this object.\nSubconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.\nAn empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.\nIt contains a subset of the Condition fields.\nIt is intended for warnings and errors, so `type` names should use abnormal-true polarity,\nthat is, they should be of the form \"ErrorPresent: true\".\nThe expected lifecycle for these errors is that they should only be present when the error or warning is,\nand should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating details about the transition.\nThis may be an empty string." + maxLength: 32768 + type: "string" + reason: + description: "Reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty." + maxLength: 1024 + minLength: 1 + pattern: "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + type: "string" + status: + description: "Status of the condition, one of True, False, Unknown." + enum: + - "True" + - "False" + - "Unknown" + type: "string" + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.\nThis must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + type: "string" + required: + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + required: + - "lastTransitionTime" + - "message" + - "reason" + - "status" + - "type" + type: "object" + type: "array" + x-kubernetes-list-map-keys: + - "type" + x-kubernetes-list-type: "map" + type: "object" + type: "object" + served: true + storage: true + subresources: + status: {} diff --git a/kube-custom-resources-rs/Cargo.toml b/kube-custom-resources-rs/Cargo.toml index 28fdf415d..d60b8adc6 100644 --- a/kube-custom-resources-rs/Cargo.toml +++ b/kube-custom-resources-rs/Cargo.toml @@ -234,6 +234,7 @@ policy_clusterpedia_io = [] policy_karmada_io = [] postgres_operator_crunchydata_com = [] postgresql_cnpg_io = [] +projectcontour_io = [] prometheusservice_services_k8s_aws = [] quay_redhat_com = [] quota_openshift_io = [] diff --git a/kube-custom-resources-rs/src/lib.rs b/kube-custom-resources-rs/src/lib.rs index 3242feeba..679f4ab23 100644 --- a/kube-custom-resources-rs/src/lib.rs +++ b/kube-custom-resources-rs/src/lib.rs @@ -1895,6 +1895,17 @@ apiVersion `postgresql.cnpg.io/v1`: - `Pooler` - `ScheduledBackup` +## projectcontour_io + +apiVersion `projectcontour.io/v1`: +- `HTTPProxy` +- `TLSCertificateDelegation` + +apiVersion `projectcontour.io/v1alpha1`: +- `ContourConfiguration` +- `ContourDeployment` +- `ExtensionService` + ## prometheusservice_services_k8s_aws apiVersion `prometheusservice.services.k8s.aws/v1alpha1`: @@ -2817,6 +2828,8 @@ pub mod policy_karmada_io; pub mod postgres_operator_crunchydata_com; #[cfg(feature = "postgresql_cnpg_io")] pub mod postgresql_cnpg_io; +#[cfg(feature = "projectcontour_io")] +pub mod projectcontour_io; #[cfg(feature = "prometheusservice_services_k8s_aws")] pub mod prometheusservice_services_k8s_aws; #[cfg(feature = "quay_redhat_com")] diff --git a/kube-custom-resources-rs/src/projectcontour_io/mod.rs b/kube-custom-resources-rs/src/projectcontour_io/mod.rs new file mode 100644 index 000000000..21c0fbff9 --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/mod.rs @@ -0,0 +1,2 @@ +pub mod v1; +pub mod v1alpha1; diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs b/kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs new file mode 100644 index 000000000..d49d4b8e9 --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/v1/httpproxies.rs @@ -0,0 +1,2432 @@ +// WARNING: generated by kopium - manual changes will be overwritten +// kopium command: kopium --docs --filename=./crd-catalog/projectcontour/contour/projectcontour.io/v1/httpproxies.yaml --derive=PartialEq +// kopium version: 0.16.5 + +use kube::CustomResource; +use serde::{Serialize, Deserialize}; +use std::collections::BTreeMap; + +/// HTTPProxySpec defines the spec of the CRD. +#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, PartialEq)] +#[kube(group = "projectcontour.io", version = "v1", kind = "HTTPProxy", plural = "httpproxies")] +#[kube(namespaced)] +#[kube(status = "HTTPProxyStatus")] +#[kube(schema = "disabled")] +pub struct HTTPProxySpec { + /// Includes allow for specific routing configuration to be included from another HTTPProxy, + /// possibly in another namespace. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub includes: Option>, + /// IngressClassName optionally specifies the ingress class to use for this + /// HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + /// annotation. For backwards compatibility, when that annotation is set, it + /// is given precedence over this field. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ingressClassName")] + pub ingress_class_name: Option, + /// Routes are the ingress routes. If TCPProxy is present, Routes is ignored. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub routes: Option>, + /// TCPProxy holds TCP proxy information. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tcpproxy: Option, + /// Virtualhost appears at most once. If it is present, the object is considered + /// to be a "root" HTTPProxy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub virtualhost: Option, +} + +/// Include describes a set of policies that can be applied to an HTTPProxy in a namespace. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyIncludes { + /// Conditions are a set of rules that are applied to included HTTPProxies. + /// In effect, they are added onto the Conditions of included HTTPProxy Route + /// structs. + /// When applied, they are merged using AND, with one exception: + /// There can be only one Prefix MatchCondition per Conditions slice. + /// More than one Prefix, or contradictory Conditions, will make the + /// include invalid. Exact and Regex match conditions are not allowed + /// on includes. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, + /// Name of the HTTPProxy + pub name: String, + /// Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +/// MatchCondition are a general holder for matching rules for HTTPProxies. +/// One of Prefix, Exact, Regex, Header or QueryParameter must be provided. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyIncludesConditions { + /// Exact defines a exact match for a request. + /// This field is not allowed in include match conditions. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// Header specifies the header condition to match. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub header: Option, + /// Prefix defines a prefix match for a request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, + /// QueryParameter specifies the query parameter condition to match. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryParameter")] + pub query_parameter: Option, + /// Regex defines a regex match for a request. + /// This field is not allowed in include match conditions. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, +} + +/// Header specifies the header condition to match. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyIncludesConditionsHeader { + /// Contains specifies a substring that must be present in + /// the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the header value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the header to match against. Name is required. + /// Header names are case insensitive. + pub name: String, + /// NotContains specifies a substring that must not be present + /// in the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notcontains: Option, + /// NoExact specifies a string that the header value must not be + /// equal to. The condition is true if the header has any other value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notexact: Option, + /// NotPresent specifies that condition is true when the named header + /// is not present. Note that setting NotPresent to false does not + /// make the condition true if the named header is present. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notpresent: Option, + /// Present specifies that condition is true when the named header + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named header + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the header + /// value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// TreatMissingAsEmpty specifies if the header match rule specified header + /// does not exist, this header value will be treated as empty. Defaults to false. + /// Unlike the underlying Envoy implementation this is **only** supported for + /// negative matches (e.g. NotContains, NotExact). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "treatMissingAsEmpty")] + pub treat_missing_as_empty: Option, +} + +/// QueryParameter specifies the query parameter condition to match. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyIncludesConditionsQueryParameter { + /// Contains specifies a substring that must be present in + /// the query parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the query parameter value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the query parameter to match against. Name is required. + /// Query parameter names are case insensitive. + pub name: String, + /// Prefix defines a prefix match for the query parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, + /// Present specifies that condition is true when the named query parameter + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named query parameter + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the query + /// parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// Suffix defines a suffix match for a query parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub suffix: Option, +} + +/// Route contains the set of routes for a virtual host. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutes { + /// AuthPolicy updates the authorization policy that was set + /// on the root HTTPProxy object for client requests that + /// match this route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authPolicy")] + pub auth_policy: Option, + /// Conditions are a set of rules that are applied to a Route. + /// When applied, they are merged using AND, with one exception: + /// There can be only one Prefix, Exact or Regex MatchCondition + /// per Conditions slice. More than one of these condition types, + /// or contradictory Conditions, will make the route invalid. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, + /// The policies for rewriting Set-Cookie header attributes. Note that + /// rewritten cookie names must be unique in this list. Order rewrite + /// policies are specified in does not matter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cookieRewritePolicies")] + pub cookie_rewrite_policies: Option>, + /// DirectResponsePolicy returns an arbitrary HTTP response directly. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "directResponsePolicy")] + pub direct_response_policy: Option, + /// Enables websocket support for the route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableWebsockets")] + pub enable_websockets: Option, + /// The health check policy for this route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "healthCheckPolicy")] + pub health_check_policy: Option, + /// The policy to define when to handle redirects responses internally. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "internalRedirectPolicy")] + pub internal_redirect_policy: Option, + /// IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + /// requests should be allowed. All other requests will be denied. + /// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + /// The rules defined here override any rules set on the root HTTPProxy. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipAllowPolicy")] + pub ip_allow_policy: Option>, + /// IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + /// requests should be denied. All other requests will be allowed. + /// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + /// The rules defined here override any rules set on the root HTTPProxy. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipDenyPolicy")] + pub ip_deny_policy: Option>, + /// The policy for verifying JWTs for requests to this route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "jwtVerificationPolicy")] + pub jwt_verification_policy: Option, + /// The load balancing policy for this route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "loadBalancerPolicy")] + pub load_balancer_policy: Option, + /// The policy for rewriting the path of the request URL + /// after the request has been routed to a Service. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "pathRewritePolicy")] + pub path_rewrite_policy: Option, + /// Allow this path to respond to insecure requests over HTTP which are normally + /// not permitted when a `virtualhost.tls` block is present. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "permitInsecure")] + pub permit_insecure: Option, + /// The policy for rate limiting on the route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rateLimitPolicy")] + pub rate_limit_policy: Option, + /// The policy for managing request headers during proxying. + /// You may dynamically rewrite the Host header to be forwarded + /// upstream to the content of a request header using + /// the below format "%REQ(X-Header-Name)%". If the value of the header + /// is empty, it is ignored. + /// *NOTE: Pay attention to the potential security implications of using this option. + /// Provided header must come from trusted source. + /// **NOTE: The header rewrite is only done while forwarding and has no bearing + /// on the routing decision. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeadersPolicy")] + pub request_headers_policy: Option, + /// RequestRedirectPolicy defines an HTTP redirection. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestRedirectPolicy")] + pub request_redirect_policy: Option, + /// The policy for managing response headers during proxying. + /// Rewriting the 'Host' header is not supported. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseHeadersPolicy")] + pub response_headers_policy: Option, + /// The retry policy for this route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "retryPolicy")] + pub retry_policy: Option, + /// Services are the services to proxy traffic. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub services: Option>, + /// The timeout policy for this route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "timeoutPolicy")] + pub timeout_policy: Option, +} + +/// AuthPolicy updates the authorization policy that was set +/// on the root HTTPProxy object for client requests that +/// match this route. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesAuthPolicy { + /// Context is a set of key/value pairs that are sent to the + /// authentication server in the check request. If a context + /// is provided at an enclosing scope, the entries are merged + /// such that the inner scope overrides matching keys from the + /// outer scope. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub context: Option>, + /// When true, this field disables client request authentication + /// for the scope of the policy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// MatchCondition are a general holder for matching rules for HTTPProxies. +/// One of Prefix, Exact, Regex, Header or QueryParameter must be provided. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesConditions { + /// Exact defines a exact match for a request. + /// This field is not allowed in include match conditions. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// Header specifies the header condition to match. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub header: Option, + /// Prefix defines a prefix match for a request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, + /// QueryParameter specifies the query parameter condition to match. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryParameter")] + pub query_parameter: Option, + /// Regex defines a regex match for a request. + /// This field is not allowed in include match conditions. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, +} + +/// Header specifies the header condition to match. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesConditionsHeader { + /// Contains specifies a substring that must be present in + /// the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the header value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the header to match against. Name is required. + /// Header names are case insensitive. + pub name: String, + /// NotContains specifies a substring that must not be present + /// in the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notcontains: Option, + /// NoExact specifies a string that the header value must not be + /// equal to. The condition is true if the header has any other value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notexact: Option, + /// NotPresent specifies that condition is true when the named header + /// is not present. Note that setting NotPresent to false does not + /// make the condition true if the named header is present. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notpresent: Option, + /// Present specifies that condition is true when the named header + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named header + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the header + /// value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// TreatMissingAsEmpty specifies if the header match rule specified header + /// does not exist, this header value will be treated as empty. Defaults to false. + /// Unlike the underlying Envoy implementation this is **only** supported for + /// negative matches (e.g. NotContains, NotExact). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "treatMissingAsEmpty")] + pub treat_missing_as_empty: Option, +} + +/// QueryParameter specifies the query parameter condition to match. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesConditionsQueryParameter { + /// Contains specifies a substring that must be present in + /// the query parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the query parameter value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the query parameter to match against. Name is required. + /// Query parameter names are case insensitive. + pub name: String, + /// Prefix defines a prefix match for the query parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, + /// Present specifies that condition is true when the named query parameter + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named query parameter + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the query + /// parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// Suffix defines a suffix match for a query parameter value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub suffix: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesCookieRewritePolicies { + /// DomainRewrite enables rewriting the Set-Cookie Domain element. + /// If not set, Domain will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "domainRewrite")] + pub domain_rewrite: Option, + /// Name is the name of the cookie for which attributes will be rewritten. + pub name: String, + /// PathRewrite enables rewriting the Set-Cookie Path element. + /// If not set, Path will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "pathRewrite")] + pub path_rewrite: Option, + /// SameSite enables rewriting the Set-Cookie SameSite element. + /// If not set, SameSite attribute will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sameSite")] + pub same_site: Option, + /// Secure enables rewriting the Set-Cookie Secure element. + /// If not set, Secure attribute will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub secure: Option, +} + +/// DomainRewrite enables rewriting the Set-Cookie Domain element. +/// If not set, Domain will not be rewritten. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesCookieRewritePoliciesDomainRewrite { + /// Value is the value to rewrite the Domain attribute to. + /// For now this is required. + pub value: String, +} + +/// PathRewrite enables rewriting the Set-Cookie Path element. +/// If not set, Path will not be rewritten. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesCookieRewritePoliciesPathRewrite { + /// Value is the value to rewrite the Path attribute to. + /// For now this is required. + pub value: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesCookieRewritePoliciesSameSite { + Strict, + Lax, + None, +} + +/// DirectResponsePolicy returns an arbitrary HTTP response directly. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesDirectResponsePolicy { + /// Body is the content of the response body. + /// If this setting is omitted, no body is included in the generated response. + /// Note: Body is not recommended to set too long + /// otherwise it can have significant resource usage impacts. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub body: Option, + /// StatusCode is the HTTP response status to be returned. + #[serde(rename = "statusCode")] + pub status_code: i64, +} + +/// The health check policy for this route. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesHealthCheckPolicy { + /// The ranges of HTTP response statuses considered healthy. Follow half-open + /// semantics, i.e. for each range the start is inclusive and the end is exclusive. + /// Must be within the range [100,600). If not specified, only a 200 response status + /// is considered healthy. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "expectedStatuses")] + pub expected_statuses: Option>, + /// The number of healthy health checks required before a host is marked healthy + #[serde(default, skip_serializing_if = "Option::is_none", rename = "healthyThresholdCount")] + pub healthy_threshold_count: Option, + /// The value of the host header in the HTTP health check request. + /// If left empty (default value), the name "contour-envoy-healthcheck" + /// will be used. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub host: Option, + /// The interval (seconds) between health checks + #[serde(default, skip_serializing_if = "Option::is_none", rename = "intervalSeconds")] + pub interval_seconds: Option, + /// HTTP endpoint used to perform health checks on upstream service + pub path: String, + /// The time to wait (seconds) for a health check response + #[serde(default, skip_serializing_if = "Option::is_none", rename = "timeoutSeconds")] + pub timeout_seconds: Option, + /// The number of unhealthy health checks required before a host is marked unhealthy + #[serde(default, skip_serializing_if = "Option::is_none", rename = "unhealthyThresholdCount")] + pub unhealthy_threshold_count: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesHealthCheckPolicyExpectedStatuses { + /// The end (exclusive) of a range of HTTP status codes. + pub end: i64, + /// The start (inclusive) of a range of HTTP status codes. + pub start: i64, +} + +/// The policy to define when to handle redirects responses internally. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesInternalRedirectPolicy { + /// AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + /// than the value of x-forwarded-proto. + /// SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + /// scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + /// is HTTP, only HTTP redirect targets are allowed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowCrossSchemeRedirect")] + pub allow_cross_scheme_redirect: Option, + /// If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + /// been followed by a previous redirect from the current route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "denyRepeatedRouteRedirect")] + pub deny_repeated_route_redirect: Option, + /// MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + /// redirects that a downstream request has encountered is lower than this value. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxInternalRedirects")] + pub max_internal_redirects: Option, + /// RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + /// Only 301, 302, 303, 307 and 308 are valid values. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "redirectResponseCodes")] + pub redirect_response_codes: Option>, +} + +/// The policy to define when to handle redirects responses internally. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesInternalRedirectPolicyAllowCrossSchemeRedirect { + Always, + Never, + SafeOnly, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesIpAllowPolicy { + /// CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + /// a bare IP address (without a mask) to filter on exactly one address. + pub cidr: String, + /// Source indicates how to determine the ip address to filter on, and can be + /// one of two values: + /// - `Remote` filters on the ip address of the client, accounting for PROXY and + /// X-Forwarded-For as needed. + /// - `Peer` filters on the ip of the network request, ignoring PROXY and + /// X-Forwarded-For. + pub source: HTTPProxyRoutesIpAllowPolicySource, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesIpAllowPolicySource { + Peer, + Remote, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesIpDenyPolicy { + /// CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + /// a bare IP address (without a mask) to filter on exactly one address. + pub cidr: String, + /// Source indicates how to determine the ip address to filter on, and can be + /// one of two values: + /// - `Remote` filters on the ip address of the client, accounting for PROXY and + /// X-Forwarded-For as needed. + /// - `Peer` filters on the ip of the network request, ignoring PROXY and + /// X-Forwarded-For. + pub source: HTTPProxyRoutesIpDenyPolicySource, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesIpDenyPolicySource { + Peer, + Remote, +} + +/// The policy for verifying JWTs for requests to this route. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesJwtVerificationPolicy { + /// Disabled defines whether to disable all JWT verification for this + /// route. This can be used to opt specific routes out of the default + /// JWT provider for the HTTPProxy. At most one of this field or the + /// "require" field can be specified. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, + /// Require names a specific JWT provider (defined in the virtual host) + /// to require for the route. If specified, this field overrides the + /// default provider if one exists. If this field is not specified, + /// the default provider will be required if one exists. At most one of + /// this field or the "disabled" field can be specified. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub require: Option, +} + +/// The load balancing policy for this route. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesLoadBalancerPolicy { + /// RequestHashPolicies contains a list of hash policies to apply when the + /// `RequestHash` load balancing strategy is chosen. If an element of the + /// supplied list of hash policies is invalid, it will be ignored. If the + /// list of hash policies is empty after validation, the load balancing + /// strategy will fall back to the default `RoundRobin`. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHashPolicies")] + pub request_hash_policies: Option>, + /// Strategy specifies the policy used to balance requests + /// across the pool of backend pods. Valid policy names are + /// `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + /// and `RequestHash`. If an unknown strategy name is specified + /// or no policy is supplied, the default `RoundRobin` policy + /// is used. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub strategy: Option, +} + +/// RequestHashPolicy contains configuration for an individual hash policy +/// on a request attribute. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesLoadBalancerPolicyRequestHashPolicies { + /// HashSourceIP should be set to true when request source IP hash based + /// load balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "hashSourceIP")] + pub hash_source_ip: Option, + /// HeaderHashOptions should be set when request header hash based load + /// balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerHashOptions")] + pub header_hash_options: Option, + /// QueryParameterHashOptions should be set when request query parameter hash based load + /// balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryParameterHashOptions")] + pub query_parameter_hash_options: Option, + /// Terminal is a flag that allows for short-circuiting computing of a hash + /// for a given request. If set to true, and the request attribute specified + /// in the attribute hash options is present, no further hash policies will + /// be used to calculate a hash for the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub terminal: Option, +} + +/// HeaderHashOptions should be set when request header hash based load +/// balancing is desired. It must be the only hash option field set, +/// otherwise this request hash policy object will be ignored. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesLoadBalancerPolicyRequestHashPoliciesHeaderHashOptions { + /// HeaderName is the name of the HTTP request header that will be used to + /// calculate the hash key. If the header specified is not present on a + /// request, no hash will be produced. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] + pub header_name: Option, +} + +/// QueryParameterHashOptions should be set when request query parameter hash based load +/// balancing is desired. It must be the only hash option field set, +/// otherwise this request hash policy object will be ignored. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesLoadBalancerPolicyRequestHashPoliciesQueryParameterHashOptions { + /// ParameterName is the name of the HTTP request query parameter that will be used to + /// calculate the hash key. If the query parameter specified is not present on a + /// request, no hash will be produced. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "parameterName")] + pub parameter_name: Option, +} + +/// The policy for rewriting the path of the request URL +/// after the request has been routed to a Service. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesPathRewritePolicy { + /// ReplacePrefix describes how the path prefix should be replaced. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "replacePrefix")] + pub replace_prefix: Option>, +} + +/// ReplacePrefix describes a path prefix replacement. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesPathRewritePolicyReplacePrefix { + /// Prefix specifies the URL path prefix to be replaced. + /// If Prefix is specified, it must exactly match the MatchCondition + /// prefix that is rendered by the chain of including HTTPProxies + /// and only that path prefix will be replaced by Replacement. + /// This allows HTTPProxies that are included through multiple + /// roots to only replace specific path prefixes, leaving others + /// unmodified. + /// If Prefix is not specified, all routing prefixes rendered + /// by the include chain will be replaced. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, + /// Replacement is the string that the routing path prefix + /// will be replaced with. This must not be empty. + pub replacement: String, +} + +/// The policy for rate limiting on the route. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicy { + /// Global defines global rate limiting parameters, i.e. parameters + /// defining descriptors that are sent to an external rate limit + /// service (RLS) for a rate limit decision on each request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub global: Option, + /// Local defines local rate limiting parameters, i.e. parameters + /// for rate limiting that occurs within each Envoy pod as requests + /// are handled. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub local: Option, +} + +/// Global defines global rate limiting parameters, i.e. parameters +/// defining descriptors that are sent to an external rate limit +/// service (RLS) for a rate limit decision on each request. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobal { + /// Descriptors defines the list of descriptors that will + /// be generated and sent to the rate limit service. Each + /// descriptor contains 1+ key-value pair entries. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub descriptors: Option>, + /// Disabled configures the HTTPProxy to not use + /// the default global rate limit policy defined by the Contour configuration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// RateLimitDescriptor defines a list of key-value pair generators. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptors { + /// Entries is the list of key-value pair generators. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub entries: Option>, +} + +/// RateLimitDescriptorEntry is a key-value pair generator. Exactly +/// one field on this struct must be non-nil. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntries { + /// GenericKey defines a descriptor entry with a static key and value. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "genericKey")] + pub generic_key: Option, + /// RemoteAddress defines a descriptor entry with a key of "remote_address" + /// and a value equal to the client's IP address (from x-forwarded-for). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteAddress")] + pub remote_address: Option, + /// RequestHeader defines a descriptor entry that's populated only if + /// a given header is present on the request. The descriptor key is static, + /// and the descriptor value is equal to the value of the header. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeader")] + pub request_header: Option, + /// RequestHeaderValueMatch defines a descriptor entry that's populated + /// if the request's headers match a set of 1+ match criteria. The + /// descriptor key is "header_match", and the descriptor value is static. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaderValueMatch")] + pub request_header_value_match: Option, +} + +/// GenericKey defines a descriptor entry with a static key and value. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesGenericKey { + /// Key defines the key of the descriptor entry. If not set, the + /// key is set to "generic_key". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// RemoteAddress defines a descriptor entry with a key of "remote_address" +/// and a value equal to the client's IP address (from x-forwarded-for). +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesRemoteAddress { +} + +/// RequestHeader defines a descriptor entry that's populated only if +/// a given header is present on the request. The descriptor key is static, +/// and the descriptor value is equal to the value of the header. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesRequestHeader { + /// DescriptorKey defines the key to use on the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] + pub descriptor_key: Option, + /// HeaderName defines the name of the header to look for on the request. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] + pub header_name: Option, +} + +/// RequestHeaderValueMatch defines a descriptor entry that's populated +/// if the request's headers match a set of 1+ match criteria. The +/// descriptor key is "header_match", and the descriptor value is static. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesRequestHeaderValueMatch { + /// ExpectMatch defines whether the request must positively match the match + /// criteria in order to generate a descriptor entry (i.e. true), or not + /// match the match criteria in order to generate a descriptor entry (i.e. false). + /// The default is true. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "expectMatch")] + pub expect_match: Option, + /// Headers is a list of 1+ match criteria to apply against the request + /// to determine whether to populate the descriptor entry or not. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HeaderMatchCondition specifies how to conditionally match against HTTP +/// headers. The Name field is required, only one of Present, NotPresent, +/// Contains, NotContains, Exact, NotExact and Regex can be set. +/// For negative matching rules only (e.g. NotContains or NotExact) you can set +/// TreatMissingAsEmpty. +/// IgnoreCase has no effect for Regex. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyGlobalDescriptorsEntriesRequestHeaderValueMatchHeaders { + /// Contains specifies a substring that must be present in + /// the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the header value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the header to match against. Name is required. + /// Header names are case insensitive. + pub name: String, + /// NotContains specifies a substring that must not be present + /// in the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notcontains: Option, + /// NoExact specifies a string that the header value must not be + /// equal to. The condition is true if the header has any other value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notexact: Option, + /// NotPresent specifies that condition is true when the named header + /// is not present. Note that setting NotPresent to false does not + /// make the condition true if the named header is present. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notpresent: Option, + /// Present specifies that condition is true when the named header + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named header + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the header + /// value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// TreatMissingAsEmpty specifies if the header match rule specified header + /// does not exist, this header value will be treated as empty. Defaults to false. + /// Unlike the underlying Envoy implementation this is **only** supported for + /// negative matches (e.g. NotContains, NotExact). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "treatMissingAsEmpty")] + pub treat_missing_as_empty: Option, +} + +/// Local defines local rate limiting parameters, i.e. parameters +/// for rate limiting that occurs within each Envoy pod as requests +/// are handled. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyLocal { + /// Burst defines the number of requests above the requests per + /// unit that should be allowed within a short period of time. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub burst: Option, + /// Requests defines how many requests per unit of time should + /// be allowed before rate limiting occurs. + pub requests: i32, + /// ResponseHeadersToAdd is an optional list of response headers to + /// set when a request is rate-limited. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseHeadersToAdd")] + pub response_headers_to_add: Option>, + /// ResponseStatusCode is the HTTP status code to use for responses + /// to rate-limited requests. Codes must be in the 400-599 range + /// (inclusive). If not specified, the Envoy default of 429 (Too + /// Many Requests) is used. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseStatusCode")] + pub response_status_code: Option, + /// Unit defines the period of time within which requests + /// over the limit will be rate limited. Valid values are + /// "second", "minute" and "hour". + pub unit: HTTPProxyRoutesRateLimitPolicyLocalUnit, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRateLimitPolicyLocalResponseHeadersToAdd { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// Local defines local rate limiting parameters, i.e. parameters +/// for rate limiting that occurs within each Envoy pod as requests +/// are handled. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesRateLimitPolicyLocalUnit { + #[serde(rename = "second")] + Second, + #[serde(rename = "minute")] + Minute, + #[serde(rename = "hour")] + Hour, +} + +/// The policy for managing request headers during proxying. +/// You may dynamically rewrite the Host header to be forwarded +/// upstream to the content of a request header using +/// the below format "%REQ(X-Header-Name)%". If the value of the header +/// is empty, it is ignored. +/// *NOTE: Pay attention to the potential security implications of using this option. +/// Provided header must come from trusted source. +/// **NOTE: The header rewrite is only done while forwarding and has no bearing +/// on the routing decision. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRequestHeadersPolicy { + /// Remove specifies a list of HTTP header names to remove. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + /// Set specifies a list of HTTP header values that will be set in the HTTP header. + /// If the header does not exist it will be added, otherwise it will be overwritten with the new value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRequestHeadersPolicySet { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// RequestRedirectPolicy defines an HTTP redirection. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRequestRedirectPolicy { + /// Hostname is the precise hostname to be used in the value of the `Location` + /// header in the response. + /// When empty, the hostname of the request is used. + /// No wildcards are allowed. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hostname: Option, + /// Path allows for redirection to a different path from the + /// original on the request. The path must start with a + /// leading slash. + /// Note: Only one of Path or Prefix can be defined. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub path: Option, + /// Port is the port to be used in the value of the `Location` + /// header in the response. + /// When empty, port (if specified) of the request is used. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// Prefix defines the value to swap the matched prefix or path with. + /// The prefix must start with a leading slash. + /// Note: Only one of Path or Prefix can be defined. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prefix: Option, + /// Scheme is the scheme to be used in the value of the `Location` + /// header in the response. + /// When empty, the scheme of the request is used. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub scheme: Option, + /// StatusCode is the HTTP status code to be used in response. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "statusCode")] + pub status_code: Option, +} + +/// RequestRedirectPolicy defines an HTTP redirection. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesRequestRedirectPolicyScheme { + #[serde(rename = "http")] + Http, + #[serde(rename = "https")] + Https, +} + +/// RequestRedirectPolicy defines an HTTP redirection. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesRequestRedirectPolicyStatusCode { + #[serde(rename = "301")] + r#_301, + #[serde(rename = "302")] + r#_302, +} + +/// The policy for managing response headers during proxying. +/// Rewriting the 'Host' header is not supported. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesResponseHeadersPolicy { + /// Remove specifies a list of HTTP header names to remove. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + /// Set specifies a list of HTTP header values that will be set in the HTTP header. + /// If the header does not exist it will be added, otherwise it will be overwritten with the new value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesResponseHeadersPolicySet { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// The retry policy for this route. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesRetryPolicy { + /// NumRetries is maximum allowed number of retries. + /// If set to -1, then retries are disabled. + /// If set to 0 or not supplied, the value is set + /// to the Envoy default of 1. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub count: Option, + /// PerTryTimeout specifies the timeout per retry attempt. + /// Ignored if NumRetries is not supplied. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "perTryTimeout")] + pub per_try_timeout: Option, + /// RetriableStatusCodes specifies the HTTP status codes that should be retried. + /// This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "retriableStatusCodes")] + pub retriable_status_codes: Option>, + /// RetryOn specifies the conditions on which to retry a request. + /// Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + /// - `5xx` + /// - `gateway-error` + /// - `reset` + /// - `connect-failure` + /// - `retriable-4xx` + /// - `refused-stream` + /// - `retriable-status-codes` + /// - `retriable-headers` + /// Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + /// - `cancelled` + /// - `deadline-exceeded` + /// - `internal` + /// - `resource-exhausted` + /// - `unavailable` + #[serde(default, skip_serializing_if = "Option::is_none", rename = "retryOn")] + pub retry_on: Option>, +} + +/// Service defines an Kubernetes Service to proxy traffic. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServices { + /// The policies for rewriting Set-Cookie header attributes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cookieRewritePolicies")] + pub cookie_rewrite_policies: Option>, + /// HealthPort is the port for this service healthcheck. + /// If not specified, Port is used for service healthchecks. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "healthPort")] + pub health_port: Option, + /// If Mirror is true the Service will receive a read only mirror of the traffic for this route. + /// If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + /// field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + /// NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + /// occurs since we cannot distinguish omitted fields from those explicitly set to their default + /// values + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mirror: Option, + /// Name is the name of Kubernetes service to proxy traffic. + /// Names defined here will be used to look up corresponding endpoints which contain the ips to route. + pub name: String, + /// Port (defined as Integer) to proxy traffic to since a service can have multiple defined. + pub port: i64, + /// Protocol may be used to specify (or override) the protocol used to reach this Service. + /// Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocol: Option, + /// The policy for managing request headers during proxying. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeadersPolicy")] + pub request_headers_policy: Option, + /// The policy for managing response headers during proxying. + /// Rewriting the 'Host' header is not supported. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseHeadersPolicy")] + pub response_headers_policy: Option, + /// Slow start will gradually increase amount of traffic to a newly added endpoint. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "slowStartPolicy")] + pub slow_start_policy: Option, + /// UpstreamValidation defines how to verify the backend service's certificate + #[serde(default, skip_serializing_if = "Option::is_none")] + pub validation: Option, + /// Weight defines percentage of traffic to balance traffic + #[serde(default, skip_serializing_if = "Option::is_none")] + pub weight: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesCookieRewritePolicies { + /// DomainRewrite enables rewriting the Set-Cookie Domain element. + /// If not set, Domain will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "domainRewrite")] + pub domain_rewrite: Option, + /// Name is the name of the cookie for which attributes will be rewritten. + pub name: String, + /// PathRewrite enables rewriting the Set-Cookie Path element. + /// If not set, Path will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "pathRewrite")] + pub path_rewrite: Option, + /// SameSite enables rewriting the Set-Cookie SameSite element. + /// If not set, SameSite attribute will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sameSite")] + pub same_site: Option, + /// Secure enables rewriting the Set-Cookie Secure element. + /// If not set, Secure attribute will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub secure: Option, +} + +/// DomainRewrite enables rewriting the Set-Cookie Domain element. +/// If not set, Domain will not be rewritten. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesCookieRewritePoliciesDomainRewrite { + /// Value is the value to rewrite the Domain attribute to. + /// For now this is required. + pub value: String, +} + +/// PathRewrite enables rewriting the Set-Cookie Path element. +/// If not set, Path will not be rewritten. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesCookieRewritePoliciesPathRewrite { + /// Value is the value to rewrite the Path attribute to. + /// For now this is required. + pub value: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesServicesCookieRewritePoliciesSameSite { + Strict, + Lax, + None, +} + +/// Service defines an Kubernetes Service to proxy traffic. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyRoutesServicesProtocol { + #[serde(rename = "h2")] + H2, + #[serde(rename = "h2c")] + H2c, + #[serde(rename = "tls")] + Tls, +} + +/// The policy for managing request headers during proxying. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesRequestHeadersPolicy { + /// Remove specifies a list of HTTP header names to remove. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + /// Set specifies a list of HTTP header values that will be set in the HTTP header. + /// If the header does not exist it will be added, otherwise it will be overwritten with the new value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesRequestHeadersPolicySet { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// The policy for managing response headers during proxying. +/// Rewriting the 'Host' header is not supported. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesResponseHeadersPolicy { + /// Remove specifies a list of HTTP header names to remove. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + /// Set specifies a list of HTTP header values that will be set in the HTTP header. + /// If the header does not exist it will be added, otherwise it will be overwritten with the new value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesResponseHeadersPolicySet { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// Slow start will gradually increase amount of traffic to a newly added endpoint. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesSlowStartPolicy { + /// The speed of traffic increase over the slow start window. + /// Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + /// When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + /// The value of aggression parameter should be greater than 0.0. + /// More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start + #[serde(default, skip_serializing_if = "Option::is_none")] + pub aggression: Option, + /// The minimum or starting percentage of traffic to send to new endpoints. + /// A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + /// If not specified, the default is 10%. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "minWeightPercent")] + pub min_weight_percent: Option, + /// The duration of slow start window. + /// Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + /// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + pub window: String, +} + +/// UpstreamValidation defines how to verify the backend service's certificate +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesServicesValidation { + /// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + /// The secret must contain key named ca.crt. + /// The name can be optionally prefixed with namespace "namespace/name". + /// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + /// Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + #[serde(rename = "caSecret")] + pub ca_secret: String, + /// Key which is expected to be present in the 'subjectAltName' of the presented certificate. + /// Deprecated: migrate to using the plural field subjectNames. + #[serde(rename = "subjectName")] + pub subject_name: String, + /// List of keys, of which at least one is expected to be present in the 'subjectAltName of the + /// presented certificate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "subjectNames")] + pub subject_names: Option>, +} + +/// The timeout policy for this route. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyRoutesTimeoutPolicy { + /// Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + /// Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + /// If not specified, there is no per-route idle timeout, though a connection manager-wide + /// stream_idle_timeout default of 5m still applies. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub idle: Option, + /// Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + /// If not supplied, Envoy's default value of 1h applies. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "idleConnection")] + pub idle_connection: Option, + /// Timeout for receiving a response from the server after processing a request from client. + /// If not supplied, Envoy's default value of 15s applies. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub response: Option, +} + +/// TCPProxy holds TCP proxy information. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxy { + /// The health check policy for this tcp proxy + #[serde(default, skip_serializing_if = "Option::is_none", rename = "healthCheckPolicy")] + pub health_check_policy: Option, + /// Include specifies that this tcpproxy should be delegated to another HTTPProxy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include: Option, + /// IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + /// Exists due to a mistake when developing HTTPProxy and the field was marked plural + /// when it should have been singular. This field should stay to not break backwards compatibility to v1 users. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub includes: Option, + /// The load balancing policy for the backend services. Note that the + /// `Cookie` and `RequestHash` load balancing strategies cannot be used + /// here. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "loadBalancerPolicy")] + pub load_balancer_policy: Option, + /// Services are the services to proxy traffic + #[serde(default, skip_serializing_if = "Option::is_none")] + pub services: Option>, +} + +/// The health check policy for this tcp proxy +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyHealthCheckPolicy { + /// The number of healthy health checks required before a host is marked healthy + #[serde(default, skip_serializing_if = "Option::is_none", rename = "healthyThresholdCount")] + pub healthy_threshold_count: Option, + /// The interval (seconds) between health checks + #[serde(default, skip_serializing_if = "Option::is_none", rename = "intervalSeconds")] + pub interval_seconds: Option, + /// The time to wait (seconds) for a health check response + #[serde(default, skip_serializing_if = "Option::is_none", rename = "timeoutSeconds")] + pub timeout_seconds: Option, + /// The number of unhealthy health checks required before a host is marked unhealthy + #[serde(default, skip_serializing_if = "Option::is_none", rename = "unhealthyThresholdCount")] + pub unhealthy_threshold_count: Option, +} + +/// Include specifies that this tcpproxy should be delegated to another HTTPProxy. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyInclude { + /// Name of the child HTTPProxy + pub name: String, + /// Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +/// IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. +/// Exists due to a mistake when developing HTTPProxy and the field was marked plural +/// when it should have been singular. This field should stay to not break backwards compatibility to v1 users. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyIncludes { + /// Name of the child HTTPProxy + pub name: String, + /// Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +/// The load balancing policy for the backend services. Note that the +/// `Cookie` and `RequestHash` load balancing strategies cannot be used +/// here. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyLoadBalancerPolicy { + /// RequestHashPolicies contains a list of hash policies to apply when the + /// `RequestHash` load balancing strategy is chosen. If an element of the + /// supplied list of hash policies is invalid, it will be ignored. If the + /// list of hash policies is empty after validation, the load balancing + /// strategy will fall back to the default `RoundRobin`. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHashPolicies")] + pub request_hash_policies: Option>, + /// Strategy specifies the policy used to balance requests + /// across the pool of backend pods. Valid policy names are + /// `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + /// and `RequestHash`. If an unknown strategy name is specified + /// or no policy is supplied, the default `RoundRobin` policy + /// is used. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub strategy: Option, +} + +/// RequestHashPolicy contains configuration for an individual hash policy +/// on a request attribute. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyLoadBalancerPolicyRequestHashPolicies { + /// HashSourceIP should be set to true when request source IP hash based + /// load balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "hashSourceIP")] + pub hash_source_ip: Option, + /// HeaderHashOptions should be set when request header hash based load + /// balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerHashOptions")] + pub header_hash_options: Option, + /// QueryParameterHashOptions should be set when request query parameter hash based load + /// balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryParameterHashOptions")] + pub query_parameter_hash_options: Option, + /// Terminal is a flag that allows for short-circuiting computing of a hash + /// for a given request. If set to true, and the request attribute specified + /// in the attribute hash options is present, no further hash policies will + /// be used to calculate a hash for the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub terminal: Option, +} + +/// HeaderHashOptions should be set when request header hash based load +/// balancing is desired. It must be the only hash option field set, +/// otherwise this request hash policy object will be ignored. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyLoadBalancerPolicyRequestHashPoliciesHeaderHashOptions { + /// HeaderName is the name of the HTTP request header that will be used to + /// calculate the hash key. If the header specified is not present on a + /// request, no hash will be produced. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] + pub header_name: Option, +} + +/// QueryParameterHashOptions should be set when request query parameter hash based load +/// balancing is desired. It must be the only hash option field set, +/// otherwise this request hash policy object will be ignored. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyLoadBalancerPolicyRequestHashPoliciesQueryParameterHashOptions { + /// ParameterName is the name of the HTTP request query parameter that will be used to + /// calculate the hash key. If the query parameter specified is not present on a + /// request, no hash will be produced. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "parameterName")] + pub parameter_name: Option, +} + +/// Service defines an Kubernetes Service to proxy traffic. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServices { + /// The policies for rewriting Set-Cookie header attributes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cookieRewritePolicies")] + pub cookie_rewrite_policies: Option>, + /// HealthPort is the port for this service healthcheck. + /// If not specified, Port is used for service healthchecks. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "healthPort")] + pub health_port: Option, + /// If Mirror is true the Service will receive a read only mirror of the traffic for this route. + /// If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + /// field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + /// NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + /// occurs since we cannot distinguish omitted fields from those explicitly set to their default + /// values + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mirror: Option, + /// Name is the name of Kubernetes service to proxy traffic. + /// Names defined here will be used to look up corresponding endpoints which contain the ips to route. + pub name: String, + /// Port (defined as Integer) to proxy traffic to since a service can have multiple defined. + pub port: i64, + /// Protocol may be used to specify (or override) the protocol used to reach this Service. + /// Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocol: Option, + /// The policy for managing request headers during proxying. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeadersPolicy")] + pub request_headers_policy: Option, + /// The policy for managing response headers during proxying. + /// Rewriting the 'Host' header is not supported. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseHeadersPolicy")] + pub response_headers_policy: Option, + /// Slow start will gradually increase amount of traffic to a newly added endpoint. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "slowStartPolicy")] + pub slow_start_policy: Option, + /// UpstreamValidation defines how to verify the backend service's certificate + #[serde(default, skip_serializing_if = "Option::is_none")] + pub validation: Option, + /// Weight defines percentage of traffic to balance traffic + #[serde(default, skip_serializing_if = "Option::is_none")] + pub weight: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesCookieRewritePolicies { + /// DomainRewrite enables rewriting the Set-Cookie Domain element. + /// If not set, Domain will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "domainRewrite")] + pub domain_rewrite: Option, + /// Name is the name of the cookie for which attributes will be rewritten. + pub name: String, + /// PathRewrite enables rewriting the Set-Cookie Path element. + /// If not set, Path will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "pathRewrite")] + pub path_rewrite: Option, + /// SameSite enables rewriting the Set-Cookie SameSite element. + /// If not set, SameSite attribute will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sameSite")] + pub same_site: Option, + /// Secure enables rewriting the Set-Cookie Secure element. + /// If not set, Secure attribute will not be rewritten. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub secure: Option, +} + +/// DomainRewrite enables rewriting the Set-Cookie Domain element. +/// If not set, Domain will not be rewritten. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesCookieRewritePoliciesDomainRewrite { + /// Value is the value to rewrite the Domain attribute to. + /// For now this is required. + pub value: String, +} + +/// PathRewrite enables rewriting the Set-Cookie Path element. +/// If not set, Path will not be rewritten. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesCookieRewritePoliciesPathRewrite { + /// Value is the value to rewrite the Path attribute to. + /// For now this is required. + pub value: String, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyTcpproxyServicesCookieRewritePoliciesSameSite { + Strict, + Lax, + None, +} + +/// Service defines an Kubernetes Service to proxy traffic. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyTcpproxyServicesProtocol { + #[serde(rename = "h2")] + H2, + #[serde(rename = "h2c")] + H2c, + #[serde(rename = "tls")] + Tls, +} + +/// The policy for managing request headers during proxying. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesRequestHeadersPolicy { + /// Remove specifies a list of HTTP header names to remove. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + /// Set specifies a list of HTTP header values that will be set in the HTTP header. + /// If the header does not exist it will be added, otherwise it will be overwritten with the new value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesRequestHeadersPolicySet { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// The policy for managing response headers during proxying. +/// Rewriting the 'Host' header is not supported. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesResponseHeadersPolicy { + /// Remove specifies a list of HTTP header names to remove. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + /// Set specifies a list of HTTP header values that will be set in the HTTP header. + /// If the header does not exist it will be added, otherwise it will be overwritten with the new value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesResponseHeadersPolicySet { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// Slow start will gradually increase amount of traffic to a newly added endpoint. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesSlowStartPolicy { + /// The speed of traffic increase over the slow start window. + /// Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + /// When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + /// The value of aggression parameter should be greater than 0.0. + /// More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start + #[serde(default, skip_serializing_if = "Option::is_none")] + pub aggression: Option, + /// The minimum or starting percentage of traffic to send to new endpoints. + /// A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + /// If not specified, the default is 10%. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "minWeightPercent")] + pub min_weight_percent: Option, + /// The duration of slow start window. + /// Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + /// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + pub window: String, +} + +/// UpstreamValidation defines how to verify the backend service's certificate +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyTcpproxyServicesValidation { + /// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + /// The secret must contain key named ca.crt. + /// The name can be optionally prefixed with namespace "namespace/name". + /// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + /// Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + #[serde(rename = "caSecret")] + pub ca_secret: String, + /// Key which is expected to be present in the 'subjectAltName' of the presented certificate. + /// Deprecated: migrate to using the plural field subjectNames. + #[serde(rename = "subjectName")] + pub subject_name: String, + /// List of keys, of which at least one is expected to be present in the 'subjectAltName of the + /// presented certificate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "subjectNames")] + pub subject_names: Option>, +} + +/// Virtualhost appears at most once. If it is present, the object is considered +/// to be a "root" HTTPProxy. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhost { + /// This field configures an extension service to perform + /// authorization for this virtual host. Authorization can + /// only be configured on virtual hosts that have TLS enabled. + /// If the TLS configuration requires client certificate + /// validation, the client certificate is always included in the + /// authentication check request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authorization: Option, + /// Specifies the cross-origin policy to apply to the VirtualHost. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "corsPolicy")] + pub cors_policy: Option, + /// The fully qualified domain name of the root of the ingress tree + /// all leaves of the DAG rooted at this object relate to the fqdn. + pub fqdn: String, + /// IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + /// requests should be allowed. All other requests will be denied. + /// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + /// The rules defined here may be overridden in a Route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipAllowPolicy")] + pub ip_allow_policy: Option>, + /// IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + /// requests should be denied. All other requests will be allowed. + /// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + /// The rules defined here may be overridden in a Route. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipDenyPolicy")] + pub ip_deny_policy: Option>, + /// Providers to use for verifying JSON Web Tokens (JWTs) on the virtual host. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "jwtProviders")] + pub jwt_providers: Option>, + /// The policy for rate limiting on the virtual host. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rateLimitPolicy")] + pub rate_limit_policy: Option, + /// If present the fields describes TLS properties of the virtual + /// host. The SNI names that will be matched on are described in fqdn, + /// the tls.secretName secret must contain a certificate that itself + /// contains a name that matches the FQDN. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, +} + +/// This field configures an extension service to perform +/// authorization for this virtual host. Authorization can +/// only be configured on virtual hosts that have TLS enabled. +/// If the TLS configuration requires client certificate +/// validation, the client certificate is always included in the +/// authentication check request. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostAuthorization { + /// AuthPolicy sets a default authorization policy for client requests. + /// This policy will be used unless overridden by individual routes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authPolicy")] + pub auth_policy: Option, + /// ExtensionServiceRef specifies the extension resource that will authorize client requests. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extensionRef")] + pub extension_ref: Option, + /// If FailOpen is true, the client request is forwarded to the upstream service + /// even if the authorization server fails to respond. This field should not be + /// set in most cases. It is intended for use only while migrating applications + /// from internal authorization to Contour external authorization. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "failOpen")] + pub fail_open: Option, + /// ResponseTimeout configures maximum time to wait for a check response from the authorization server. + /// Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + /// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + /// The string "infinity" is also a valid input and specifies no timeout. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseTimeout")] + pub response_timeout: Option, + /// WithRequestBody specifies configuration for sending the client request's body to authorization server. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "withRequestBody")] + pub with_request_body: Option, +} + +/// AuthPolicy sets a default authorization policy for client requests. +/// This policy will be used unless overridden by individual routes. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostAuthorizationAuthPolicy { + /// Context is a set of key/value pairs that are sent to the + /// authentication server in the check request. If a context + /// is provided at an enclosing scope, the entries are merged + /// such that the inner scope overrides matching keys from the + /// outer scope. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub context: Option>, + /// When true, this field disables client request authentication + /// for the scope of the policy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// ExtensionServiceRef specifies the extension resource that will authorize client requests. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostAuthorizationExtensionRef { + /// API version of the referent. + /// If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiVersion")] + pub api_version: Option, + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// Namespace of the referent. + /// If this field is not specifies, the namespace of the resource that targets the referent will be used. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +/// WithRequestBody specifies configuration for sending the client request's body to authorization server. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostAuthorizationWithRequestBody { + /// If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowPartialMessage")] + pub allow_partial_message: Option, + /// MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestBytes")] + pub max_request_bytes: Option, + /// If PackAsBytes is true, the body sent to Authorization Server is in raw bytes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "packAsBytes")] + pub pack_as_bytes: Option, +} + +/// Specifies the cross-origin policy to apply to the VirtualHost. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostCorsPolicy { + /// Specifies whether the resource allows credentials. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowCredentials")] + pub allow_credentials: Option, + /// AllowHeaders specifies the content for the *access-control-allow-headers* header. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowHeaders")] + pub allow_headers: Option>, + /// AllowMethods specifies the content for the *access-control-allow-methods* header. + #[serde(rename = "allowMethods")] + pub allow_methods: Vec, + /// AllowOrigin specifies the origins that will be allowed to do CORS requests. + /// Allowed values include "*" which signifies any origin is allowed, an exact + /// origin of the form "scheme://host[:port]" (where port is optional), or a valid + /// regex pattern. + /// Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + /// will be rejected or produce unexpected matches when applied as a regex. + #[serde(rename = "allowOrigin")] + pub allow_origin: Vec, + /// AllowPrivateNetwork specifies whether to allow private network requests. + /// See https://developer.chrome.com/blog/private-network-access-preflight. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowPrivateNetwork")] + pub allow_private_network: Option, + /// ExposeHeaders Specifies the content for the *access-control-expose-headers* header. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "exposeHeaders")] + pub expose_headers: Option>, + /// MaxAge indicates for how long the results of a preflight request can be cached. + /// MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + /// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + /// Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + /// check for all cross-origin requests. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxAge")] + pub max_age: Option, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostIpAllowPolicy { + /// CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + /// a bare IP address (without a mask) to filter on exactly one address. + pub cidr: String, + /// Source indicates how to determine the ip address to filter on, and can be + /// one of two values: + /// - `Remote` filters on the ip address of the client, accounting for PROXY and + /// X-Forwarded-For as needed. + /// - `Peer` filters on the ip of the network request, ignoring PROXY and + /// X-Forwarded-For. + pub source: HTTPProxyVirtualhostIpAllowPolicySource, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyVirtualhostIpAllowPolicySource { + Peer, + Remote, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostIpDenyPolicy { + /// CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + /// a bare IP address (without a mask) to filter on exactly one address. + pub cidr: String, + /// Source indicates how to determine the ip address to filter on, and can be + /// one of two values: + /// - `Remote` filters on the ip address of the client, accounting for PROXY and + /// X-Forwarded-For as needed. + /// - `Peer` filters on the ip of the network request, ignoring PROXY and + /// X-Forwarded-For. + pub source: HTTPProxyVirtualhostIpDenyPolicySource, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyVirtualhostIpDenyPolicySource { + Peer, + Remote, +} + +/// JWTProvider defines how to verify JWTs on requests. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostJwtProviders { + /// Audiences that JWTs are allowed to have in the "aud" field. + /// If not provided, JWT audiences are not checked. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub audiences: Option>, + /// Whether the provider should apply to all + /// routes in the HTTPProxy/its includes by + /// default. At most one provider can be marked + /// as the default. If no provider is marked + /// as the default, individual routes must explicitly + /// identify the provider they require. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub default: Option, + /// Whether the JWT should be forwarded to the backend + /// service after successful verification. By default, + /// the JWT is not forwarded. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "forwardJWT")] + pub forward_jwt: Option, + /// Issuer that JWTs are required to have in the "iss" field. + /// If not provided, JWT issuers are not checked. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub issuer: Option, + /// Unique name for the provider. + pub name: String, + /// Remote JWKS to use for verifying JWT signatures. + #[serde(rename = "remoteJWKS")] + pub remote_jwks: HTTPProxyVirtualhostJwtProvidersRemoteJwks, +} + +/// Remote JWKS to use for verifying JWT signatures. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostJwtProvidersRemoteJwks { + /// How long to cache the JWKS locally. If not specified, + /// Envoy's default of 5m applies. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cacheDuration")] + pub cache_duration: Option, + /// The DNS IP address resolution policy for the JWKS URI. + /// When configured as "v4", the DNS resolver will only perform a lookup + /// for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + /// will only perform a lookup for addresses in the IPv6 family. + /// If "all" is configured, the DNS resolver + /// will perform a lookup for addresses in both the IPv4 and IPv6 family. + /// If "auto" is configured, the DNS resolver will first perform a lookup + /// for addresses in the IPv6 family and fallback to a lookup for addresses + /// in the IPv4 family. If not specified, the Contour-wide setting defined + /// in the config file or ContourConfiguration applies (defaults to "auto"). + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsLookupFamily")] + pub dns_lookup_family: Option, + /// How long to wait for a response from the URI. + /// If not specified, a default of 1s applies. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub timeout: Option, + /// The URI for the JWKS. + pub uri: String, + /// UpstreamValidation defines how to verify the JWKS's TLS certificate. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub validation: Option, +} + +/// Remote JWKS to use for verifying JWT signatures. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyVirtualhostJwtProvidersRemoteJwksDnsLookupFamily { + #[serde(rename = "auto")] + Auto, + #[serde(rename = "v4")] + V4, + #[serde(rename = "v6")] + V6, +} + +/// UpstreamValidation defines how to verify the JWKS's TLS certificate. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostJwtProvidersRemoteJwksValidation { + /// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + /// The secret must contain key named ca.crt. + /// The name can be optionally prefixed with namespace "namespace/name". + /// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + /// Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + #[serde(rename = "caSecret")] + pub ca_secret: String, + /// Key which is expected to be present in the 'subjectAltName' of the presented certificate. + /// Deprecated: migrate to using the plural field subjectNames. + #[serde(rename = "subjectName")] + pub subject_name: String, + /// List of keys, of which at least one is expected to be present in the 'subjectAltName of the + /// presented certificate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "subjectNames")] + pub subject_names: Option>, +} + +/// The policy for rate limiting on the virtual host. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicy { + /// Global defines global rate limiting parameters, i.e. parameters + /// defining descriptors that are sent to an external rate limit + /// service (RLS) for a rate limit decision on each request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub global: Option, + /// Local defines local rate limiting parameters, i.e. parameters + /// for rate limiting that occurs within each Envoy pod as requests + /// are handled. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub local: Option, +} + +/// Global defines global rate limiting parameters, i.e. parameters +/// defining descriptors that are sent to an external rate limit +/// service (RLS) for a rate limit decision on each request. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobal { + /// Descriptors defines the list of descriptors that will + /// be generated and sent to the rate limit service. Each + /// descriptor contains 1+ key-value pair entries. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub descriptors: Option>, + /// Disabled configures the HTTPProxy to not use + /// the default global rate limit policy defined by the Contour configuration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// RateLimitDescriptor defines a list of key-value pair generators. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptors { + /// Entries is the list of key-value pair generators. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub entries: Option>, +} + +/// RateLimitDescriptorEntry is a key-value pair generator. Exactly +/// one field on this struct must be non-nil. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntries { + /// GenericKey defines a descriptor entry with a static key and value. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "genericKey")] + pub generic_key: Option, + /// RemoteAddress defines a descriptor entry with a key of "remote_address" + /// and a value equal to the client's IP address (from x-forwarded-for). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteAddress")] + pub remote_address: Option, + /// RequestHeader defines a descriptor entry that's populated only if + /// a given header is present on the request. The descriptor key is static, + /// and the descriptor value is equal to the value of the header. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeader")] + pub request_header: Option, + /// RequestHeaderValueMatch defines a descriptor entry that's populated + /// if the request's headers match a set of 1+ match criteria. The + /// descriptor key is "header_match", and the descriptor value is static. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaderValueMatch")] + pub request_header_value_match: Option, +} + +/// GenericKey defines a descriptor entry with a static key and value. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesGenericKey { + /// Key defines the key of the descriptor entry. If not set, the + /// key is set to "generic_key". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// RemoteAddress defines a descriptor entry with a key of "remote_address" +/// and a value equal to the client's IP address (from x-forwarded-for). +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesRemoteAddress { +} + +/// RequestHeader defines a descriptor entry that's populated only if +/// a given header is present on the request. The descriptor key is static, +/// and the descriptor value is equal to the value of the header. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesRequestHeader { + /// DescriptorKey defines the key to use on the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] + pub descriptor_key: Option, + /// HeaderName defines the name of the header to look for on the request. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] + pub header_name: Option, +} + +/// RequestHeaderValueMatch defines a descriptor entry that's populated +/// if the request's headers match a set of 1+ match criteria. The +/// descriptor key is "header_match", and the descriptor value is static. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesRequestHeaderValueMatch { + /// ExpectMatch defines whether the request must positively match the match + /// criteria in order to generate a descriptor entry (i.e. true), or not + /// match the match criteria in order to generate a descriptor entry (i.e. false). + /// The default is true. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "expectMatch")] + pub expect_match: Option, + /// Headers is a list of 1+ match criteria to apply against the request + /// to determine whether to populate the descriptor entry or not. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HeaderMatchCondition specifies how to conditionally match against HTTP +/// headers. The Name field is required, only one of Present, NotPresent, +/// Contains, NotContains, Exact, NotExact and Regex can be set. +/// For negative matching rules only (e.g. NotContains or NotExact) you can set +/// TreatMissingAsEmpty. +/// IgnoreCase has no effect for Regex. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyGlobalDescriptorsEntriesRequestHeaderValueMatchHeaders { + /// Contains specifies a substring that must be present in + /// the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the header value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the header to match against. Name is required. + /// Header names are case insensitive. + pub name: String, + /// NotContains specifies a substring that must not be present + /// in the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notcontains: Option, + /// NoExact specifies a string that the header value must not be + /// equal to. The condition is true if the header has any other value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notexact: Option, + /// NotPresent specifies that condition is true when the named header + /// is not present. Note that setting NotPresent to false does not + /// make the condition true if the named header is present. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notpresent: Option, + /// Present specifies that condition is true when the named header + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named header + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the header + /// value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// TreatMissingAsEmpty specifies if the header match rule specified header + /// does not exist, this header value will be treated as empty. Defaults to false. + /// Unlike the underlying Envoy implementation this is **only** supported for + /// negative matches (e.g. NotContains, NotExact). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "treatMissingAsEmpty")] + pub treat_missing_as_empty: Option, +} + +/// Local defines local rate limiting parameters, i.e. parameters +/// for rate limiting that occurs within each Envoy pod as requests +/// are handled. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyLocal { + /// Burst defines the number of requests above the requests per + /// unit that should be allowed within a short period of time. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub burst: Option, + /// Requests defines how many requests per unit of time should + /// be allowed before rate limiting occurs. + pub requests: i32, + /// ResponseHeadersToAdd is an optional list of response headers to + /// set when a request is rate-limited. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseHeadersToAdd")] + pub response_headers_to_add: Option>, + /// ResponseStatusCode is the HTTP status code to use for responses + /// to rate-limited requests. Codes must be in the 400-599 range + /// (inclusive). If not specified, the Envoy default of 429 (Too + /// Many Requests) is used. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseStatusCode")] + pub response_status_code: Option, + /// Unit defines the period of time within which requests + /// over the limit will be rate limited. Valid values are + /// "second", "minute" and "hour". + pub unit: HTTPProxyVirtualhostRateLimitPolicyLocalUnit, +} + +/// HeaderValue represents a header name/value pair +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostRateLimitPolicyLocalResponseHeadersToAdd { + /// Name represents a key of a header + pub name: String, + /// Value represents the value of a header specified by a key + pub value: String, +} + +/// Local defines local rate limiting parameters, i.e. parameters +/// for rate limiting that occurs within each Envoy pod as requests +/// are handled. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyVirtualhostRateLimitPolicyLocalUnit { + #[serde(rename = "second")] + Second, + #[serde(rename = "minute")] + Minute, + #[serde(rename = "hour")] + Hour, +} + +/// If present the fields describes TLS properties of the virtual +/// host. The SNI names that will be matched on are described in fqdn, +/// the tls.secretName secret must contain a certificate that itself +/// contains a name that matches the FQDN. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostTls { + /// ClientValidation defines how to verify the client certificate + /// when an external client establishes a TLS connection to Envoy. + /// This setting: + /// 1. Enables TLS client certificate validation. + /// 2. Specifies how the client certificate will be validated (i.e. + /// validation required or skipped). + /// Note: Setting client certificate validation to be skipped should + /// be only used in conjunction with an external authorization server that + /// performs client validation as Contour will ensure client certificates + /// are passed along. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientValidation")] + pub client_validation: Option, + /// EnableFallbackCertificate defines if the vhost should allow a default certificate to + /// be applied which handles all requests which don't match the SNI defined in this vhost. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableFallbackCertificate")] + pub enable_fallback_certificate: Option, + /// MaximumProtocolVersion is the maximum TLS version this vhost should + /// negotiate. Valid options are `1.2` and `1.3` (default). Any other value + /// defaults to TLS 1.3. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maximumProtocolVersion")] + pub maximum_protocol_version: Option, + /// MinimumProtocolVersion is the minimum TLS version this vhost should + /// negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + /// defaults to TLS 1.2. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "minimumProtocolVersion")] + pub minimum_protocol_version: Option, + /// Passthrough defines whether the encrypted TLS handshake will be + /// passed through to the backing cluster. Either Passthrough or + /// SecretName must be specified, but not both. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub passthrough: Option, + /// SecretName is the name of a TLS secret. + /// Either SecretName or Passthrough must be specified, but not both. + /// If specified, the named secret must contain a matching certificate + /// for the virtual host's FQDN. + /// The name can be optionally prefixed with namespace "namespace/name". + /// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretName")] + pub secret_name: Option, +} + +/// ClientValidation defines how to verify the client certificate +/// when an external client establishes a TLS connection to Envoy. +/// This setting: +/// 1. Enables TLS client certificate validation. +/// 2. Specifies how the client certificate will be validated (i.e. +/// validation required or skipped). +/// Note: Setting client certificate validation to be skipped should +/// be only used in conjunction with an external authorization server that +/// performs client validation as Contour will ensure client certificates +/// are passed along. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostTlsClientValidation { + /// Name of a Kubernetes secret that contains a CA certificate bundle. + /// The secret must contain key named ca.crt. + /// The client certificate must validate against the certificates in the bundle. + /// If specified and SkipClientCertValidation is true, client certificates will + /// be required on requests. + /// The name can be optionally prefixed with namespace "namespace/name". + /// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "caSecret")] + pub ca_secret: Option, + /// If this option is set to true, only the certificate at the end of the + /// certificate chain will be subject to validation by CRL. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "crlOnlyVerifyLeafCert")] + pub crl_only_verify_leaf_cert: Option, + /// Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + /// The secret must contain key named crl.pem. + /// This field will be used to verify that a client certificate has not been revoked. + /// CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + /// Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + /// The name can be optionally prefixed with namespace "namespace/name". + /// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "crlSecret")] + pub crl_secret: Option, + /// ForwardClientCertificate adds the selected data from the passed client TLS certificate + /// to the x-forwarded-client-cert header. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "forwardClientCertificate")] + pub forward_client_certificate: Option, + /// OptionalClientCertificate when set to true will request a client certificate + /// but allow the connection to continue if the client does not provide one. + /// If a client certificate is sent, it will be verified according to the + /// other properties, which includes disabling validation if + /// SkipClientCertValidation is set. Defaults to false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "optionalClientCertificate")] + pub optional_client_certificate: Option, + /// SkipClientCertValidation disables downstream client certificate + /// validation. Defaults to false. This field is intended to be used in + /// conjunction with external authorization in order to enable the external + /// authorization server to validate client certificates. When this field + /// is set to true, client certificates are requested but not verified by + /// Envoy. If CACertificate is specified, client certificates are required on + /// requests, but not verified. If external authorization is in use, they are + /// presented to the external authorization server. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "skipClientCertValidation")] + pub skip_client_cert_validation: Option, +} + +/// ForwardClientCertificate adds the selected data from the passed client TLS certificate +/// to the x-forwarded-client-cert header. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyVirtualhostTlsClientValidationForwardClientCertificate { + /// Client cert in URL encoded PEM format. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cert: Option, + /// Client cert chain (including the leaf cert) in URL encoded PEM format. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub chain: Option, + /// DNS type Subject Alternative Names of the client cert. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub dns: Option, + /// Subject of the client cert. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subject: Option, + /// URI type Subject Alternative Name of the client cert. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uri: Option, +} + +/// Status is a container for computed information about the HTTPProxy. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyStatus { + /// Conditions contains information about the current status of the HTTPProxy, + /// in an upstream-friendly container. + /// Contour will update a single condition, `Valid`, that is in normal-true polarity. + /// That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + /// and vice versa. + /// Contour will leave untouched any other Conditions set in this block, + /// in case some other controller wants to add a Condition. + /// If you are another controller owner and wish to add a condition, you *should* + /// namespace your condition with a label, like `controller.domain.com/ConditionName`. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, + #[serde(default, skip_serializing_if = "Option::is_none", rename = "currentStatus")] + pub current_status: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub description: Option, + /// LoadBalancer contains the current status of the load balancer. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "loadBalancer")] + pub load_balancer: Option, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyStatusConditions { + /// Errors contains a slice of relevant error subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + /// An empty slice here indicates no errors. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub errors: Option>, + /// lastTransitionTime is the last time the condition transitioned from one status to another. + /// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + #[serde(rename = "lastTransitionTime")] + pub last_transition_time: String, + /// message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// observedGeneration represents the .metadata.generation that the condition was set based upon. + /// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + /// with respect to the current state of the instance. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "observedGeneration")] + pub observed_generation: Option, + /// reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// status of the condition, one of True, False, Unknown. + pub status: HTTPProxyStatusConditionsStatus, + /// type of condition in CamelCase or in foo.example.com/CamelCase. + /// --- + /// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + /// useful (see .node.status.conditions), the ability to deconflict is important. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, + /// Warnings contains a slice of relevant warning subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + /// An empty slice here indicates no warnings. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub warnings: Option>, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyStatusConditionsErrors { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: HTTPProxyStatusConditionsErrorsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyStatusConditionsErrorsStatus { + True, + False, + Unknown, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyStatusConditionsStatus { + True, + False, + Unknown, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyStatusConditionsWarnings { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: HTTPProxyStatusConditionsWarningsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum HTTPProxyStatusConditionsWarningsStatus { + True, + False, + Unknown, +} + +/// LoadBalancer contains the current status of the load balancer. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyStatusLoadBalancer { + /// Ingress is a list containing ingress points for the load-balancer. + /// Traffic intended for the service should be sent to these ingress points. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ingress: Option>, +} + +/// LoadBalancerIngress represents the status of a load-balancer ingress point: +/// traffic intended for the service should be sent to an ingress point. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyStatusLoadBalancerIngress { + /// Hostname is set for load-balancer ingress points that are DNS based + /// (typically AWS load-balancers) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hostname: Option, + /// IP is set for load-balancer ingress points that are IP based + /// (typically GCE or OpenStack load-balancers) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ip: Option, + /// IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + /// Setting this to "VIP" indicates that traffic is delivered to the node with + /// the destination set to the load-balancer's IP and port. + /// Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + /// the destination set to the node's IP and node port or the pod's IP and port. + /// Service implementations may use this information to adjust traffic routing. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipMode")] + pub ip_mode: Option, + /// Ports is a list of records of service ports + /// If used, every port defined in the service should have an entry in it + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ports: Option>, +} + +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct HTTPProxyStatusLoadBalancerIngressPorts { + /// Error is to record the problem with the service port + /// The format of the error shall comply with the following rules: + /// - built-in error values shall be specified in this file and those shall use + /// CamelCase names + /// - cloud provider specific error values must have names that comply with the + /// format foo.example.com/CamelCase. + /// --- + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(default, skip_serializing_if = "Option::is_none")] + pub error: Option, + /// Port is the port number of the service port of which status is recorded here + pub port: i32, + /// Protocol is the protocol of the service port of which status is recorded here + /// The supported values are: "TCP", "UDP", "SCTP" + pub protocol: String, +} + diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1/mod.rs b/kube-custom-resources-rs/src/projectcontour_io/v1/mod.rs new file mode 100644 index 000000000..3ab508e99 --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/v1/mod.rs @@ -0,0 +1,2 @@ +pub mod httpproxies; +pub mod tlscertificatedelegations; diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1/tlscertificatedelegations.rs b/kube-custom-resources-rs/src/projectcontour_io/v1/tlscertificatedelegations.rs new file mode 100644 index 000000000..db348bef1 --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/v1/tlscertificatedelegations.rs @@ -0,0 +1,218 @@ +// WARNING: generated by kopium - manual changes will be overwritten +// kopium command: kopium --docs --filename=./crd-catalog/projectcontour/contour/projectcontour.io/v1/tlscertificatedelegations.yaml --derive=PartialEq +// kopium version: 0.16.5 + +use kube::CustomResource; +use serde::{Serialize, Deserialize}; + +/// TLSCertificateDelegationSpec defines the spec of the CRD +#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, PartialEq)] +#[kube(group = "projectcontour.io", version = "v1", kind = "TLSCertificateDelegation", plural = "tlscertificatedelegations")] +#[kube(namespaced)] +#[kube(status = "TLSCertificateDelegationStatus")] +#[kube(schema = "disabled")] +pub struct TLSCertificateDelegationSpec { + pub delegations: Vec, +} + +/// CertificateDelegation maps the authority to reference a secret +/// in the current namespace to a set of namespaces. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct TLSCertificateDelegationDelegations { + /// required, the name of a secret in the current namespace. + #[serde(rename = "secretName")] + pub secret_name: String, + /// required, the namespaces the authority to reference the + /// secret will be delegated to. + /// If TargetNamespaces is nil or empty, the CertificateDelegation' + /// is ignored. If the TargetNamespace list contains the character, "*" + /// the secret will be delegated to all namespaces. + #[serde(rename = "targetNamespaces")] + pub target_namespaces: Vec, +} + +/// TLSCertificateDelegationStatus allows for the status of the delegation +/// to be presented to the user. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct TLSCertificateDelegationStatus { + /// Conditions contains information about the current status of the HTTPProxy, + /// in an upstream-friendly container. + /// Contour will update a single condition, `Valid`, that is in normal-true polarity. + /// That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + /// and vice versa. + /// Contour will leave untouched any other Conditions set in this block, + /// in case some other controller wants to add a Condition. + /// If you are another controller owner and wish to add a condition, you *should* + /// namespace your condition with a label, like `controller.domain.com\ConditionName`. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct TLSCertificateDelegationStatusConditions { + /// Errors contains a slice of relevant error subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + /// An empty slice here indicates no errors. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub errors: Option>, + /// lastTransitionTime is the last time the condition transitioned from one status to another. + /// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + #[serde(rename = "lastTransitionTime")] + pub last_transition_time: String, + /// message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// observedGeneration represents the .metadata.generation that the condition was set based upon. + /// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + /// with respect to the current state of the instance. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "observedGeneration")] + pub observed_generation: Option, + /// reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// status of the condition, one of True, False, Unknown. + pub status: TLSCertificateDelegationStatusConditionsStatus, + /// type of condition in CamelCase or in foo.example.com/CamelCase. + /// --- + /// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + /// useful (see .node.status.conditions), the ability to deconflict is important. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, + /// Warnings contains a slice of relevant warning subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + /// An empty slice here indicates no warnings. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub warnings: Option>, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct TLSCertificateDelegationStatusConditionsErrors { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: TLSCertificateDelegationStatusConditionsErrorsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum TLSCertificateDelegationStatusConditionsErrorsStatus { + True, + False, + Unknown, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum TLSCertificateDelegationStatusConditionsStatus { + True, + False, + Unknown, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct TLSCertificateDelegationStatusConditionsWarnings { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: TLSCertificateDelegationStatusConditionsWarningsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum TLSCertificateDelegationStatusConditionsWarningsStatus { + True, + False, + Unknown, +} + diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs new file mode 100644 index 000000000..3ae48248a --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourconfigurations.rs @@ -0,0 +1,1268 @@ +// WARNING: generated by kopium - manual changes will be overwritten +// kopium command: kopium --docs --filename=./crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourconfigurations.yaml --derive=PartialEq +// kopium version: 0.16.5 + +use kube::CustomResource; +use serde::{Serialize, Deserialize}; +use std::collections::BTreeMap; + +/// ContourConfigurationSpec represents a configuration of a Contour controller. +/// It contains most of all the options that can be customized, the +/// other remaining options being command line flags. +#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, PartialEq)] +#[kube(group = "projectcontour.io", version = "v1alpha1", kind = "ContourConfiguration", plural = "contourconfigurations")] +#[kube(namespaced)] +#[kube(status = "ContourConfigurationStatus")] +#[kube(schema = "disabled")] +pub struct ContourConfigurationSpec { + /// Debug contains parameters to enable debug logging + /// and debug interfaces inside Contour. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub debug: Option, + /// EnableExternalNameService allows processing of ExternalNameServices + /// Contour's default is false for security reasons. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableExternalNameService")] + pub enable_external_name_service: Option, + /// Envoy contains parameters for Envoy as well + /// as how to optionally configure a managed Envoy fleet. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub envoy: Option, + /// FeatureFlags defines toggle to enable new contour features. + /// Available toggles are: + /// useEndpointSlices - configures contour to fetch endpoint data + /// from k8s endpoint slices. defaults to false and reading endpoint + /// data from the k8s endpoints. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "featureFlags")] + pub feature_flags: Option>, + /// Gateway contains parameters for the gateway-api Gateway that Contour + /// is configured to serve traffic. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub gateway: Option, + /// GlobalExternalAuthorization allows envoys external authorization filter + /// to be enabled for all virtual hosts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "globalExtAuth")] + pub global_ext_auth: Option, + /// Health defines the endpoints Contour uses to serve health checks. + /// Contour's default is { address: "0.0.0.0", port: 8000 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub health: Option, + /// HTTPProxy defines parameters on HTTPProxy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub httpproxy: Option, + /// Ingress contains parameters for ingress options. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ingress: Option, + /// Metrics defines the endpoint Contour uses to serve metrics. + /// Contour's default is { address: "0.0.0.0", port: 8000 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Policy specifies default policy applied if not overridden by the user + #[serde(default, skip_serializing_if = "Option::is_none")] + pub policy: Option, + /// RateLimitService optionally holds properties of the Rate Limit Service + /// to be used for global rate limiting. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rateLimitService")] + pub rate_limit_service: Option, + /// Tracing defines properties for exporting trace data to OpenTelemetry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tracing: Option, + /// XDSServer contains parameters for the xDS server. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "xdsServer")] + pub xds_server: Option, +} + +/// Debug contains parameters to enable debug logging +/// and debug interfaces inside Contour. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationDebug { + /// Defines the Contour debug address interface. + /// Contour's default is "127.0.0.1". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the Contour debug address port. + /// Contour's default is 6060. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Envoy contains parameters for Envoy as well +/// as how to optionally configure a managed Envoy fleet. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoy { + /// ClientCertificate defines the namespace/name of the Kubernetes + /// secret containing the client certificate and private key + /// to be used when establishing TLS connection to upstream + /// cluster. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientCertificate")] + pub client_certificate: Option, + /// Cluster holds various configurable Envoy cluster values that can + /// be set in the config file. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cluster: Option, + /// DefaultHTTPVersions defines the default set of HTTPS + /// versions the proxy should accept. HTTP versions are + /// strings of the form "HTTP/xx". Supported versions are + /// "HTTP/1.1" and "HTTP/2". + /// Values: `HTTP/1.1`, `HTTP/2` (default: both). + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultHTTPVersions")] + pub default_http_versions: Option>, + /// Health defines the endpoint Envoy uses to serve health checks. + /// Contour's default is { address: "0.0.0.0", port: 8002 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub health: Option, + /// Defines the HTTP Listener for Envoy. + /// Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Defines the HTTPS Listener for Envoy. + /// Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub https: Option, + /// Listener hold various configurable Envoy listener values. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub listener: Option, + /// Logging defines how Envoy's logs can be configured. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub logging: Option, + /// Metrics defines the endpoint Envoy uses to serve metrics. + /// Contour's default is { address: "0.0.0.0", port: 8002 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Network holds various configurable Envoy network values. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub network: Option, + /// Service holds Envoy service parameters for setting Ingress status. + /// Contour's default is { namespace: "projectcontour", name: "envoy" }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub service: Option, + /// Timeouts holds various configurable timeouts that can + /// be set in the config file. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub timeouts: Option, +} + +/// ClientCertificate defines the namespace/name of the Kubernetes +/// secret containing the client certificate and private key +/// to be used when establishing TLS connection to upstream +/// cluster. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyClientCertificate { + pub name: String, + pub namespace: String, +} + +/// Cluster holds various configurable Envoy cluster values that can +/// be set in the config file. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyCluster { + /// GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + /// If defined, this will be used as the default for all services. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "circuitBreakers")] + pub circuit_breakers: Option, + /// DNSLookupFamily defines how external names are looked up + /// When configured as V4, the DNS resolver will only perform a lookup + /// for addresses in the IPv4 family. If V6 is configured, the DNS resolver + /// will only perform a lookup for addresses in the IPv6 family. + /// If AUTO is configured, the DNS resolver will first perform a lookup + /// for addresses in the IPv6 family and fallback to a lookup for addresses + /// in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + /// both IPv4 and IPv6 families, and return all resolved addresses. + /// When this is used, Happy Eyeballs will be enabled for upstream connections. + /// Refer to Happy Eyeballs Support for more information. + /// Note: This only applies to externalName clusters. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + /// for more information. + /// Values: `auto` (default), `v4`, `v6`, `all`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsLookupFamily")] + pub dns_lookup_family: Option, + /// Defines the maximum requests for upstream connections. If not specified, there is no limit. + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestsPerConnection")] + pub max_requests_per_connection: Option, + /// Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + /// If unspecified, an implementation defined default is applied (1MiB). + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "per-connection-buffer-limit-bytes")] + pub per_connection_buffer_limit_bytes: Option, + /// UpstreamTLS contains the TLS policy parameters for upstream connections + #[serde(default, skip_serializing_if = "Option::is_none", rename = "upstreamTLS")] + pub upstream_tls: Option, +} + +/// GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. +/// If defined, this will be used as the default for all services. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyClusterCircuitBreakers { + /// The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxConnections")] + pub max_connections: Option, + /// The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxPendingRequests")] + pub max_pending_requests: Option, + /// The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024 + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequests")] + pub max_requests: Option, + /// The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRetries")] + pub max_retries: Option, +} + +/// UpstreamTLS contains the TLS policy parameters for upstream connections +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyClusterUpstreamTls { + /// CipherSuites defines the TLS ciphers to be supported by Envoy TLS + /// listeners when negotiating TLS 1.2. Ciphers are validated against the + /// set that Envoy supports by default. This parameter should only be used + /// by advanced users. Note that these will be ignored when TLS 1.3 is in + /// use. + /// This field is optional; when it is undefined, a Contour-managed ciphersuite list + /// will be used, which may be updated to keep it secure. + /// Contour's default list is: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// Ciphers provided are validated against the following list: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES128-GCM-SHA256" + /// - "ECDHE-RSA-AES128-GCM-SHA256" + /// - "ECDHE-ECDSA-AES128-SHA" + /// - "ECDHE-RSA-AES128-SHA" + /// - "AES128-GCM-SHA256" + /// - "AES128-SHA" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// - "ECDHE-ECDSA-AES256-SHA" + /// - "ECDHE-RSA-AES256-SHA" + /// - "AES256-GCM-SHA384" + /// - "AES256-SHA" + /// Contour recommends leaving this undefined unless you are sure you must. + /// See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + /// Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cipherSuites")] + pub cipher_suites: Option>, + /// MaximumProtocolVersion is the maximum TLS version this vhost should + /// negotiate. + /// Values: `1.2`, `1.3`(default). + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maximumProtocolVersion")] + pub maximum_protocol_version: Option, + /// MinimumProtocolVersion is the minimum TLS version this vhost should + /// negotiate. + /// Values: `1.2` (default), `1.3`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "minimumProtocolVersion")] + pub minimum_protocol_version: Option, +} + +/// Health defines the endpoint Envoy uses to serve health checks. +/// Contour's default is { address: "0.0.0.0", port: 8002 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyHealth { + /// Defines the health address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the health port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Defines the HTTP Listener for Envoy. +/// Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyHttp { + /// AccessLog defines where Envoy logs are outputted for this listener. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLog")] + pub access_log: Option, + /// Defines an Envoy Listener Address. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines an Envoy listener Port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Defines the HTTPS Listener for Envoy. +/// Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyHttps { + /// AccessLog defines where Envoy logs are outputted for this listener. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLog")] + pub access_log: Option, + /// Defines an Envoy Listener Address. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines an Envoy listener Port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Listener hold various configurable Envoy listener values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyListener { + /// ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + /// for more information. + /// Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectionBalancer")] + pub connection_balancer: Option, + /// DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + /// strip the "Content-Length" header if "Transfer-Encoding: chunked" is + /// also set. This is an emergency off-switch to revert back to Envoy's + /// default behavior in case of failures. Please file an issue if failures + /// are encountered. + /// See: https://github.com/projectcontour/contour/issues/3221 + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disableAllowChunkedLength")] + pub disable_allow_chunked_length: Option, + /// DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + /// which strips duplicate slashes from request URL paths. + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disableMergeSlashes")] + pub disable_merge_slashes: Option, + /// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + /// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + /// for a peer on a single HTTP/2 connection. It is recommended to not set this lower + /// than 100 but this field can be used to bound resource usage by HTTP/2 connections + /// and mitigate attacks like CVE-2023-44487. The default value when this is not set is + /// unlimited. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "httpMaxConcurrentStreams")] + pub http_max_concurrent_streams: Option, + /// Defines the limit on number of active connections to a listener. The limit is applied + /// per listener. The default value when this is not set is unlimited. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxConnectionsPerListener")] + pub max_connections_per_listener: Option, + /// Defines the maximum requests for downstream connections. If not specified, there is no limit. + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestsPerConnection")] + pub max_requests_per_connection: Option, + /// Defines the limit on number of HTTP requests that Envoy will process from a single + /// connection in a single I/O cycle. Requests over this limit are processed in subsequent + /// I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + /// detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + /// value when this is not set is no limit. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestsPerIOCycle")] + pub max_requests_per_io_cycle: Option, + /// Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + /// If unspecified, an implementation defined default is applied (1MiB). + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "per-connection-buffer-limit-bytes")] + pub per_connection_buffer_limit_bytes: Option, + /// Defines the action to be applied to the Server header on the response path. + /// When configured as overwrite, overwrites any Server header with "envoy". + /// When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + /// When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + /// Values: `overwrite` (default), `append_if_absent`, `pass_through` + /// Other values will produce an error. + /// Contour's default is overwrite. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "serverHeaderTransformation")] + pub server_header_transformation: Option, + /// SocketOptions defines configurable socket options for the listeners. + /// Single set of options are applied to all listeners. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "socketOptions")] + pub socket_options: Option, + /// TLS holds various configurable Envoy TLS listener values. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, + /// Use PROXY protocol for all listeners. + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "useProxyProtocol")] + pub use_proxy_protocol: Option, +} + +/// SocketOptions defines configurable socket options for the listeners. +/// Single set of options are applied to all listeners. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyListenerSocketOptions { + /// Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + /// Single value is applied to all listeners. + /// If listeners are bound to IPv6-only addresses, setting this option will cause an error. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tos: Option, + /// Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + /// Single value is applied to all listeners. + /// If listeners are bound to IPv4-only addresses, setting this option will cause an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "trafficClass")] + pub traffic_class: Option, +} + +/// TLS holds various configurable Envoy TLS listener values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyListenerTls { + /// CipherSuites defines the TLS ciphers to be supported by Envoy TLS + /// listeners when negotiating TLS 1.2. Ciphers are validated against the + /// set that Envoy supports by default. This parameter should only be used + /// by advanced users. Note that these will be ignored when TLS 1.3 is in + /// use. + /// This field is optional; when it is undefined, a Contour-managed ciphersuite list + /// will be used, which may be updated to keep it secure. + /// Contour's default list is: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// Ciphers provided are validated against the following list: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES128-GCM-SHA256" + /// - "ECDHE-RSA-AES128-GCM-SHA256" + /// - "ECDHE-ECDSA-AES128-SHA" + /// - "ECDHE-RSA-AES128-SHA" + /// - "AES128-GCM-SHA256" + /// - "AES128-SHA" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// - "ECDHE-ECDSA-AES256-SHA" + /// - "ECDHE-RSA-AES256-SHA" + /// - "AES256-GCM-SHA384" + /// - "AES256-SHA" + /// Contour recommends leaving this undefined unless you are sure you must. + /// See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + /// Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cipherSuites")] + pub cipher_suites: Option>, + /// MaximumProtocolVersion is the maximum TLS version this vhost should + /// negotiate. + /// Values: `1.2`, `1.3`(default). + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maximumProtocolVersion")] + pub maximum_protocol_version: Option, + /// MinimumProtocolVersion is the minimum TLS version this vhost should + /// negotiate. + /// Values: `1.2` (default), `1.3`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "minimumProtocolVersion")] + pub minimum_protocol_version: Option, +} + +/// Logging defines how Envoy's logs can be configured. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyLogging { + /// AccessLogFormat sets the global access log format. + /// Values: `envoy` (default), `json`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogFormat")] + pub access_log_format: Option, + /// AccessLogFormatString sets the access log format when format is set to `envoy`. + /// When empty, Envoy's default format is used. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogFormatString")] + pub access_log_format_string: Option, + /// AccessLogJSONFields sets the fields that JSON logging will + /// output when AccessLogFormat is json. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogJSONFields")] + pub access_log_json_fields: Option>, + /// AccessLogLevel sets the verbosity level of the access log. + /// Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogLevel")] + pub access_log_level: Option, +} + +/// Metrics defines the endpoint Envoy uses to serve metrics. +/// Contour's default is { address: "0.0.0.0", port: 8002 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyMetrics { + /// Defines the metrics address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the metrics port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// TLS holds TLS file config details. + /// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, +} + +/// TLS holds TLS file config details. +/// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyMetricsTls { + /// CA filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "caFile")] + pub ca_file: Option, + /// Client certificate filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "certFile")] + pub cert_file: Option, + /// Client key filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyFile")] + pub key_file: Option, +} + +/// Network holds various configurable Envoy network values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyNetwork { + /// Configure the port used to access the Envoy Admin interface. + /// If configured to port "0" then the admin interface is disabled. + /// Contour's default is 9001. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "adminPort")] + pub admin_port: Option, + /// XffNumTrustedHops defines the number of additional ingress proxy hops from the + /// right side of the x-forwarded-for HTTP header to trust when determining the origin + /// client’s IP address. + /// See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + /// for more information. + /// Contour's default is 0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "numTrustedHops")] + pub num_trusted_hops: Option, +} + +/// Service holds Envoy service parameters for setting Ingress status. +/// Contour's default is { namespace: "projectcontour", name: "envoy" }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyService { + pub name: String, + pub namespace: String, +} + +/// Timeouts holds various configurable timeouts that can +/// be set in the config file. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationEnvoyTimeouts { + /// ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + /// If not set, a default value of 2 seconds will be used. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectTimeout")] + pub connect_timeout: Option, + /// ConnectionIdleTimeout defines how long the proxy should wait while there are + /// no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + /// an HTTP connection. Set to "infinity" to disable the timeout entirely. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectionIdleTimeout")] + pub connection_idle_timeout: Option, + /// ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + /// initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + /// During this grace period, the proxy will continue to respond to new streams. After the final + /// GOAWAY frame has been sent, the proxy will refuse new streams. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectionShutdownGracePeriod")] + pub connection_shutdown_grace_period: Option, + /// DelayedCloseTimeout defines how long envoy will wait, once connection + /// close processing has been initiated, for the downstream peer to close + /// the connection before Envoy closes the socket associated with the connection. + /// Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + /// in Envoy. Leaving it unset will result in the Envoy default value being used. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "delayedCloseTimeout")] + pub delayed_close_timeout: Option, + /// MaxConnectionDuration defines the maximum period of time after an HTTP connection + /// has been established from the client to the proxy before it is closed by the proxy, + /// regardless of whether there has been activity or not. Omit or set to "infinity" for + /// no max duration. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxConnectionDuration")] + pub max_connection_duration: Option, + /// RequestTimeout sets the client request timeout globally for Contour. Note that + /// this is a timeout for the entire request, not an idle timeout. Omit or set to + /// "infinity" to disable the timeout entirely. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestTimeout")] + pub request_timeout: Option, + /// StreamIdleTimeout defines how long the proxy should wait while there is no + /// request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + /// terminating the HTTP request or stream. Set to "infinity" to disable the + /// timeout entirely. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "streamIdleTimeout")] + pub stream_idle_timeout: Option, +} + +/// Gateway contains parameters for the gateway-api Gateway that Contour +/// is configured to serve traffic. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationGateway { + /// ControllerName is used to determine whether Contour should reconcile a + /// GatewayClass. The string takes the form of "projectcontour.io//contour". + /// If unset, the gatewayclass controller will not be started. + /// Exactly one of ControllerName or GatewayRef must be set. + /// Deprecated: users should use GatewayRef, or the Gateway provisioner, + /// in place of this field. This field will be removed in a future release. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "controllerName")] + pub controller_name: Option, + /// GatewayRef defines a specific Gateway that this Contour + /// instance corresponds to. If set, Contour will reconcile + /// only this gateway, and will not reconcile any gateway + /// classes. + /// Exactly one of ControllerName or GatewayRef must be set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "gatewayRef")] + pub gateway_ref: Option, +} + +/// GatewayRef defines a specific Gateway that this Contour +/// instance corresponds to. If set, Contour will reconcile +/// only this gateway, and will not reconcile any gateway +/// classes. +/// Exactly one of ControllerName or GatewayRef must be set. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationGatewayGatewayRef { + pub name: String, + pub namespace: String, +} + +/// GlobalExternalAuthorization allows envoys external authorization filter +/// to be enabled for all virtual hosts. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationGlobalExtAuth { + /// AuthPolicy sets a default authorization policy for client requests. + /// This policy will be used unless overridden by individual routes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authPolicy")] + pub auth_policy: Option, + /// ExtensionServiceRef specifies the extension resource that will authorize client requests. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extensionRef")] + pub extension_ref: Option, + /// If FailOpen is true, the client request is forwarded to the upstream service + /// even if the authorization server fails to respond. This field should not be + /// set in most cases. It is intended for use only while migrating applications + /// from internal authorization to Contour external authorization. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "failOpen")] + pub fail_open: Option, + /// ResponseTimeout configures maximum time to wait for a check response from the authorization server. + /// Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + /// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + /// The string "infinity" is also a valid input and specifies no timeout. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseTimeout")] + pub response_timeout: Option, + /// WithRequestBody specifies configuration for sending the client request's body to authorization server. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "withRequestBody")] + pub with_request_body: Option, +} + +/// AuthPolicy sets a default authorization policy for client requests. +/// This policy will be used unless overridden by individual routes. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationGlobalExtAuthAuthPolicy { + /// Context is a set of key/value pairs that are sent to the + /// authentication server in the check request. If a context + /// is provided at an enclosing scope, the entries are merged + /// such that the inner scope overrides matching keys from the + /// outer scope. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub context: Option>, + /// When true, this field disables client request authentication + /// for the scope of the policy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// ExtensionServiceRef specifies the extension resource that will authorize client requests. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationGlobalExtAuthExtensionRef { + /// API version of the referent. + /// If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiVersion")] + pub api_version: Option, + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// Namespace of the referent. + /// If this field is not specifies, the namespace of the resource that targets the referent will be used. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +/// WithRequestBody specifies configuration for sending the client request's body to authorization server. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationGlobalExtAuthWithRequestBody { + /// If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowPartialMessage")] + pub allow_partial_message: Option, + /// MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestBytes")] + pub max_request_bytes: Option, + /// If PackAsBytes is true, the body sent to Authorization Server is in raw bytes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "packAsBytes")] + pub pack_as_bytes: Option, +} + +/// Health defines the endpoints Contour uses to serve health checks. +/// Contour's default is { address: "0.0.0.0", port: 8000 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationHealth { + /// Defines the health address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the health port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// HTTPProxy defines parameters on HTTPProxy. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationHttpproxy { + /// DisablePermitInsecure disables the use of the + /// permitInsecure field in HTTPProxy. + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disablePermitInsecure")] + pub disable_permit_insecure: Option, + /// FallbackCertificate defines the namespace/name of the Kubernetes secret to + /// use as fallback when a non-SNI request is received. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fallbackCertificate")] + pub fallback_certificate: Option, + /// Restrict Contour to searching these namespaces for root ingress routes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rootNamespaces")] + pub root_namespaces: Option>, +} + +/// FallbackCertificate defines the namespace/name of the Kubernetes secret to +/// use as fallback when a non-SNI request is received. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationHttpproxyFallbackCertificate { + pub name: String, + pub namespace: String, +} + +/// Ingress contains parameters for ingress options. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationIngress { + /// Ingress Class Names Contour should use. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "classNames")] + pub class_names: Option>, + /// Address to set in Ingress object status. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "statusAddress")] + pub status_address: Option, +} + +/// Metrics defines the endpoint Contour uses to serve metrics. +/// Contour's default is { address: "0.0.0.0", port: 8000 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationMetrics { + /// Defines the metrics address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the metrics port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// TLS holds TLS file config details. + /// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, +} + +/// TLS holds TLS file config details. +/// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationMetricsTls { + /// CA filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "caFile")] + pub ca_file: Option, + /// Client certificate filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "certFile")] + pub cert_file: Option, + /// Client key filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyFile")] + pub key_file: Option, +} + +/// Policy specifies default policy applied if not overridden by the user +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationPolicy { + /// ApplyToIngress determines if the Policies will apply to ingress objects + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "applyToIngress")] + pub apply_to_ingress: Option, + /// RequestHeadersPolicy defines the request headers set/removed on all routes + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaders")] + pub request_headers: Option, + /// ResponseHeadersPolicy defines the response headers set/removed on all routes + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseHeaders")] + pub response_headers: Option, +} + +/// RequestHeadersPolicy defines the request headers set/removed on all routes +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationPolicyRequestHeaders { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// ResponseHeadersPolicy defines the response headers set/removed on all routes +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationPolicyResponseHeaders { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// RateLimitService optionally holds properties of the Rate Limit Service +/// to be used for global rate limiting. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitService { + /// DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + /// HTTPProxy can overwrite this configuration. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultGlobalRateLimitPolicy")] + pub default_global_rate_limit_policy: Option, + /// Domain is passed to the Rate Limit Service. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub domain: Option, + /// EnableResourceExhaustedCode enables translating error code 429 to + /// grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableResourceExhaustedCode")] + pub enable_resource_exhausted_code: Option, + /// EnableXRateLimitHeaders defines whether to include the X-RateLimit + /// headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + /// (as defined by the IETF Internet-Draft linked below), on responses + /// to clients when the Rate Limit Service is consulted for a request. + /// ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableXRateLimitHeaders")] + pub enable_x_rate_limit_headers: Option, + /// ExtensionService identifies the extension service defining the RLS. + #[serde(rename = "extensionService")] + pub extension_service: ContourConfigurationRateLimitServiceExtensionService, + /// FailOpen defines whether to allow requests to proceed when the + /// Rate Limit Service fails to respond with a valid rate limit + /// decision within the timeout defined on the extension service. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "failOpen")] + pub fail_open: Option, +} + +/// DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. +/// HTTPProxy can overwrite this configuration. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicy { + /// Descriptors defines the list of descriptors that will + /// be generated and sent to the rate limit service. Each + /// descriptor contains 1+ key-value pair entries. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub descriptors: Option>, + /// Disabled configures the HTTPProxy to not use + /// the default global rate limit policy defined by the Contour configuration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// RateLimitDescriptor defines a list of key-value pair generators. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptors { + /// Entries is the list of key-value pair generators. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub entries: Option>, +} + +/// RateLimitDescriptorEntry is a key-value pair generator. Exactly +/// one field on this struct must be non-nil. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntries { + /// GenericKey defines a descriptor entry with a static key and value. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "genericKey")] + pub generic_key: Option, + /// RemoteAddress defines a descriptor entry with a key of "remote_address" + /// and a value equal to the client's IP address (from x-forwarded-for). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteAddress")] + pub remote_address: Option, + /// RequestHeader defines a descriptor entry that's populated only if + /// a given header is present on the request. The descriptor key is static, + /// and the descriptor value is equal to the value of the header. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeader")] + pub request_header: Option, + /// RequestHeaderValueMatch defines a descriptor entry that's populated + /// if the request's headers match a set of 1+ match criteria. The + /// descriptor key is "header_match", and the descriptor value is static. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaderValueMatch")] + pub request_header_value_match: Option, +} + +/// GenericKey defines a descriptor entry with a static key and value. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesGenericKey { + /// Key defines the key of the descriptor entry. If not set, the + /// key is set to "generic_key". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// RemoteAddress defines a descriptor entry with a key of "remote_address" +/// and a value equal to the client's IP address (from x-forwarded-for). +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRemoteAddress { +} + +/// RequestHeader defines a descriptor entry that's populated only if +/// a given header is present on the request. The descriptor key is static, +/// and the descriptor value is equal to the value of the header. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeader { + /// DescriptorKey defines the key to use on the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] + pub descriptor_key: Option, + /// HeaderName defines the name of the header to look for on the request. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] + pub header_name: Option, +} + +/// RequestHeaderValueMatch defines a descriptor entry that's populated +/// if the request's headers match a set of 1+ match criteria. The +/// descriptor key is "header_match", and the descriptor value is static. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeaderValueMatch { + /// ExpectMatch defines whether the request must positively match the match + /// criteria in order to generate a descriptor entry (i.e. true), or not + /// match the match criteria in order to generate a descriptor entry (i.e. false). + /// The default is true. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "expectMatch")] + pub expect_match: Option, + /// Headers is a list of 1+ match criteria to apply against the request + /// to determine whether to populate the descriptor entry or not. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HeaderMatchCondition specifies how to conditionally match against HTTP +/// headers. The Name field is required, only one of Present, NotPresent, +/// Contains, NotContains, Exact, NotExact and Regex can be set. +/// For negative matching rules only (e.g. NotContains or NotExact) you can set +/// TreatMissingAsEmpty. +/// IgnoreCase has no effect for Regex. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeaderValueMatchHeaders { + /// Contains specifies a substring that must be present in + /// the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the header value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the header to match against. Name is required. + /// Header names are case insensitive. + pub name: String, + /// NotContains specifies a substring that must not be present + /// in the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notcontains: Option, + /// NoExact specifies a string that the header value must not be + /// equal to. The condition is true if the header has any other value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notexact: Option, + /// NotPresent specifies that condition is true when the named header + /// is not present. Note that setting NotPresent to false does not + /// make the condition true if the named header is present. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notpresent: Option, + /// Present specifies that condition is true when the named header + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named header + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the header + /// value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// TreatMissingAsEmpty specifies if the header match rule specified header + /// does not exist, this header value will be treated as empty. Defaults to false. + /// Unlike the underlying Envoy implementation this is **only** supported for + /// negative matches (e.g. NotContains, NotExact). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "treatMissingAsEmpty")] + pub treat_missing_as_empty: Option, +} + +/// ExtensionService identifies the extension service defining the RLS. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationRateLimitServiceExtensionService { + pub name: String, + pub namespace: String, +} + +/// Tracing defines properties for exporting trace data to OpenTelemetry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationTracing { + /// CustomTags defines a list of custom tags with unique tag name. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customTags")] + pub custom_tags: Option>, + /// ExtensionService identifies the extension service defining the otel-collector. + #[serde(rename = "extensionService")] + pub extension_service: ContourConfigurationTracingExtensionService, + /// IncludePodDetail defines a flag. + /// If it is true, contour will add the pod name and namespace to the span of the trace. + /// the default is true. + /// Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "includePodDetail")] + pub include_pod_detail: Option, + /// MaxPathTagLength defines maximum length of the request path + /// to extract and include in the HttpUrl tag. + /// contour's default is 256. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxPathTagLength")] + pub max_path_tag_length: Option, + /// OverallSampling defines the sampling rate of trace data. + /// contour's default is 100. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "overallSampling")] + pub overall_sampling: Option, + /// ServiceName defines the name for the service. + /// contour's default is contour. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceName")] + pub service_name: Option, +} + +/// CustomTag defines custom tags with unique tag name +/// to create tags for the active span. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationTracingCustomTags { + /// Literal is a static custom tag value. + /// Precisely one of Literal, RequestHeaderName must be set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub literal: Option, + /// RequestHeaderName indicates which request header + /// the label value is obtained from. + /// Precisely one of Literal, RequestHeaderName must be set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaderName")] + pub request_header_name: Option, + /// TagName is the unique name of the custom tag. + #[serde(rename = "tagName")] + pub tag_name: String, +} + +/// ExtensionService identifies the extension service defining the otel-collector. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationTracingExtensionService { + pub name: String, + pub namespace: String, +} + +/// XDSServer contains parameters for the xDS server. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationXdsServer { + /// Defines the xDS gRPC API address which Contour will serve. + /// Contour's default is "0.0.0.0". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the xDS gRPC API port which Contour will serve. + /// Contour's default is 8001. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// TLS holds TLS file config details. + /// Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, + /// Defines the XDSServer to use for `contour serve`. + /// Values: `contour` (default), `envoy`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")] + pub r#type: Option, +} + +/// TLS holds TLS file config details. +/// Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationXdsServerTls { + /// CA filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "caFile")] + pub ca_file: Option, + /// Client certificate filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "certFile")] + pub cert_file: Option, + /// Allow serving the xDS gRPC API without TLS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub insecure: Option, + /// Client key filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyFile")] + pub key_file: Option, +} + +/// ContourConfigurationStatus defines the observed state of a ContourConfiguration resource. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationStatus { + /// Conditions contains the current status of the Contour resource. + /// Contour will update a single condition, `Valid`, that is in normal-true polarity. + /// Contour will not modify any other Conditions set in this block, + /// in case some other controller wants to add a Condition. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationStatusConditions { + /// Errors contains a slice of relevant error subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + /// An empty slice here indicates no errors. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub errors: Option>, + /// lastTransitionTime is the last time the condition transitioned from one status to another. + /// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + #[serde(rename = "lastTransitionTime")] + pub last_transition_time: String, + /// message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// observedGeneration represents the .metadata.generation that the condition was set based upon. + /// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + /// with respect to the current state of the instance. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "observedGeneration")] + pub observed_generation: Option, + /// reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// status of the condition, one of True, False, Unknown. + pub status: ContourConfigurationStatusConditionsStatus, + /// type of condition in CamelCase or in foo.example.com/CamelCase. + /// --- + /// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + /// useful (see .node.status.conditions), the ability to deconflict is important. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, + /// Warnings contains a slice of relevant warning subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + /// An empty slice here indicates no warnings. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub warnings: Option>, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationStatusConditionsErrors { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: ContourConfigurationStatusConditionsErrorsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ContourConfigurationStatusConditionsErrorsStatus { + True, + False, + Unknown, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ContourConfigurationStatusConditionsStatus { + True, + False, + Unknown, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourConfigurationStatusConditionsWarnings { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: ContourConfigurationStatusConditionsWarningsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ContourConfigurationStatusConditionsWarningsStatus { + True, + False, + Unknown, +} + diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs new file mode 100644 index 000000000..150defb36 --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/contourdeployments.rs @@ -0,0 +1,3293 @@ +// WARNING: generated by kopium - manual changes will be overwritten +// kopium command: kopium --docs --filename=./crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/contourdeployments.yaml --derive=PartialEq +// kopium version: 0.16.5 + +use kube::CustomResource; +use serde::{Serialize, Deserialize}; +use std::collections::BTreeMap; +use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString; + +/// ContourDeploymentSpec specifies options for how a Contour +/// instance should be provisioned. +#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, PartialEq)] +#[kube(group = "projectcontour.io", version = "v1alpha1", kind = "ContourDeployment", plural = "contourdeployments")] +#[kube(namespaced)] +#[kube(status = "ContourDeploymentStatus")] +#[kube(schema = "disabled")] +pub struct ContourDeploymentSpec { + /// Contour specifies deployment-time settings for the Contour + /// part of the installation, i.e. the xDS server/control plane + /// and associated resources, including things like replica count + /// for the Deployment, and node placement constraints for the pods. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contour: Option, + /// Envoy specifies deployment-time settings for the Envoy + /// part of the installation, i.e. the xDS client/data plane + /// and associated resources, including things like the workload + /// type to use (DaemonSet or Deployment), node placement constraints + /// for the pods, and various options for the Envoy service. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub envoy: Option, + /// ResourceLabels is a set of labels to add to the provisioned Contour resources. + /// Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + /// removed in a future release. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceLabels")] + pub resource_labels: Option>, + /// RuntimeSettings is a ContourConfiguration spec to be used when + /// provisioning a Contour instance that will influence aspects of + /// the Contour instance's runtime behavior. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "runtimeSettings")] + pub runtime_settings: Option, +} + +/// Contour specifies deployment-time settings for the Contour +/// part of the installation, i.e. the xDS server/control plane +/// and associated resources, including things like replica count +/// for the Deployment, and node placement constraints for the pods. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContour { + /// Deployment describes the settings for running contour as a `Deployment`. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub deployment: Option, + /// DisabledFeatures defines an array of resources that will be ignored by + /// contour reconciler. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disabledFeatures")] + pub disabled_features: Option>, + /// KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + /// defaults to 0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "kubernetesLogLevel")] + pub kubernetes_log_level: Option, + /// LogLevel sets the log level for Contour + /// Allowed values are "info", "debug". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "logLevel")] + pub log_level: Option, + /// NodePlacement describes node scheduling configuration of Contour pods. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodePlacement")] + pub node_placement: Option, + /// PodAnnotations defines annotations to add to the Contour pods. + /// the annotations for Prometheus will be appended or overwritten with predefined value. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "podAnnotations")] + pub pod_annotations: Option>, + /// Deprecated: Use `DeploymentSettings.Replicas` instead. + /// Replicas is the desired number of Contour replicas. If if unset, + /// defaults to 2. + /// if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub replicas: Option, + /// Compute Resources required by contour container. + /// Cannot be updated. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + /// WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance + /// to only watch this subset of namespaces. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "watchNamespaces")] + pub watch_namespaces: Option>, +} + +/// Deployment describes the settings for running contour as a `Deployment`. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContourDeployment { + /// Replicas is the desired number of replicas. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub replicas: Option, + /// Strategy describes the deployment strategy to use to replace existing pods with new pods. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub strategy: Option, +} + +/// Strategy describes the deployment strategy to use to replace existing pods with new pods. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContourDeploymentStrategy { + /// Rolling update config params. Present only if DeploymentStrategyType = + /// RollingUpdate. + /// --- + /// TODO: Update this to follow our convention for oneOf, whatever we decide it + /// to be. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rollingUpdate")] + pub rolling_update: Option, + /// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")] + pub r#type: Option, +} + +/// Rolling update config params. Present only if DeploymentStrategyType = +/// RollingUpdate. +/// --- +/// TODO: Update this to follow our convention for oneOf, whatever we decide it +/// to be. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContourDeploymentStrategyRollingUpdate { + /// The maximum number of pods that can be scheduled above the desired number of + /// pods. + /// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + /// This can not be 0 if MaxUnavailable is 0. + /// Absolute number is calculated from percentage by rounding up. + /// Defaults to 25%. + /// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + /// the rolling update starts, such that the total number of old and new pods do not exceed + /// 130% of desired pods. Once old pods have been killed, + /// new ReplicaSet can be scaled up further, ensuring that total number of pods running + /// at any time during the update is at most 130% of desired pods. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxSurge")] + pub max_surge: Option, + /// The maximum number of pods that can be unavailable during the update. + /// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + /// Absolute number is calculated from percentage by rounding down. + /// This can not be 0 if MaxSurge is 0. + /// Defaults to 25%. + /// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + /// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + /// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + /// that the total number of pods available at all times during the update is at + /// least 70% of desired pods. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxUnavailable")] + pub max_unavailable: Option, +} + +/// NodePlacement describes node scheduling configuration of Contour pods. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContourNodePlacement { + /// NodeSelector is the simplest recommended form of node selection constraint + /// and specifies a map of key-value pairs. For the pod to be eligible + /// to run on a node, the node must have each of the indicated key-value pairs + /// as labels (it can have additional labels as well). + /// If unset, the pod(s) will be scheduled to any available node. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeSelector")] + pub node_selector: Option>, + /// Tolerations work with taints to ensure that pods are not scheduled + /// onto inappropriate nodes. One or more taints are applied to a node; this + /// marks that the node should not accept any pods that do not tolerate the + /// taints. + /// The default is an empty list. + /// See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + /// for additional details. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tolerations: Option>, +} + +/// The pod this Toleration is attached to tolerates any taint that matches +/// the triple using the matching operator . +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContourNodePlacementTolerations { + /// Effect indicates the taint effect to match. Empty means match all taint effects. + /// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub effect: Option, + /// Key is the taint key that the toleration applies to. Empty means match all taint keys. + /// If the key is empty, operator must be Exists; this combination means to match all values and all keys. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Operator represents a key's relationship to the value. + /// Valid operators are Exists and Equal. Defaults to Equal. + /// Exists is equivalent to wildcard for value, so that a pod can + /// tolerate all taints of a particular category. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// TolerationSeconds represents the period of time the toleration (which must be + /// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + /// it is not set, which means tolerate the taint forever (do not evict). Zero and + /// negative values will be treated as 0 (evict immediately) by the system. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tolerationSeconds")] + pub toleration_seconds: Option, + /// Value is the taint value the toleration matches to. + /// If the operator is Exists, the value should be empty, otherwise just a regular string. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Compute Resources required by contour container. +/// Cannot be updated. +/// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContourResources { + /// Claims lists the names of resources, defined in spec.resourceClaims, + /// that are used by this container. + /// This is an alpha field and requires enabling the + /// DynamicResourceAllocation feature gate. + /// This field is immutable. It can only be set for containers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub claims: Option>, + /// Limits describes the maximum amount of compute resources allowed. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + /// Requests describes the minimum amount of compute resources required. + /// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + /// otherwise to an implementation-defined value. Requests cannot exceed Limits. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +/// ResourceClaim references one entry in PodSpec.ResourceClaims. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentContourResourcesClaims { + /// Name must match the name of one entry in pod.spec.resourceClaims of + /// the Pod where this field is used. It makes that resource available + /// inside a container. + pub name: String, +} + +/// Envoy specifies deployment-time settings for the Envoy +/// part of the installation, i.e. the xDS client/data plane +/// and associated resources, including things like the workload +/// type to use (DaemonSet or Deployment), node placement constraints +/// for the pods, and various options for the Envoy service. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoy { + /// The base ID to use when allocating shared memory regions. + /// if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + /// so that the shared memory regions do not conflict. + /// defaults to 0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "baseID")] + pub base_id: Option, + /// DaemonSet describes the settings for running envoy as a `DaemonSet`. + /// if `WorkloadType` is `Deployment`,it's must be nil + #[serde(default, skip_serializing_if = "Option::is_none", rename = "daemonSet")] + pub daemon_set: Option, + /// Deployment describes the settings for running envoy as a `Deployment`. + /// if `WorkloadType` is `DaemonSet`,it's must be nil + #[serde(default, skip_serializing_if = "Option::is_none")] + pub deployment: Option, + /// ExtraVolumeMounts holds the extra volume mounts to add (normally used with extraVolumes). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraVolumeMounts")] + pub extra_volume_mounts: Option>, + /// ExtraVolumes holds the extra volumes to add. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extraVolumes")] + pub extra_volumes: Option>, + /// LogLevel sets the log level for Envoy. + /// Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "logLevel")] + pub log_level: Option, + /// NetworkPublishing defines how to expose Envoy to a network. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "networkPublishing")] + pub network_publishing: Option, + /// NodePlacement describes node scheduling configuration of Envoy pods. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodePlacement")] + pub node_placement: Option, + /// OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. + /// When the value is greater than 0, the overload manager is enabled, + /// and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + /// When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + /// More info: https://projectcontour.io/docs/main/config/overload-manager/ + #[serde(default, skip_serializing_if = "Option::is_none", rename = "overloadMaxHeapSize")] + pub overload_max_heap_size: Option, + /// PodAnnotations defines annotations to add to the Envoy pods. + /// the annotations for Prometheus will be appended or overwritten with predefined value. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "podAnnotations")] + pub pod_annotations: Option>, + /// Deprecated: Use `DeploymentSettings.Replicas` instead. + /// Replicas is the desired number of Envoy replicas. If WorkloadType + /// is not "Deployment", this field is ignored. Otherwise, if unset, + /// defaults to 2. + /// if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub replicas: Option, + /// Compute Resources required by envoy container. + /// Cannot be updated. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + /// WorkloadType is the type of workload to install Envoy + /// as. Choices are DaemonSet and Deployment. If unset, defaults + /// to DaemonSet. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "workloadType")] + pub workload_type: Option, +} + +/// DaemonSet describes the settings for running envoy as a `DaemonSet`. +/// if `WorkloadType` is `Deployment`,it's must be nil +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyDaemonSet { + /// Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "updateStrategy")] + pub update_strategy: Option, +} + +/// Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyDaemonSetUpdateStrategy { + /// Rolling update config params. Present only if type = "RollingUpdate". + /// --- + /// TODO: Update this to follow our convention for oneOf, whatever we decide it + /// to be. Same as Deployment `strategy.rollingUpdate`. + /// See https://github.com/kubernetes/kubernetes/issues/35345 + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rollingUpdate")] + pub rolling_update: Option, + /// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")] + pub r#type: Option, +} + +/// Rolling update config params. Present only if type = "RollingUpdate". +/// --- +/// TODO: Update this to follow our convention for oneOf, whatever we decide it +/// to be. Same as Deployment `strategy.rollingUpdate`. +/// See https://github.com/kubernetes/kubernetes/issues/35345 +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyDaemonSetUpdateStrategyRollingUpdate { + /// The maximum number of nodes with an existing available DaemonSet pod that + /// can have an updated DaemonSet pod during during an update. + /// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + /// This can not be 0 if MaxUnavailable is 0. + /// Absolute number is calculated from percentage by rounding up to a minimum of 1. + /// Default value is 0. + /// Example: when this is set to 30%, at most 30% of the total number of nodes + /// that should be running the daemon pod (i.e. status.desiredNumberScheduled) + /// can have their a new pod created before the old pod is marked as deleted. + /// The update starts by launching new pods on 30% of nodes. Once an updated + /// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + /// on that node is marked deleted. If the old pod becomes unavailable for any + /// reason (Ready transitions to false, is evicted, or is drained) an updated + /// pod is immediatedly created on that node without considering surge limits. + /// Allowing surge implies the possibility that the resources consumed by the + /// daemonset on any given node can double if the readiness check fails, and + /// so resource intensive daemonsets should take into account that they may + /// cause evictions during disruption. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxSurge")] + pub max_surge: Option, + /// The maximum number of DaemonSet pods that can be unavailable during the + /// update. Value can be an absolute number (ex: 5) or a percentage of total + /// number of DaemonSet pods at the start of the update (ex: 10%). Absolute + /// number is calculated from percentage by rounding up. + /// This cannot be 0 if MaxSurge is 0 + /// Default value is 1. + /// Example: when this is set to 30%, at most 30% of the total number of nodes + /// that should be running the daemon pod (i.e. status.desiredNumberScheduled) + /// can have their pods stopped for an update at any given time. The update + /// starts by stopping at most 30% of those DaemonSet pods and then brings + /// up new DaemonSet pods in their place. Once the new pods are available, + /// it then proceeds onto other DaemonSet pods, thus ensuring that at least + /// 70% of original number of DaemonSet pods are available at all times during + /// the update. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxUnavailable")] + pub max_unavailable: Option, +} + +/// Deployment describes the settings for running envoy as a `Deployment`. +/// if `WorkloadType` is `DaemonSet`,it's must be nil +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyDeployment { + /// Replicas is the desired number of replicas. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub replicas: Option, + /// Strategy describes the deployment strategy to use to replace existing pods with new pods. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub strategy: Option, +} + +/// Strategy describes the deployment strategy to use to replace existing pods with new pods. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyDeploymentStrategy { + /// Rolling update config params. Present only if DeploymentStrategyType = + /// RollingUpdate. + /// --- + /// TODO: Update this to follow our convention for oneOf, whatever we decide it + /// to be. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rollingUpdate")] + pub rolling_update: Option, + /// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")] + pub r#type: Option, +} + +/// Rolling update config params. Present only if DeploymentStrategyType = +/// RollingUpdate. +/// --- +/// TODO: Update this to follow our convention for oneOf, whatever we decide it +/// to be. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyDeploymentStrategyRollingUpdate { + /// The maximum number of pods that can be scheduled above the desired number of + /// pods. + /// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + /// This can not be 0 if MaxUnavailable is 0. + /// Absolute number is calculated from percentage by rounding up. + /// Defaults to 25%. + /// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + /// the rolling update starts, such that the total number of old and new pods do not exceed + /// 130% of desired pods. Once old pods have been killed, + /// new ReplicaSet can be scaled up further, ensuring that total number of pods running + /// at any time during the update is at most 130% of desired pods. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxSurge")] + pub max_surge: Option, + /// The maximum number of pods that can be unavailable during the update. + /// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + /// Absolute number is calculated from percentage by rounding down. + /// This can not be 0 if MaxSurge is 0. + /// Defaults to 25%. + /// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + /// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + /// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + /// that the total number of pods available at all times during the update is at + /// least 70% of desired pods. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxUnavailable")] + pub max_unavailable: Option, +} + +/// VolumeMount describes a mounting of a Volume within a container. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumeMounts { + /// Path within the container at which the volume should be mounted. Must + /// not contain ':'. + #[serde(rename = "mountPath")] + pub mount_path: String, + /// mountPropagation determines how mounts are propagated from the host + /// to container and the other way around. + /// When not set, MountPropagationNone is used. + /// This field is beta in 1.10. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "mountPropagation")] + pub mount_propagation: Option, + /// This must match the Name of a Volume. + pub name: String, + /// Mounted read-only if true, read-write otherwise (false or unspecified). + /// Defaults to false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// Path within the volume from which the container's volume should be mounted. + /// Defaults to "" (volume's root). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "subPath")] + pub sub_path: Option, + /// Expanded path within the volume from which the container's volume should be mounted. + /// Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + /// Defaults to "" (volume's root). + /// SubPathExpr and SubPath are mutually exclusive. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "subPathExpr")] + pub sub_path_expr: Option, +} + +/// Volume represents a named volume in a pod that may be accessed by any container in the pod. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumes { + /// awsElasticBlockStore represents an AWS Disk resource that is attached to a + /// kubelet's host machine and then exposed to the pod. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + #[serde(default, skip_serializing_if = "Option::is_none", rename = "awsElasticBlockStore")] + pub aws_elastic_block_store: Option, + /// azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "azureDisk")] + pub azure_disk: Option, + /// azureFile represents an Azure File Service mount on the host and bind mount to the pod. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "azureFile")] + pub azure_file: Option, + /// cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cephfs: Option, + /// cinder represents a cinder volume attached and mounted on kubelets host machine. + /// More info: https://examples.k8s.io/mysql-cinder-pd/README.md + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cinder: Option, + /// configMap represents a configMap that should populate this volume + #[serde(default, skip_serializing_if = "Option::is_none", rename = "configMap")] + pub config_map: Option, + /// csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub csi: Option, + /// downwardAPI represents downward API about the pod that should populate this volume + #[serde(default, skip_serializing_if = "Option::is_none", rename = "downwardAPI")] + pub downward_api: Option, + /// emptyDir represents a temporary directory that shares a pod's lifetime. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + #[serde(default, skip_serializing_if = "Option::is_none", rename = "emptyDir")] + pub empty_dir: Option, + /// ephemeral represents a volume that is handled by a cluster storage driver. + /// The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + /// and deleted when the pod is removed. + /// Use this if: + /// a) the volume is only needed while the pod runs, + /// b) features of normal volumes like restoring from snapshot or capacity + /// tracking are needed, + /// c) the storage driver is specified through a storage class, and + /// d) the storage driver supports dynamic volume provisioning through + /// a PersistentVolumeClaim (see EphemeralVolumeSource for more + /// information on the connection between this volume type + /// and PersistentVolumeClaim). + /// Use PersistentVolumeClaim or one of the vendor-specific + /// APIs for volumes that persist for longer than the lifecycle + /// of an individual pod. + /// Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + /// be used that way - see the documentation of the driver for + /// more information. + /// A pod can use both types of ephemeral volumes and + /// persistent volumes at the same time. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ephemeral: Option, + /// fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub fc: Option, + /// flexVolume represents a generic volume resource that is + /// provisioned/attached using an exec based plugin. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "flexVolume")] + pub flex_volume: Option, + /// flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running + #[serde(default, skip_serializing_if = "Option::is_none")] + pub flocker: Option, + /// gcePersistentDisk represents a GCE Disk resource that is attached to a + /// kubelet's host machine and then exposed to the pod. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + #[serde(default, skip_serializing_if = "Option::is_none", rename = "gcePersistentDisk")] + pub gce_persistent_disk: Option, + /// gitRepo represents a git repository at a particular revision. + /// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + /// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + /// into the Pod's container. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "gitRepo")] + pub git_repo: Option, + /// glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + /// More info: https://examples.k8s.io/volumes/glusterfs/README.md + #[serde(default, skip_serializing_if = "Option::is_none")] + pub glusterfs: Option, + /// hostPath represents a pre-existing file or directory on the host + /// machine that is directly exposed to the container. This is generally + /// used for system agents or other privileged things that are allowed + /// to see the host machine. Most containers will NOT need this. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + /// --- + /// TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + /// mount host directories as read/write. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "hostPath")] + pub host_path: Option, + /// iscsi represents an ISCSI Disk resource that is attached to a + /// kubelet's host machine and then exposed to the pod. + /// More info: https://examples.k8s.io/volumes/iscsi/README.md + #[serde(default, skip_serializing_if = "Option::is_none")] + pub iscsi: Option, + /// name of the volume. + /// Must be a DNS_LABEL and unique within the pod. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + pub name: String, + /// nfs represents an NFS mount on the host that shares a pod's lifetime + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + #[serde(default, skip_serializing_if = "Option::is_none")] + pub nfs: Option, + /// persistentVolumeClaimVolumeSource represents a reference to a + /// PersistentVolumeClaim in the same namespace. + /// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + #[serde(default, skip_serializing_if = "Option::is_none", rename = "persistentVolumeClaim")] + pub persistent_volume_claim: Option, + /// photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "photonPersistentDisk")] + pub photon_persistent_disk: Option, + /// portworxVolume represents a portworx volume attached and mounted on kubelets host machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "portworxVolume")] + pub portworx_volume: Option, + /// projected items for all in one resources secrets, configmaps, and downward API + #[serde(default, skip_serializing_if = "Option::is_none")] + pub projected: Option, + /// quobyte represents a Quobyte mount on the host that shares a pod's lifetime + #[serde(default, skip_serializing_if = "Option::is_none")] + pub quobyte: Option, + /// rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + /// More info: https://examples.k8s.io/volumes/rbd/README.md + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rbd: Option, + /// scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "scaleIO")] + pub scale_io: Option, + /// secret represents a secret that should populate this volume. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + #[serde(default, skip_serializing_if = "Option::is_none")] + pub secret: Option, + /// storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub storageos: Option, + /// vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "vsphereVolume")] + pub vsphere_volume: Option, +} + +/// awsElasticBlockStore represents an AWS Disk resource that is attached to a +/// kubelet's host machine and then exposed to the pod. +/// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesAwsElasticBlockStore { + /// fsType is the filesystem type of the volume that you want to mount. + /// Tip: Ensure that the filesystem type is supported by the host operating system. + /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + /// TODO: how do we prevent errors in the filesystem from compromising the machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// partition is the partition in the volume that you want to mount. + /// If omitted, the default is to mount by volume name. + /// Examples: For volume /dev/sda1, you specify the partition as "1". + /// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub partition: Option, + /// readOnly value true will force the readOnly setting in VolumeMounts. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + #[serde(rename = "volumeID")] + pub volume_id: String, +} + +/// azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesAzureDisk { + /// cachingMode is the Host Caching mode: None, Read Only, Read Write. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cachingMode")] + pub caching_mode: Option, + /// diskName is the Name of the data disk in the blob storage + #[serde(rename = "diskName")] + pub disk_name: String, + /// diskURI is the URI of data disk in the blob storage + #[serde(rename = "diskURI")] + pub disk_uri: String, + /// fsType is Filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared + #[serde(default, skip_serializing_if = "Option::is_none")] + pub kind: Option, + /// readOnly Defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, +} + +/// azureFile represents an Azure File Service mount on the host and bind mount to the pod. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesAzureFile { + /// readOnly defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretName is the name of secret that contains Azure Storage Account Name and Key + #[serde(rename = "secretName")] + pub secret_name: String, + /// shareName is the azure share Name + #[serde(rename = "shareName")] + pub share_name: String, +} + +/// cephFS represents a Ceph FS mount on the host that shares a pod's lifetime +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesCephfs { + /// monitors is Required: Monitors is a collection of Ceph monitors + /// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + pub monitors: Vec, + /// path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + #[serde(default, skip_serializing_if = "Option::is_none")] + pub path: Option, + /// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + /// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + /// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretFile")] + pub secret_file: Option, + /// secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + /// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")] + pub secret_ref: Option, + /// user is optional: User is the rados user name, default is admin + /// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none")] + pub user: Option, +} + +/// secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. +/// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesCephfsSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// cinder represents a cinder volume attached and mounted on kubelets host machine. +/// More info: https://examples.k8s.io/mysql-cinder-pd/README.md +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesCinder { + /// fsType is the filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + /// More info: https://examples.k8s.io/mysql-cinder-pd/README.md + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// readOnly defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + /// More info: https://examples.k8s.io/mysql-cinder-pd/README.md + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretRef is optional: points to a secret object containing parameters used to connect + /// to OpenStack. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")] + pub secret_ref: Option, + /// volumeID used to identify the volume in cinder. + /// More info: https://examples.k8s.io/mysql-cinder-pd/README.md + #[serde(rename = "volumeID")] + pub volume_id: String, +} + +/// secretRef is optional: points to a secret object containing parameters used to connect +/// to OpenStack. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesCinderSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// configMap represents a configMap that should populate this volume +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesConfigMap { + /// defaultMode is optional: mode bits used to set permissions on created files by default. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// Defaults to 0644. + /// Directories within the path are not affected by this setting. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] + pub default_mode: Option, + /// items if unspecified, each key-value pair in the Data field of the referenced + /// ConfigMap will be projected into the volume as a file whose name is the + /// key and content is the value. If specified, the listed keys will be + /// projected into the specified paths, and unlisted keys will not be + /// present. If a key is specified which is not present in the ConfigMap, + /// the volume setup will error unless it is marked optional. Paths must be + /// relative and may not contain the '..' path or start with '..'. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub items: Option>, + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// optional specify whether the ConfigMap or its keys must be defined + #[serde(default, skip_serializing_if = "Option::is_none")] + pub optional: Option, +} + +/// Maps a string key to a path within a volume. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesConfigMapItems { + /// key is the key to project. + pub key: String, + /// mode is Optional: mode bits used to set permissions on this file. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// If not specified, the volume defaultMode will be used. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mode: Option, + /// path is the relative path of the file to map the key to. + /// May not be an absolute path. + /// May not contain the path element '..'. + /// May not start with the string '..'. + pub path: String, +} + +/// csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesCsi { + /// driver is the name of the CSI driver that handles this volume. + /// Consult with your admin for the correct name as registered in the cluster. + pub driver: String, + /// fsType to mount. Ex. "ext4", "xfs", "ntfs". + /// If not provided, the empty value is passed to the associated CSI driver + /// which will determine the default filesystem to apply. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// nodePublishSecretRef is a reference to the secret object containing + /// sensitive information to pass to the CSI driver to complete the CSI + /// NodePublishVolume and NodeUnpublishVolume calls. + /// This field is optional, and may be empty if no secret is required. If the + /// secret object contains more than one secret, all secret references are passed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodePublishSecretRef")] + pub node_publish_secret_ref: Option, + /// readOnly specifies a read-only configuration for the volume. + /// Defaults to false (read/write). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// volumeAttributes stores driver-specific properties that are passed to the CSI + /// driver. Consult your driver's documentation for supported values. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributes")] + pub volume_attributes: Option>, +} + +/// nodePublishSecretRef is a reference to the secret object containing +/// sensitive information to pass to the CSI driver to complete the CSI +/// NodePublishVolume and NodeUnpublishVolume calls. +/// This field is optional, and may be empty if no secret is required. If the +/// secret object contains more than one secret, all secret references are passed. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesCsiNodePublishSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// downwardAPI represents downward API about the pod that should populate this volume +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesDownwardApi { + /// Optional: mode bits to use on created files by default. Must be a + /// Optional: mode bits used to set permissions on created files by default. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// Defaults to 0644. + /// Directories within the path are not affected by this setting. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] + pub default_mode: Option, + /// Items is a list of downward API volume file + #[serde(default, skip_serializing_if = "Option::is_none")] + pub items: Option>, +} + +/// DownwardAPIVolumeFile represents information to create the file containing the pod field +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesDownwardApiItems { + /// Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fieldRef")] + pub field_ref: Option, + /// Optional: mode bits used to set permissions on this file, must be an octal value + /// between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// If not specified, the volume defaultMode will be used. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mode: Option, + /// Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..' + pub path: String, + /// Selects a resource of the container: only resources limits and requests + /// (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceFieldRef")] + pub resource_field_ref: Option, +} + +/// Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesDownwardApiItemsFieldRef { + /// Version of the schema the FieldPath is written in terms of, defaults to "v1". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiVersion")] + pub api_version: Option, + /// Path of the field to select in the specified API version. + #[serde(rename = "fieldPath")] + pub field_path: String, +} + +/// Selects a resource of the container: only resources limits and requests +/// (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesDownwardApiItemsResourceFieldRef { + /// Container name: required for volumes, optional for env vars + #[serde(default, skip_serializing_if = "Option::is_none", rename = "containerName")] + pub container_name: Option, + /// Specifies the output format of the exposed resources, defaults to "1" + #[serde(default, skip_serializing_if = "Option::is_none")] + pub divisor: Option, + /// Required: resource to select + pub resource: String, +} + +/// emptyDir represents a temporary directory that shares a pod's lifetime. +/// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEmptyDir { + /// medium represents what type of storage medium should back this directory. + /// The default is "" which means to use the node's default medium. + /// Must be an empty string (default) or Memory. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + #[serde(default, skip_serializing_if = "Option::is_none")] + pub medium: Option, + /// sizeLimit is the total amount of local storage required for this EmptyDir volume. + /// The size limit is also applicable for memory medium. + /// The maximum usage on memory medium EmptyDir would be the minimum value between + /// the SizeLimit specified here and the sum of memory limits of all containers in a pod. + /// The default is nil which means that the limit is undefined. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sizeLimit")] + pub size_limit: Option, +} + +/// ephemeral represents a volume that is handled by a cluster storage driver. +/// The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, +/// and deleted when the pod is removed. +/// Use this if: +/// a) the volume is only needed while the pod runs, +/// b) features of normal volumes like restoring from snapshot or capacity +/// tracking are needed, +/// c) the storage driver is specified through a storage class, and +/// d) the storage driver supports dynamic volume provisioning through +/// a PersistentVolumeClaim (see EphemeralVolumeSource for more +/// information on the connection between this volume type +/// and PersistentVolumeClaim). +/// Use PersistentVolumeClaim or one of the vendor-specific +/// APIs for volumes that persist for longer than the lifecycle +/// of an individual pod. +/// Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to +/// be used that way - see the documentation of the driver for +/// more information. +/// A pod can use both types of ephemeral volumes and +/// persistent volumes at the same time. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeral { + /// Will be used to create a stand-alone PVC to provision the volume. + /// The pod in which this EphemeralVolumeSource is embedded will be the + /// owner of the PVC, i.e. the PVC will be deleted together with the + /// pod. The name of the PVC will be `-` where + /// `` is the name from the `PodSpec.Volumes` array + /// entry. Pod validation will reject the pod if the concatenated name + /// is not valid for a PVC (for example, too long). + /// An existing PVC with that name that is not owned by the pod + /// will *not* be used for the pod to avoid using an unrelated + /// volume by mistake. Starting the pod is then blocked until + /// the unrelated PVC is removed. If such a pre-created PVC is + /// meant to be used by the pod, the PVC has to updated with an + /// owner reference to the pod once the pod exists. Normally + /// this should not be necessary, but it may be useful when + /// manually reconstructing a broken cluster. + /// This field is read-only and no changes will be made by Kubernetes + /// to the PVC after it has been created. + /// Required, must not be nil. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeClaimTemplate")] + pub volume_claim_template: Option, +} + +/// Will be used to create a stand-alone PVC to provision the volume. +/// The pod in which this EphemeralVolumeSource is embedded will be the +/// owner of the PVC, i.e. the PVC will be deleted together with the +/// pod. The name of the PVC will be `-` where +/// `` is the name from the `PodSpec.Volumes` array +/// entry. Pod validation will reject the pod if the concatenated name +/// is not valid for a PVC (for example, too long). +/// An existing PVC with that name that is not owned by the pod +/// will *not* be used for the pod to avoid using an unrelated +/// volume by mistake. Starting the pod is then blocked until +/// the unrelated PVC is removed. If such a pre-created PVC is +/// meant to be used by the pod, the PVC has to updated with an +/// owner reference to the pod once the pod exists. Normally +/// this should not be necessary, but it may be useful when +/// manually reconstructing a broken cluster. +/// This field is read-only and no changes will be made by Kubernetes +/// to the PVC after it has been created. +/// Required, must not be nil. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplate { + /// May contain labels and annotations that will be copied into the PVC + /// when creating it. No other fields are allowed and will be rejected during + /// validation. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metadata: Option, + /// The specification for the PersistentVolumeClaim. The entire content is + /// copied unchanged into the PVC that gets created from this + /// template. The same fields as in a PersistentVolumeClaim + /// are also valid here. + pub spec: ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpec, +} + +/// May contain labels and annotations that will be copied into the PVC +/// when creating it. No other fields are allowed and will be rejected during +/// validation. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateMetadata { +} + +/// The specification for the PersistentVolumeClaim. The entire content is +/// copied unchanged into the PVC that gets created from this +/// template. The same fields as in a PersistentVolumeClaim +/// are also valid here. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpec { + /// accessModes contains the desired access modes the volume should have. + /// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessModes")] + pub access_modes: Option>, + /// dataSource field can be used to specify either: + /// * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + /// * An existing PVC (PersistentVolumeClaim) + /// If the provisioner or an external controller can support the specified data source, + /// it will create a new volume based on the contents of the specified data source. + /// When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + /// and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + /// If the namespace is specified, then dataSourceRef will not be copied to dataSource. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSource")] + pub data_source: Option, + /// dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + /// volume is desired. This may be any object from a non-empty API group (non + /// core object) or a PersistentVolumeClaim object. + /// When this field is specified, volume binding will only succeed if the type of + /// the specified object matches some installed volume populator or dynamic + /// provisioner. + /// This field will replace the functionality of the dataSource field and as such + /// if both fields are non-empty, they must have the same value. For backwards + /// compatibility, when namespace isn't specified in dataSourceRef, + /// both fields (dataSource and dataSourceRef) will be set to the same + /// value automatically if one of them is empty and the other is non-empty. + /// When namespace is specified in dataSourceRef, + /// dataSource isn't set to the same value and must be empty. + /// There are three important differences between dataSource and dataSourceRef: + /// * While dataSource only allows two specific types of objects, dataSourceRef + /// allows any non-core object, as well as PersistentVolumeClaim objects. + /// * While dataSource ignores disallowed values (dropping them), dataSourceRef + /// preserves all values, and generates an error if a disallowed value is + /// specified. + /// * While dataSource only allows local objects, dataSourceRef allows objects + /// in any namespaces. + /// (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + /// (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dataSourceRef")] + pub data_source_ref: Option, + /// resources represents the minimum resources the volume should have. + /// If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + /// that are lower than previous value but must still be higher than capacity recorded in the + /// status field of the claim. + /// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option, + /// selector is a label query over volumes to consider for binding. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selector: Option, + /// storageClassName is the name of the StorageClass required by the claim. + /// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageClassName")] + pub storage_class_name: Option, + /// volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + /// If specified, the CSI driver will create or update the volume with the attributes defined + /// in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + /// it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + /// will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + /// If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + /// will be set by the persistentvolume controller if it exists. + /// If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + /// set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + /// exists. + /// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + /// (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeAttributesClassName")] + pub volume_attributes_class_name: Option, + /// volumeMode defines what type of volume is required by the claim. + /// Value of Filesystem is implied when not included in claim spec. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeMode")] + pub volume_mode: Option, + /// volumeName is the binding reference to the PersistentVolume backing this claim. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +/// dataSource field can be used to specify either: +/// * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) +/// * An existing PVC (PersistentVolumeClaim) +/// If the provisioner or an external controller can support the specified data source, +/// it will create a new volume based on the contents of the specified data source. +/// When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, +/// and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. +/// If the namespace is specified, then dataSourceRef will not be copied to dataSource. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpecDataSource { + /// APIGroup is the group for the resource being referenced. + /// If APIGroup is not specified, the specified Kind must be in the core API group. + /// For any other third-party types, APIGroup is required. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + /// Kind is the type of resource being referenced + pub kind: String, + /// Name is the name of resource being referenced + pub name: String, +} + +/// dataSourceRef specifies the object from which to populate the volume with data, if a non-empty +/// volume is desired. This may be any object from a non-empty API group (non +/// core object) or a PersistentVolumeClaim object. +/// When this field is specified, volume binding will only succeed if the type of +/// the specified object matches some installed volume populator or dynamic +/// provisioner. +/// This field will replace the functionality of the dataSource field and as such +/// if both fields are non-empty, they must have the same value. For backwards +/// compatibility, when namespace isn't specified in dataSourceRef, +/// both fields (dataSource and dataSourceRef) will be set to the same +/// value automatically if one of them is empty and the other is non-empty. +/// When namespace is specified in dataSourceRef, +/// dataSource isn't set to the same value and must be empty. +/// There are three important differences between dataSource and dataSourceRef: +/// * While dataSource only allows two specific types of objects, dataSourceRef +/// allows any non-core object, as well as PersistentVolumeClaim objects. +/// * While dataSource ignores disallowed values (dropping them), dataSourceRef +/// preserves all values, and generates an error if a disallowed value is +/// specified. +/// * While dataSource only allows local objects, dataSourceRef allows objects +/// in any namespaces. +/// (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. +/// (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpecDataSourceRef { + /// APIGroup is the group for the resource being referenced. + /// If APIGroup is not specified, the specified Kind must be in the core API group. + /// For any other third-party types, APIGroup is required. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiGroup")] + pub api_group: Option, + /// Kind is the type of resource being referenced + pub kind: String, + /// Name is the name of resource being referenced + pub name: String, + /// Namespace is the namespace of resource being referenced + /// Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + /// (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +/// resources represents the minimum resources the volume should have. +/// If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements +/// that are lower than previous value but must still be higher than capacity recorded in the +/// status field of the claim. +/// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpecResources { + /// Limits describes the maximum amount of compute resources allowed. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + /// Requests describes the minimum amount of compute resources required. + /// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + /// otherwise to an implementation-defined value. Requests cannot exceed Limits. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +/// selector is a label query over volumes to consider for binding. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpecSelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesEphemeralVolumeClaimTemplateSpecSelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesFc { + /// fsType is the filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + /// TODO: how do we prevent errors in the filesystem from compromising the machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// lun is Optional: FC target lun number + #[serde(default, skip_serializing_if = "Option::is_none")] + pub lun: Option, + /// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// targetWWNs is Optional: FC target worldwide names (WWNs) + #[serde(default, skip_serializing_if = "Option::is_none", rename = "targetWWNs")] + pub target_ww_ns: Option>, + /// wwids Optional: FC volume world wide identifiers (wwids) + /// Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub wwids: Option>, +} + +/// flexVolume represents a generic volume resource that is +/// provisioned/attached using an exec based plugin. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesFlexVolume { + /// driver is the name of the driver to use for this volume. + pub driver: String, + /// fsType is the filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// options is Optional: this field holds extra command options if any. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub options: Option>, + /// readOnly is Optional: defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretRef is Optional: secretRef is reference to the secret object containing + /// sensitive information to pass to the plugin scripts. This may be + /// empty if no secret object is specified. If the secret object + /// contains more than one secret, all secrets are passed to the plugin + /// scripts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")] + pub secret_ref: Option, +} + +/// secretRef is Optional: secretRef is reference to the secret object containing +/// sensitive information to pass to the plugin scripts. This may be +/// empty if no secret object is specified. If the secret object +/// contains more than one secret, all secrets are passed to the plugin +/// scripts. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesFlexVolumeSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesFlocker { + /// datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + /// should be considered as deprecated + #[serde(default, skip_serializing_if = "Option::is_none", rename = "datasetName")] + pub dataset_name: Option, + /// datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + #[serde(default, skip_serializing_if = "Option::is_none", rename = "datasetUUID")] + pub dataset_uuid: Option, +} + +/// gcePersistentDisk represents a GCE Disk resource that is attached to a +/// kubelet's host machine and then exposed to the pod. +/// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesGcePersistentDisk { + /// fsType is filesystem type of the volume that you want to mount. + /// Tip: Ensure that the filesystem type is supported by the host operating system. + /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + /// TODO: how do we prevent errors in the filesystem from compromising the machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// partition is the partition in the volume that you want to mount. + /// If omitted, the default is to mount by volume name. + /// Examples: For volume /dev/sda1, you specify the partition as "1". + /// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + #[serde(default, skip_serializing_if = "Option::is_none")] + pub partition: Option, + /// pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + #[serde(rename = "pdName")] + pub pd_name: String, + /// readOnly here will force the ReadOnly setting in VolumeMounts. + /// Defaults to false. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, +} + +/// gitRepo represents a git repository at a particular revision. +/// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +/// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +/// into the Pod's container. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesGitRepo { + /// directory is the target directory name. + /// Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + /// git repository. Otherwise, if specified, the volume will contain the git repository in + /// the subdirectory with the given name. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub directory: Option, + /// repository is the URL + pub repository: String, + /// revision is the commit hash for the specified revision. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revision: Option, +} + +/// glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. +/// More info: https://examples.k8s.io/volumes/glusterfs/README.md +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesGlusterfs { + /// endpoints is the endpoint name that details Glusterfs topology. + /// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + pub endpoints: String, + /// path is the Glusterfs volume path. + /// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + pub path: String, + /// readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + /// Defaults to false. + /// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, +} + +/// hostPath represents a pre-existing file or directory on the host +/// machine that is directly exposed to the container. This is generally +/// used for system agents or other privileged things that are allowed +/// to see the host machine. Most containers will NOT need this. +/// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +/// --- +/// TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not +/// mount host directories as read/write. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesHostPath { + /// path of the directory on the host. + /// If the path is a symlink, it will follow the link to the real path. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + pub path: String, + /// type for HostPath Volume + /// Defaults to "" + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")] + pub r#type: Option, +} + +/// iscsi represents an ISCSI Disk resource that is attached to a +/// kubelet's host machine and then exposed to the pod. +/// More info: https://examples.k8s.io/volumes/iscsi/README.md +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesIscsi { + /// chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + #[serde(default, skip_serializing_if = "Option::is_none", rename = "chapAuthDiscovery")] + pub chap_auth_discovery: Option, + /// chapAuthSession defines whether support iSCSI Session CHAP authentication + #[serde(default, skip_serializing_if = "Option::is_none", rename = "chapAuthSession")] + pub chap_auth_session: Option, + /// fsType is the filesystem type of the volume that you want to mount. + /// Tip: Ensure that the filesystem type is supported by the host operating system. + /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + /// TODO: how do we prevent errors in the filesystem from compromising the machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// initiatorName is the custom iSCSI Initiator Name. + /// If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + /// : will be created for the connection. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "initiatorName")] + pub initiator_name: Option, + /// iqn is the target iSCSI Qualified Name. + pub iqn: String, + /// iscsiInterface is the interface Name that uses an iSCSI transport. + /// Defaults to 'default' (tcp). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "iscsiInterface")] + pub iscsi_interface: Option, + /// lun represents iSCSI Target Lun number. + pub lun: i32, + /// portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + /// is other than default (typically TCP ports 860 and 3260). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub portals: Option>, + /// readOnly here will force the ReadOnly setting in VolumeMounts. + /// Defaults to false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretRef is the CHAP Secret for iSCSI target and initiator authentication + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")] + pub secret_ref: Option, + /// targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + /// is other than default (typically TCP ports 860 and 3260). + #[serde(rename = "targetPortal")] + pub target_portal: String, +} + +/// secretRef is the CHAP Secret for iSCSI target and initiator authentication +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesIscsiSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// nfs represents an NFS mount on the host that shares a pod's lifetime +/// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesNfs { + /// path that is exported by the NFS server. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + pub path: String, + /// readOnly here will force the NFS export to be mounted with read-only permissions. + /// Defaults to false. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// server is the hostname or IP address of the NFS server. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + pub server: String, +} + +/// persistentVolumeClaimVolumeSource represents a reference to a +/// PersistentVolumeClaim in the same namespace. +/// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesPersistentVolumeClaim { + /// claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + /// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + #[serde(rename = "claimName")] + pub claim_name: String, + /// readOnly Will force the ReadOnly setting in VolumeMounts. + /// Default false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, +} + +/// photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesPhotonPersistentDisk { + /// fsType is the filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// pdID is the ID that identifies Photon Controller persistent disk + #[serde(rename = "pdID")] + pub pd_id: String, +} + +/// portworxVolume represents a portworx volume attached and mounted on kubelets host machine +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesPortworxVolume { + /// fSType represents the filesystem type to mount + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// readOnly defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// volumeID uniquely identifies a Portworx volume + #[serde(rename = "volumeID")] + pub volume_id: String, +} + +/// projected items for all in one resources secrets, configmaps, and downward API +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjected { + /// defaultMode are the mode bits used to set permissions on created files by default. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// Directories within the path are not affected by this setting. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] + pub default_mode: Option, + /// sources is the list of volume projections + #[serde(default, skip_serializing_if = "Option::is_none")] + pub sources: Option>, +} + +/// Projection that may be projected along with other supported volume types +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSources { + /// ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + /// of ClusterTrustBundle objects in an auto-updating file. + /// Alpha, gated by the ClusterTrustBundleProjection feature gate. + /// ClusterTrustBundle objects can either be selected by name, or by the + /// combination of signer name and a label selector. + /// Kubelet performs aggressive normalization of the PEM contents written + /// into the pod filesystem. Esoteric PEM features such as inter-block + /// comments and block headers are stripped. Certificates are deduplicated. + /// The ordering of certificates within the file is arbitrary, and Kubelet + /// may change the order over time. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "clusterTrustBundle")] + pub cluster_trust_bundle: Option, + /// configMap information about the configMap data to project + #[serde(default, skip_serializing_if = "Option::is_none", rename = "configMap")] + pub config_map: Option, + /// downwardAPI information about the downwardAPI data to project + #[serde(default, skip_serializing_if = "Option::is_none", rename = "downwardAPI")] + pub downward_api: Option, + /// secret information about the secret data to project + #[serde(default, skip_serializing_if = "Option::is_none")] + pub secret: Option, + /// serviceAccountToken is information about the serviceAccountToken data to project + #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountToken")] + pub service_account_token: Option, +} + +/// ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field +/// of ClusterTrustBundle objects in an auto-updating file. +/// Alpha, gated by the ClusterTrustBundleProjection feature gate. +/// ClusterTrustBundle objects can either be selected by name, or by the +/// combination of signer name and a label selector. +/// Kubelet performs aggressive normalization of the PEM contents written +/// into the pod filesystem. Esoteric PEM features such as inter-block +/// comments and block headers are stripped. Certificates are deduplicated. +/// The ordering of certificates within the file is arbitrary, and Kubelet +/// may change the order over time. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesClusterTrustBundle { + /// Select all ClusterTrustBundles that match this label selector. Only has + /// effect if signerName is set. Mutually-exclusive with name. If unset, + /// interpreted as "match nothing". If set but empty, interpreted as "match + /// everything". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")] + pub label_selector: Option, + /// Select a single ClusterTrustBundle by object name. Mutually-exclusive + /// with signerName and labelSelector. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// If true, don't block pod startup if the referenced ClusterTrustBundle(s) + /// aren't available. If using name, then the named ClusterTrustBundle is + /// allowed not to exist. If using signerName, then the combination of + /// signerName and labelSelector is allowed to match zero + /// ClusterTrustBundles. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub optional: Option, + /// Relative path from the volume root to write the bundle. + pub path: String, + /// Select all ClusterTrustBundles that match this signer name. + /// Mutually-exclusive with name. The contents of all selected + /// ClusterTrustBundles will be unified and deduplicated. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "signerName")] + pub signer_name: Option, +} + +/// Select all ClusterTrustBundles that match this label selector. Only has +/// effect if signerName is set. Mutually-exclusive with name. If unset, +/// interpreted as "match nothing". If set but empty, interpreted as "match +/// everything". +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesClusterTrustBundleLabelSelector { + /// matchExpressions is a list of label selector requirements. The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")] + pub match_expressions: Option>, + /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + /// map is equivalent to an element of matchExpressions, whose key field is "key", the + /// operator is "In", and the values array contains only "value". The requirements are ANDed. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")] + pub match_labels: Option>, +} + +/// A label selector requirement is a selector that contains values, a key, and an operator that +/// relates the key and values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesClusterTrustBundleLabelSelectorMatchExpressions { + /// key is the label key that the selector applies to. + pub key: String, + /// operator represents a key's relationship to a set of values. + /// Valid operators are In, NotIn, Exists and DoesNotExist. + pub operator: String, + /// values is an array of string values. If the operator is In or NotIn, + /// the values array must be non-empty. If the operator is Exists or DoesNotExist, + /// the values array must be empty. This array is replaced during a strategic + /// merge patch. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// configMap information about the configMap data to project +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesConfigMap { + /// items if unspecified, each key-value pair in the Data field of the referenced + /// ConfigMap will be projected into the volume as a file whose name is the + /// key and content is the value. If specified, the listed keys will be + /// projected into the specified paths, and unlisted keys will not be + /// present. If a key is specified which is not present in the ConfigMap, + /// the volume setup will error unless it is marked optional. Paths must be + /// relative and may not contain the '..' path or start with '..'. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub items: Option>, + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// optional specify whether the ConfigMap or its keys must be defined + #[serde(default, skip_serializing_if = "Option::is_none")] + pub optional: Option, +} + +/// Maps a string key to a path within a volume. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesConfigMapItems { + /// key is the key to project. + pub key: String, + /// mode is Optional: mode bits used to set permissions on this file. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// If not specified, the volume defaultMode will be used. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mode: Option, + /// path is the relative path of the file to map the key to. + /// May not be an absolute path. + /// May not contain the path element '..'. + /// May not start with the string '..'. + pub path: String, +} + +/// downwardAPI information about the downwardAPI data to project +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesDownwardApi { + /// Items is a list of DownwardAPIVolume file + #[serde(default, skip_serializing_if = "Option::is_none")] + pub items: Option>, +} + +/// DownwardAPIVolumeFile represents information to create the file containing the pod field +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesDownwardApiItems { + /// Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fieldRef")] + pub field_ref: Option, + /// Optional: mode bits used to set permissions on this file, must be an octal value + /// between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// If not specified, the volume defaultMode will be used. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mode: Option, + /// Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..' + pub path: String, + /// Selects a resource of the container: only resources limits and requests + /// (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "resourceFieldRef")] + pub resource_field_ref: Option, +} + +/// Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesDownwardApiItemsFieldRef { + /// Version of the schema the FieldPath is written in terms of, defaults to "v1". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiVersion")] + pub api_version: Option, + /// Path of the field to select in the specified API version. + #[serde(rename = "fieldPath")] + pub field_path: String, +} + +/// Selects a resource of the container: only resources limits and requests +/// (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesDownwardApiItemsResourceFieldRef { + /// Container name: required for volumes, optional for env vars + #[serde(default, skip_serializing_if = "Option::is_none", rename = "containerName")] + pub container_name: Option, + /// Specifies the output format of the exposed resources, defaults to "1" + #[serde(default, skip_serializing_if = "Option::is_none")] + pub divisor: Option, + /// Required: resource to select + pub resource: String, +} + +/// secret information about the secret data to project +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesSecret { + /// items if unspecified, each key-value pair in the Data field of the referenced + /// Secret will be projected into the volume as a file whose name is the + /// key and content is the value. If specified, the listed keys will be + /// projected into the specified paths, and unlisted keys will not be + /// present. If a key is specified which is not present in the Secret, + /// the volume setup will error unless it is marked optional. Paths must be + /// relative and may not contain the '..' path or start with '..'. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub items: Option>, + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// optional field specify whether the Secret or its key must be defined + #[serde(default, skip_serializing_if = "Option::is_none")] + pub optional: Option, +} + +/// Maps a string key to a path within a volume. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesSecretItems { + /// key is the key to project. + pub key: String, + /// mode is Optional: mode bits used to set permissions on this file. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// If not specified, the volume defaultMode will be used. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mode: Option, + /// path is the relative path of the file to map the key to. + /// May not be an absolute path. + /// May not contain the path element '..'. + /// May not start with the string '..'. + pub path: String, +} + +/// serviceAccountToken is information about the serviceAccountToken data to project +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesProjectedSourcesServiceAccountToken { + /// audience is the intended audience of the token. A recipient of a token + /// must identify itself with an identifier specified in the audience of the + /// token, and otherwise should reject the token. The audience defaults to the + /// identifier of the apiserver. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub audience: Option, + /// expirationSeconds is the requested duration of validity of the service + /// account token. As the token approaches expiration, the kubelet volume + /// plugin will proactively rotate the service account token. The kubelet will + /// start trying to rotate the token if the token is older than 80 percent of + /// its time to live or if the token is older than 24 hours.Defaults to 1 hour + /// and must be at least 10 minutes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "expirationSeconds")] + pub expiration_seconds: Option, + /// path is the path relative to the mount point of the file to project the + /// token into. + pub path: String, +} + +/// quobyte represents a Quobyte mount on the host that shares a pod's lifetime +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesQuobyte { + /// group to map volume access to + /// Default is no group + #[serde(default, skip_serializing_if = "Option::is_none")] + pub group: Option, + /// readOnly here will force the Quobyte volume to be mounted with read-only permissions. + /// Defaults to false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// registry represents a single or multiple Quobyte Registry services + /// specified as a string as host:port pair (multiple entries are separated with commas) + /// which acts as the central registry for volumes + pub registry: String, + /// tenant owning the given Quobyte volume in the Backend + /// Used with dynamically provisioned Quobyte volumes, value is set by the plugin + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tenant: Option, + /// user to map volume access to + /// Defaults to serivceaccount user + #[serde(default, skip_serializing_if = "Option::is_none")] + pub user: Option, + /// volume is a string that references an already created Quobyte volume by name. + pub volume: String, +} + +/// rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. +/// More info: https://examples.k8s.io/volumes/rbd/README.md +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesRbd { + /// fsType is the filesystem type of the volume that you want to mount. + /// Tip: Ensure that the filesystem type is supported by the host operating system. + /// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + /// TODO: how do we prevent errors in the filesystem from compromising the machine + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// image is the rados image name. + /// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + pub image: String, + /// keyring is the path to key ring for RBDUser. + /// Default is /etc/ceph/keyring. + /// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none")] + pub keyring: Option, + /// monitors is a collection of Ceph monitors. + /// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + pub monitors: Vec, + /// pool is the rados pool name. + /// Default is rbd. + /// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none")] + pub pool: Option, + /// readOnly here will force the ReadOnly setting in VolumeMounts. + /// Defaults to false. + /// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretRef is name of the authentication secret for RBDUser. If provided + /// overrides keyring. + /// Default is nil. + /// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")] + pub secret_ref: Option, + /// user is the rados user name. + /// Default is admin. + /// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + #[serde(default, skip_serializing_if = "Option::is_none")] + pub user: Option, +} + +/// secretRef is name of the authentication secret for RBDUser. If provided +/// overrides keyring. +/// Default is nil. +/// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesRbdSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesScaleIo { + /// fsType is the filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs", "ntfs". + /// Default is "xfs". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// gateway is the host address of the ScaleIO API Gateway. + pub gateway: String, + /// protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "protectionDomain")] + pub protection_domain: Option, + /// readOnly Defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretRef references to the secret for ScaleIO user and other + /// sensitive information. If this is not provided, Login operation will fail. + #[serde(rename = "secretRef")] + pub secret_ref: ContourDeploymentEnvoyExtraVolumesScaleIoSecretRef, + /// sslEnabled Flag enable/disable SSL communication with Gateway, default false + #[serde(default, skip_serializing_if = "Option::is_none", rename = "sslEnabled")] + pub ssl_enabled: Option, + /// storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + /// Default is ThinProvisioned. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storageMode")] + pub storage_mode: Option, + /// storagePool is the ScaleIO Storage Pool associated with the protection domain. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storagePool")] + pub storage_pool: Option, + /// system is the name of the storage system as configured in ScaleIO. + pub system: String, + /// volumeName is the name of a volume already created in the ScaleIO system + /// that is associated with this volume source. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeName")] + pub volume_name: Option, +} + +/// secretRef references to the secret for ScaleIO user and other +/// sensitive information. If this is not provided, Login operation will fail. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesScaleIoSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// secret represents a secret that should populate this volume. +/// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesSecret { + /// defaultMode is Optional: mode bits used to set permissions on created files by default. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values + /// for mode bits. Defaults to 0644. + /// Directories within the path are not affected by this setting. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultMode")] + pub default_mode: Option, + /// items If unspecified, each key-value pair in the Data field of the referenced + /// Secret will be projected into the volume as a file whose name is the + /// key and content is the value. If specified, the listed keys will be + /// projected into the specified paths, and unlisted keys will not be + /// present. If a key is specified which is not present in the Secret, + /// the volume setup will error unless it is marked optional. Paths must be + /// relative and may not contain the '..' path or start with '..'. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub items: Option>, + /// optional field specify whether the Secret or its keys must be defined + #[serde(default, skip_serializing_if = "Option::is_none")] + pub optional: Option, + /// secretName is the name of the secret in the pod's namespace to use. + /// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretName")] + pub secret_name: Option, +} + +/// Maps a string key to a path within a volume. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesSecretItems { + /// key is the key to project. + pub key: String, + /// mode is Optional: mode bits used to set permissions on this file. + /// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + /// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + /// If not specified, the volume defaultMode will be used. + /// This might be in conflict with other options that affect the file + /// mode, like fsGroup, and the result can be other mode bits set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mode: Option, + /// path is the relative path of the file to map the key to. + /// May not be an absolute path. + /// May not contain the path element '..'. + /// May not start with the string '..'. + pub path: String, +} + +/// storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesStorageos { + /// fsType is the filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// readOnly defaults to false (read/write). ReadOnly here will force + /// the ReadOnly setting in VolumeMounts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "readOnly")] + pub read_only: Option, + /// secretRef specifies the secret to use for obtaining the StorageOS API + /// credentials. If not specified, default values will be attempted. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")] + pub secret_ref: Option, + /// volumeName is the human-readable name of the StorageOS volume. Volume + /// names are only unique within a namespace. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeName")] + pub volume_name: Option, + /// volumeNamespace specifies the scope of the volume within StorageOS. If no + /// namespace is specified then the Pod's namespace will be used. This allows the + /// Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + /// Set VolumeName to any name to override the default behaviour. + /// Set to "default" if you are not using namespaces within StorageOS. + /// Namespaces that do not pre-exist within StorageOS will be created. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "volumeNamespace")] + pub volume_namespace: Option, +} + +/// secretRef specifies the secret to use for obtaining the StorageOS API +/// credentials. If not specified, default values will be attempted. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesStorageosSecretRef { + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + /// TODO: Add other useful fields. apiVersion, kind, uid? + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, +} + +/// vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyExtraVolumesVsphereVolume { + /// fsType is filesystem type to mount. + /// Must be a filesystem type supported by the host operating system. + /// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsType")] + pub fs_type: Option, + /// storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storagePolicyID")] + pub storage_policy_id: Option, + /// storagePolicyName is the storage Policy Based Management (SPBM) profile name. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "storagePolicyName")] + pub storage_policy_name: Option, + /// volumePath is the path that identifies vSphere volume vmdk + #[serde(rename = "volumePath")] + pub volume_path: String, +} + +/// NetworkPublishing defines how to expose Envoy to a network. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyNetworkPublishing { + /// ExternalTrafficPolicy describes how nodes distribute service traffic they + /// receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + /// and LoadBalancer IPs). + /// If unset, defaults to "Local". + #[serde(default, skip_serializing_if = "Option::is_none", rename = "externalTrafficPolicy")] + pub external_traffic_policy: Option, + /// IPFamilyPolicy represents the dual-stack-ness requested or required by + /// this Service. If there is no value provided, then this field will be set + /// to SingleStack. Services can be "SingleStack" (a single IP family), + /// "PreferDualStack" (two IP families on dual-stack configured clusters or + /// a single IP family on single-stack clusters), or "RequireDualStack" + /// (two IP families on dual-stack configured clusters, otherwise fail). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipFamilyPolicy")] + pub ip_family_policy: Option, + /// ServiceAnnotations is the annotations to add to + /// the provisioned Envoy service. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAnnotations")] + pub service_annotations: Option>, + /// NetworkPublishingType is the type of publishing strategy to use. Valid values are: + /// * LoadBalancerService + /// In this configuration, network endpoints for Envoy use container networking. + /// A Kubernetes LoadBalancer Service is created to publish Envoy network + /// endpoints. + /// See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + /// * NodePortService + /// Publishes Envoy network endpoints using a Kubernetes NodePort Service. + /// In this configuration, Envoy network endpoints use container networking. A Kubernetes + /// NodePort Service is created to publish the network endpoints. + /// See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + /// NOTE: + /// When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + /// the Service's node port values, there's no way to auto-allocate them. + /// See: https://github.com/projectcontour/contour/issues/4499 + /// * ClusterIPService + /// Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + /// In this configuration, Envoy network endpoints use container networking. A Kubernetes + /// ClusterIP Service is created to publish the network endpoints. + /// See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + /// If unset, defaults to LoadBalancerService. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")] + pub r#type: Option, +} + +/// NodePlacement describes node scheduling configuration of Envoy pods. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyNodePlacement { + /// NodeSelector is the simplest recommended form of node selection constraint + /// and specifies a map of key-value pairs. For the pod to be eligible + /// to run on a node, the node must have each of the indicated key-value pairs + /// as labels (it can have additional labels as well). + /// If unset, the pod(s) will be scheduled to any available node. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeSelector")] + pub node_selector: Option>, + /// Tolerations work with taints to ensure that pods are not scheduled + /// onto inappropriate nodes. One or more taints are applied to a node; this + /// marks that the node should not accept any pods that do not tolerate the + /// taints. + /// The default is an empty list. + /// See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + /// for additional details. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tolerations: Option>, +} + +/// The pod this Toleration is attached to tolerates any taint that matches +/// the triple using the matching operator . +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyNodePlacementTolerations { + /// Effect indicates the taint effect to match. Empty means match all taint effects. + /// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub effect: Option, + /// Key is the taint key that the toleration applies to. Empty means match all taint keys. + /// If the key is empty, operator must be Exists; this combination means to match all values and all keys. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Operator represents a key's relationship to the value. + /// Valid operators are Exists and Equal. Defaults to Equal. + /// Exists is equivalent to wildcard for value, so that a pod can + /// tolerate all taints of a particular category. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub operator: Option, + /// TolerationSeconds represents the period of time the toleration (which must be + /// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + /// it is not set, which means tolerate the taint forever (do not evict). Zero and + /// negative values will be treated as 0 (evict immediately) by the system. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "tolerationSeconds")] + pub toleration_seconds: Option, + /// Value is the taint value the toleration matches to. + /// If the operator is Exists, the value should be empty, otherwise just a regular string. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// Compute Resources required by envoy container. +/// Cannot be updated. +/// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyResources { + /// Claims lists the names of resources, defined in spec.resourceClaims, + /// that are used by this container. + /// This is an alpha field and requires enabling the + /// DynamicResourceAllocation feature gate. + /// This field is immutable. It can only be set for containers. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub claims: Option>, + /// Limits describes the maximum amount of compute resources allowed. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub limits: Option>, + /// Requests describes the minimum amount of compute resources required. + /// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + /// otherwise to an implementation-defined value. Requests cannot exceed Limits. + /// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub requests: Option>, +} + +/// ResourceClaim references one entry in PodSpec.ResourceClaims. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentEnvoyResourcesClaims { + /// Name must match the name of one entry in pod.spec.resourceClaims of + /// the Pod where this field is used. It makes that resource available + /// inside a container. + pub name: String, +} + +/// RuntimeSettings is a ContourConfiguration spec to be used when +/// provisioning a Contour instance that will influence aspects of +/// the Contour instance's runtime behavior. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettings { + /// Debug contains parameters to enable debug logging + /// and debug interfaces inside Contour. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub debug: Option, + /// EnableExternalNameService allows processing of ExternalNameServices + /// Contour's default is false for security reasons. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableExternalNameService")] + pub enable_external_name_service: Option, + /// Envoy contains parameters for Envoy as well + /// as how to optionally configure a managed Envoy fleet. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub envoy: Option, + /// FeatureFlags defines toggle to enable new contour features. + /// Available toggles are: + /// useEndpointSlices - configures contour to fetch endpoint data + /// from k8s endpoint slices. defaults to false and reading endpoint + /// data from the k8s endpoints. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "featureFlags")] + pub feature_flags: Option>, + /// Gateway contains parameters for the gateway-api Gateway that Contour + /// is configured to serve traffic. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub gateway: Option, + /// GlobalExternalAuthorization allows envoys external authorization filter + /// to be enabled for all virtual hosts. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "globalExtAuth")] + pub global_ext_auth: Option, + /// Health defines the endpoints Contour uses to serve health checks. + /// Contour's default is { address: "0.0.0.0", port: 8000 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub health: Option, + /// HTTPProxy defines parameters on HTTPProxy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub httpproxy: Option, + /// Ingress contains parameters for ingress options. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub ingress: Option, + /// Metrics defines the endpoint Contour uses to serve metrics. + /// Contour's default is { address: "0.0.0.0", port: 8000 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Policy specifies default policy applied if not overridden by the user + #[serde(default, skip_serializing_if = "Option::is_none")] + pub policy: Option, + /// RateLimitService optionally holds properties of the Rate Limit Service + /// to be used for global rate limiting. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rateLimitService")] + pub rate_limit_service: Option, + /// Tracing defines properties for exporting trace data to OpenTelemetry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tracing: Option, + /// XDSServer contains parameters for the xDS server. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "xdsServer")] + pub xds_server: Option, +} + +/// Debug contains parameters to enable debug logging +/// and debug interfaces inside Contour. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsDebug { + /// Defines the Contour debug address interface. + /// Contour's default is "127.0.0.1". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the Contour debug address port. + /// Contour's default is 6060. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Envoy contains parameters for Envoy as well +/// as how to optionally configure a managed Envoy fleet. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoy { + /// ClientCertificate defines the namespace/name of the Kubernetes + /// secret containing the client certificate and private key + /// to be used when establishing TLS connection to upstream + /// cluster. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientCertificate")] + pub client_certificate: Option, + /// Cluster holds various configurable Envoy cluster values that can + /// be set in the config file. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cluster: Option, + /// DefaultHTTPVersions defines the default set of HTTPS + /// versions the proxy should accept. HTTP versions are + /// strings of the form "HTTP/xx". Supported versions are + /// "HTTP/1.1" and "HTTP/2". + /// Values: `HTTP/1.1`, `HTTP/2` (default: both). + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultHTTPVersions")] + pub default_http_versions: Option>, + /// Health defines the endpoint Envoy uses to serve health checks. + /// Contour's default is { address: "0.0.0.0", port: 8002 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub health: Option, + /// Defines the HTTP Listener for Envoy. + /// Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub http: Option, + /// Defines the HTTPS Listener for Envoy. + /// Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub https: Option, + /// Listener hold various configurable Envoy listener values. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub listener: Option, + /// Logging defines how Envoy's logs can be configured. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub logging: Option, + /// Metrics defines the endpoint Envoy uses to serve metrics. + /// Contour's default is { address: "0.0.0.0", port: 8002 }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub metrics: Option, + /// Network holds various configurable Envoy network values. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub network: Option, + /// Service holds Envoy service parameters for setting Ingress status. + /// Contour's default is { namespace: "projectcontour", name: "envoy" }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub service: Option, + /// Timeouts holds various configurable timeouts that can + /// be set in the config file. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub timeouts: Option, +} + +/// ClientCertificate defines the namespace/name of the Kubernetes +/// secret containing the client certificate and private key +/// to be used when establishing TLS connection to upstream +/// cluster. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyClientCertificate { + pub name: String, + pub namespace: String, +} + +/// Cluster holds various configurable Envoy cluster values that can +/// be set in the config file. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyCluster { + /// GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + /// If defined, this will be used as the default for all services. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "circuitBreakers")] + pub circuit_breakers: Option, + /// DNSLookupFamily defines how external names are looked up + /// When configured as V4, the DNS resolver will only perform a lookup + /// for addresses in the IPv4 family. If V6 is configured, the DNS resolver + /// will only perform a lookup for addresses in the IPv6 family. + /// If AUTO is configured, the DNS resolver will first perform a lookup + /// for addresses in the IPv6 family and fallback to a lookup for addresses + /// in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + /// both IPv4 and IPv6 families, and return all resolved addresses. + /// When this is used, Happy Eyeballs will be enabled for upstream connections. + /// Refer to Happy Eyeballs Support for more information. + /// Note: This only applies to externalName clusters. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + /// for more information. + /// Values: `auto` (default), `v4`, `v6`, `all`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsLookupFamily")] + pub dns_lookup_family: Option, + /// Defines the maximum requests for upstream connections. If not specified, there is no limit. + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestsPerConnection")] + pub max_requests_per_connection: Option, + /// Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + /// If unspecified, an implementation defined default is applied (1MiB). + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "per-connection-buffer-limit-bytes")] + pub per_connection_buffer_limit_bytes: Option, + /// UpstreamTLS contains the TLS policy parameters for upstream connections + #[serde(default, skip_serializing_if = "Option::is_none", rename = "upstreamTLS")] + pub upstream_tls: Option, +} + +/// GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. +/// If defined, this will be used as the default for all services. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyClusterCircuitBreakers { + /// The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxConnections")] + pub max_connections: Option, + /// The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxPendingRequests")] + pub max_pending_requests: Option, + /// The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024 + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequests")] + pub max_requests: Option, + /// The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRetries")] + pub max_retries: Option, +} + +/// UpstreamTLS contains the TLS policy parameters for upstream connections +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyClusterUpstreamTls { + /// CipherSuites defines the TLS ciphers to be supported by Envoy TLS + /// listeners when negotiating TLS 1.2. Ciphers are validated against the + /// set that Envoy supports by default. This parameter should only be used + /// by advanced users. Note that these will be ignored when TLS 1.3 is in + /// use. + /// This field is optional; when it is undefined, a Contour-managed ciphersuite list + /// will be used, which may be updated to keep it secure. + /// Contour's default list is: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// Ciphers provided are validated against the following list: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES128-GCM-SHA256" + /// - "ECDHE-RSA-AES128-GCM-SHA256" + /// - "ECDHE-ECDSA-AES128-SHA" + /// - "ECDHE-RSA-AES128-SHA" + /// - "AES128-GCM-SHA256" + /// - "AES128-SHA" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// - "ECDHE-ECDSA-AES256-SHA" + /// - "ECDHE-RSA-AES256-SHA" + /// - "AES256-GCM-SHA384" + /// - "AES256-SHA" + /// Contour recommends leaving this undefined unless you are sure you must. + /// See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + /// Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cipherSuites")] + pub cipher_suites: Option>, + /// MaximumProtocolVersion is the maximum TLS version this vhost should + /// negotiate. + /// Values: `1.2`, `1.3`(default). + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maximumProtocolVersion")] + pub maximum_protocol_version: Option, + /// MinimumProtocolVersion is the minimum TLS version this vhost should + /// negotiate. + /// Values: `1.2` (default), `1.3`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "minimumProtocolVersion")] + pub minimum_protocol_version: Option, +} + +/// Health defines the endpoint Envoy uses to serve health checks. +/// Contour's default is { address: "0.0.0.0", port: 8002 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyHealth { + /// Defines the health address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the health port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Defines the HTTP Listener for Envoy. +/// Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyHttp { + /// AccessLog defines where Envoy logs are outputted for this listener. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLog")] + pub access_log: Option, + /// Defines an Envoy Listener Address. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines an Envoy listener Port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Defines the HTTPS Listener for Envoy. +/// Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyHttps { + /// AccessLog defines where Envoy logs are outputted for this listener. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLog")] + pub access_log: Option, + /// Defines an Envoy Listener Address. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines an Envoy listener Port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// Listener hold various configurable Envoy listener values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyListener { + /// ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + /// for more information. + /// Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectionBalancer")] + pub connection_balancer: Option, + /// DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + /// strip the "Content-Length" header if "Transfer-Encoding: chunked" is + /// also set. This is an emergency off-switch to revert back to Envoy's + /// default behavior in case of failures. Please file an issue if failures + /// are encountered. + /// See: https://github.com/projectcontour/contour/issues/3221 + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disableAllowChunkedLength")] + pub disable_allow_chunked_length: Option, + /// DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + /// which strips duplicate slashes from request URL paths. + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disableMergeSlashes")] + pub disable_merge_slashes: Option, + /// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + /// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + /// for a peer on a single HTTP/2 connection. It is recommended to not set this lower + /// than 100 but this field can be used to bound resource usage by HTTP/2 connections + /// and mitigate attacks like CVE-2023-44487. The default value when this is not set is + /// unlimited. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "httpMaxConcurrentStreams")] + pub http_max_concurrent_streams: Option, + /// Defines the limit on number of active connections to a listener. The limit is applied + /// per listener. The default value when this is not set is unlimited. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxConnectionsPerListener")] + pub max_connections_per_listener: Option, + /// Defines the maximum requests for downstream connections. If not specified, there is no limit. + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestsPerConnection")] + pub max_requests_per_connection: Option, + /// Defines the limit on number of HTTP requests that Envoy will process from a single + /// connection in a single I/O cycle. Requests over this limit are processed in subsequent + /// I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + /// detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + /// value when this is not set is no limit. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestsPerIOCycle")] + pub max_requests_per_io_cycle: Option, + /// Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + /// If unspecified, an implementation defined default is applied (1MiB). + /// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "per-connection-buffer-limit-bytes")] + pub per_connection_buffer_limit_bytes: Option, + /// Defines the action to be applied to the Server header on the response path. + /// When configured as overwrite, overwrites any Server header with "envoy". + /// When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + /// When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + /// Values: `overwrite` (default), `append_if_absent`, `pass_through` + /// Other values will produce an error. + /// Contour's default is overwrite. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "serverHeaderTransformation")] + pub server_header_transformation: Option, + /// SocketOptions defines configurable socket options for the listeners. + /// Single set of options are applied to all listeners. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "socketOptions")] + pub socket_options: Option, + /// TLS holds various configurable Envoy TLS listener values. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, + /// Use PROXY protocol for all listeners. + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "useProxyProtocol")] + pub use_proxy_protocol: Option, +} + +/// SocketOptions defines configurable socket options for the listeners. +/// Single set of options are applied to all listeners. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyListenerSocketOptions { + /// Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + /// Single value is applied to all listeners. + /// If listeners are bound to IPv6-only addresses, setting this option will cause an error. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tos: Option, + /// Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + /// Single value is applied to all listeners. + /// If listeners are bound to IPv4-only addresses, setting this option will cause an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "trafficClass")] + pub traffic_class: Option, +} + +/// TLS holds various configurable Envoy TLS listener values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyListenerTls { + /// CipherSuites defines the TLS ciphers to be supported by Envoy TLS + /// listeners when negotiating TLS 1.2. Ciphers are validated against the + /// set that Envoy supports by default. This parameter should only be used + /// by advanced users. Note that these will be ignored when TLS 1.3 is in + /// use. + /// This field is optional; when it is undefined, a Contour-managed ciphersuite list + /// will be used, which may be updated to keep it secure. + /// Contour's default list is: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// Ciphers provided are validated against the following list: + /// - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + /// - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + /// - "ECDHE-ECDSA-AES128-GCM-SHA256" + /// - "ECDHE-RSA-AES128-GCM-SHA256" + /// - "ECDHE-ECDSA-AES128-SHA" + /// - "ECDHE-RSA-AES128-SHA" + /// - "AES128-GCM-SHA256" + /// - "AES128-SHA" + /// - "ECDHE-ECDSA-AES256-GCM-SHA384" + /// - "ECDHE-RSA-AES256-GCM-SHA384" + /// - "ECDHE-ECDSA-AES256-SHA" + /// - "ECDHE-RSA-AES256-SHA" + /// - "AES256-GCM-SHA384" + /// - "AES256-SHA" + /// Contour recommends leaving this undefined unless you are sure you must. + /// See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + /// Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "cipherSuites")] + pub cipher_suites: Option>, + /// MaximumProtocolVersion is the maximum TLS version this vhost should + /// negotiate. + /// Values: `1.2`, `1.3`(default). + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maximumProtocolVersion")] + pub maximum_protocol_version: Option, + /// MinimumProtocolVersion is the minimum TLS version this vhost should + /// negotiate. + /// Values: `1.2` (default), `1.3`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "minimumProtocolVersion")] + pub minimum_protocol_version: Option, +} + +/// Logging defines how Envoy's logs can be configured. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyLogging { + /// AccessLogFormat sets the global access log format. + /// Values: `envoy` (default), `json`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogFormat")] + pub access_log_format: Option, + /// AccessLogFormatString sets the access log format when format is set to `envoy`. + /// When empty, Envoy's default format is used. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogFormatString")] + pub access_log_format_string: Option, + /// AccessLogJSONFields sets the fields that JSON logging will + /// output when AccessLogFormat is json. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogJSONFields")] + pub access_log_json_fields: Option>, + /// AccessLogLevel sets the verbosity level of the access log. + /// Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "accessLogLevel")] + pub access_log_level: Option, +} + +/// Metrics defines the endpoint Envoy uses to serve metrics. +/// Contour's default is { address: "0.0.0.0", port: 8002 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyMetrics { + /// Defines the metrics address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the metrics port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// TLS holds TLS file config details. + /// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, +} + +/// TLS holds TLS file config details. +/// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyMetricsTls { + /// CA filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "caFile")] + pub ca_file: Option, + /// Client certificate filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "certFile")] + pub cert_file: Option, + /// Client key filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyFile")] + pub key_file: Option, +} + +/// Network holds various configurable Envoy network values. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyNetwork { + /// Configure the port used to access the Envoy Admin interface. + /// If configured to port "0" then the admin interface is disabled. + /// Contour's default is 9001. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "adminPort")] + pub admin_port: Option, + /// XffNumTrustedHops defines the number of additional ingress proxy hops from the + /// right side of the x-forwarded-for HTTP header to trust when determining the origin + /// client’s IP address. + /// See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + /// for more information. + /// Contour's default is 0. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "numTrustedHops")] + pub num_trusted_hops: Option, +} + +/// Service holds Envoy service parameters for setting Ingress status. +/// Contour's default is { namespace: "projectcontour", name: "envoy" }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyService { + pub name: String, + pub namespace: String, +} + +/// Timeouts holds various configurable timeouts that can +/// be set in the config file. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsEnvoyTimeouts { + /// ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + /// If not set, a default value of 2 seconds will be used. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectTimeout")] + pub connect_timeout: Option, + /// ConnectionIdleTimeout defines how long the proxy should wait while there are + /// no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + /// an HTTP connection. Set to "infinity" to disable the timeout entirely. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectionIdleTimeout")] + pub connection_idle_timeout: Option, + /// ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + /// initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + /// During this grace period, the proxy will continue to respond to new streams. After the final + /// GOAWAY frame has been sent, the proxy will refuse new streams. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "connectionShutdownGracePeriod")] + pub connection_shutdown_grace_period: Option, + /// DelayedCloseTimeout defines how long envoy will wait, once connection + /// close processing has been initiated, for the downstream peer to close + /// the connection before Envoy closes the socket associated with the connection. + /// Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + /// in Envoy. Leaving it unset will result in the Envoy default value being used. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "delayedCloseTimeout")] + pub delayed_close_timeout: Option, + /// MaxConnectionDuration defines the maximum period of time after an HTTP connection + /// has been established from the client to the proxy before it is closed by the proxy, + /// regardless of whether there has been activity or not. Omit or set to "infinity" for + /// no max duration. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxConnectionDuration")] + pub max_connection_duration: Option, + /// RequestTimeout sets the client request timeout globally for Contour. Note that + /// this is a timeout for the entire request, not an idle timeout. Omit or set to + /// "infinity" to disable the timeout entirely. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestTimeout")] + pub request_timeout: Option, + /// StreamIdleTimeout defines how long the proxy should wait while there is no + /// request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + /// terminating the HTTP request or stream. Set to "infinity" to disable the + /// timeout entirely. + /// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + /// for more information. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "streamIdleTimeout")] + pub stream_idle_timeout: Option, +} + +/// Gateway contains parameters for the gateway-api Gateway that Contour +/// is configured to serve traffic. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsGateway { + /// ControllerName is used to determine whether Contour should reconcile a + /// GatewayClass. The string takes the form of "projectcontour.io//contour". + /// If unset, the gatewayclass controller will not be started. + /// Exactly one of ControllerName or GatewayRef must be set. + /// Deprecated: users should use GatewayRef, or the Gateway provisioner, + /// in place of this field. This field will be removed in a future release. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "controllerName")] + pub controller_name: Option, + /// GatewayRef defines a specific Gateway that this Contour + /// instance corresponds to. If set, Contour will reconcile + /// only this gateway, and will not reconcile any gateway + /// classes. + /// Exactly one of ControllerName or GatewayRef must be set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "gatewayRef")] + pub gateway_ref: Option, +} + +/// GatewayRef defines a specific Gateway that this Contour +/// instance corresponds to. If set, Contour will reconcile +/// only this gateway, and will not reconcile any gateway +/// classes. +/// Exactly one of ControllerName or GatewayRef must be set. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsGatewayGatewayRef { + pub name: String, + pub namespace: String, +} + +/// GlobalExternalAuthorization allows envoys external authorization filter +/// to be enabled for all virtual hosts. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsGlobalExtAuth { + /// AuthPolicy sets a default authorization policy for client requests. + /// This policy will be used unless overridden by individual routes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "authPolicy")] + pub auth_policy: Option, + /// ExtensionServiceRef specifies the extension resource that will authorize client requests. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "extensionRef")] + pub extension_ref: Option, + /// If FailOpen is true, the client request is forwarded to the upstream service + /// even if the authorization server fails to respond. This field should not be + /// set in most cases. It is intended for use only while migrating applications + /// from internal authorization to Contour external authorization. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "failOpen")] + pub fail_open: Option, + /// ResponseTimeout configures maximum time to wait for a check response from the authorization server. + /// Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + /// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + /// The string "infinity" is also a valid input and specifies no timeout. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseTimeout")] + pub response_timeout: Option, + /// WithRequestBody specifies configuration for sending the client request's body to authorization server. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "withRequestBody")] + pub with_request_body: Option, +} + +/// AuthPolicy sets a default authorization policy for client requests. +/// This policy will be used unless overridden by individual routes. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsGlobalExtAuthAuthPolicy { + /// Context is a set of key/value pairs that are sent to the + /// authentication server in the check request. If a context + /// is provided at an enclosing scope, the entries are merged + /// such that the inner scope overrides matching keys from the + /// outer scope. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub context: Option>, + /// When true, this field disables client request authentication + /// for the scope of the policy. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// ExtensionServiceRef specifies the extension resource that will authorize client requests. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsGlobalExtAuthExtensionRef { + /// API version of the referent. + /// If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + #[serde(default, skip_serializing_if = "Option::is_none", rename = "apiVersion")] + pub api_version: Option, + /// Name of the referent. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + /// Namespace of the referent. + /// If this field is not specifies, the namespace of the resource that targets the referent will be used. + /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + #[serde(default, skip_serializing_if = "Option::is_none")] + pub namespace: Option, +} + +/// WithRequestBody specifies configuration for sending the client request's body to authorization server. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsGlobalExtAuthWithRequestBody { + /// If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "allowPartialMessage")] + pub allow_partial_message: Option, + /// MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxRequestBytes")] + pub max_request_bytes: Option, + /// If PackAsBytes is true, the body sent to Authorization Server is in raw bytes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "packAsBytes")] + pub pack_as_bytes: Option, +} + +/// Health defines the endpoints Contour uses to serve health checks. +/// Contour's default is { address: "0.0.0.0", port: 8000 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsHealth { + /// Defines the health address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the health port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, +} + +/// HTTPProxy defines parameters on HTTPProxy. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsHttpproxy { + /// DisablePermitInsecure disables the use of the + /// permitInsecure field in HTTPProxy. + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "disablePermitInsecure")] + pub disable_permit_insecure: Option, + /// FallbackCertificate defines the namespace/name of the Kubernetes secret to + /// use as fallback when a non-SNI request is received. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "fallbackCertificate")] + pub fallback_certificate: Option, + /// Restrict Contour to searching these namespaces for root ingress routes. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "rootNamespaces")] + pub root_namespaces: Option>, +} + +/// FallbackCertificate defines the namespace/name of the Kubernetes secret to +/// use as fallback when a non-SNI request is received. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsHttpproxyFallbackCertificate { + pub name: String, + pub namespace: String, +} + +/// Ingress contains parameters for ingress options. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsIngress { + /// Ingress Class Names Contour should use. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "classNames")] + pub class_names: Option>, + /// Address to set in Ingress object status. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "statusAddress")] + pub status_address: Option, +} + +/// Metrics defines the endpoint Contour uses to serve metrics. +/// Contour's default is { address: "0.0.0.0", port: 8000 }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsMetrics { + /// Defines the metrics address interface. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the metrics port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// TLS holds TLS file config details. + /// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, +} + +/// TLS holds TLS file config details. +/// Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsMetricsTls { + /// CA filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "caFile")] + pub ca_file: Option, + /// Client certificate filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "certFile")] + pub cert_file: Option, + /// Client key filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyFile")] + pub key_file: Option, +} + +/// Policy specifies default policy applied if not overridden by the user +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsPolicy { + /// ApplyToIngress determines if the Policies will apply to ingress objects + /// Contour's default is false. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "applyToIngress")] + pub apply_to_ingress: Option, + /// RequestHeadersPolicy defines the request headers set/removed on all routes + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaders")] + pub request_headers: Option, + /// ResponseHeadersPolicy defines the response headers set/removed on all routes + #[serde(default, skip_serializing_if = "Option::is_none", rename = "responseHeaders")] + pub response_headers: Option, +} + +/// RequestHeadersPolicy defines the request headers set/removed on all routes +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsPolicyRequestHeaders { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// ResponseHeadersPolicy defines the response headers set/removed on all routes +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsPolicyResponseHeaders { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remove: Option>, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set: Option>, +} + +/// RateLimitService optionally holds properties of the Rate Limit Service +/// to be used for global rate limiting. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitService { + /// DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + /// HTTPProxy can overwrite this configuration. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "defaultGlobalRateLimitPolicy")] + pub default_global_rate_limit_policy: Option, + /// Domain is passed to the Rate Limit Service. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub domain: Option, + /// EnableResourceExhaustedCode enables translating error code 429 to + /// grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableResourceExhaustedCode")] + pub enable_resource_exhausted_code: Option, + /// EnableXRateLimitHeaders defines whether to include the X-RateLimit + /// headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + /// (as defined by the IETF Internet-Draft linked below), on responses + /// to clients when the Rate Limit Service is consulted for a request. + /// ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + #[serde(default, skip_serializing_if = "Option::is_none", rename = "enableXRateLimitHeaders")] + pub enable_x_rate_limit_headers: Option, + /// ExtensionService identifies the extension service defining the RLS. + #[serde(rename = "extensionService")] + pub extension_service: ContourDeploymentRuntimeSettingsRateLimitServiceExtensionService, + /// FailOpen defines whether to allow requests to proceed when the + /// Rate Limit Service fails to respond with a valid rate limit + /// decision within the timeout defined on the extension service. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "failOpen")] + pub fail_open: Option, +} + +/// DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. +/// HTTPProxy can overwrite this configuration. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicy { + /// Descriptors defines the list of descriptors that will + /// be generated and sent to the rate limit service. Each + /// descriptor contains 1+ key-value pair entries. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub descriptors: Option>, + /// Disabled configures the HTTPProxy to not use + /// the default global rate limit policy defined by the Contour configuration. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub disabled: Option, +} + +/// RateLimitDescriptor defines a list of key-value pair generators. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptors { + /// Entries is the list of key-value pair generators. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub entries: Option>, +} + +/// RateLimitDescriptorEntry is a key-value pair generator. Exactly +/// one field on this struct must be non-nil. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntries { + /// GenericKey defines a descriptor entry with a static key and value. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "genericKey")] + pub generic_key: Option, + /// RemoteAddress defines a descriptor entry with a key of "remote_address" + /// and a value equal to the client's IP address (from x-forwarded-for). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "remoteAddress")] + pub remote_address: Option, + /// RequestHeader defines a descriptor entry that's populated only if + /// a given header is present on the request. The descriptor key is static, + /// and the descriptor value is equal to the value of the header. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeader")] + pub request_header: Option, + /// RequestHeaderValueMatch defines a descriptor entry that's populated + /// if the request's headers match a set of 1+ match criteria. The + /// descriptor key is "header_match", and the descriptor value is static. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaderValueMatch")] + pub request_header_value_match: Option, +} + +/// GenericKey defines a descriptor entry with a static key and value. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesGenericKey { + /// Key defines the key of the descriptor entry. If not set, the + /// key is set to "generic_key". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub key: Option, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// RemoteAddress defines a descriptor entry with a key of "remote_address" +/// and a value equal to the client's IP address (from x-forwarded-for). +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRemoteAddress { +} + +/// RequestHeader defines a descriptor entry that's populated only if +/// a given header is present on the request. The descriptor key is static, +/// and the descriptor value is equal to the value of the header. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeader { + /// DescriptorKey defines the key to use on the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "descriptorKey")] + pub descriptor_key: Option, + /// HeaderName defines the name of the header to look for on the request. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] + pub header_name: Option, +} + +/// RequestHeaderValueMatch defines a descriptor entry that's populated +/// if the request's headers match a set of 1+ match criteria. The +/// descriptor key is "header_match", and the descriptor value is static. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeaderValueMatch { + /// ExpectMatch defines whether the request must positively match the match + /// criteria in order to generate a descriptor entry (i.e. true), or not + /// match the match criteria in order to generate a descriptor entry (i.e. false). + /// The default is true. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "expectMatch")] + pub expect_match: Option, + /// Headers is a list of 1+ match criteria to apply against the request + /// to determine whether to populate the descriptor entry or not. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub headers: Option>, + /// Value defines the value of the descriptor entry. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub value: Option, +} + +/// HeaderMatchCondition specifies how to conditionally match against HTTP +/// headers. The Name field is required, only one of Present, NotPresent, +/// Contains, NotContains, Exact, NotExact and Regex can be set. +/// For negative matching rules only (e.g. NotContains or NotExact) you can set +/// TreatMissingAsEmpty. +/// IgnoreCase has no effect for Regex. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceDefaultGlobalRateLimitPolicyDescriptorsEntriesRequestHeaderValueMatchHeaders { + /// Contains specifies a substring that must be present in + /// the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub contains: Option, + /// Exact specifies a string that the header value must be equal to. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exact: Option, + /// IgnoreCase specifies that string matching should be case insensitive. + /// Note that this has no effect on the Regex parameter. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "ignoreCase")] + pub ignore_case: Option, + /// Name is the name of the header to match against. Name is required. + /// Header names are case insensitive. + pub name: String, + /// NotContains specifies a substring that must not be present + /// in the header value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notcontains: Option, + /// NoExact specifies a string that the header value must not be + /// equal to. The condition is true if the header has any other value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notexact: Option, + /// NotPresent specifies that condition is true when the named header + /// is not present. Note that setting NotPresent to false does not + /// make the condition true if the named header is present. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub notpresent: Option, + /// Present specifies that condition is true when the named header + /// is present, regardless of its value. Note that setting Present + /// to false does not make the condition true if the named header + /// is absent. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub present: Option, + /// Regex specifies a regular expression pattern that must match the header + /// value. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub regex: Option, + /// TreatMissingAsEmpty specifies if the header match rule specified header + /// does not exist, this header value will be treated as empty. Defaults to false. + /// Unlike the underlying Envoy implementation this is **only** supported for + /// negative matches (e.g. NotContains, NotExact). + #[serde(default, skip_serializing_if = "Option::is_none", rename = "treatMissingAsEmpty")] + pub treat_missing_as_empty: Option, +} + +/// ExtensionService identifies the extension service defining the RLS. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsRateLimitServiceExtensionService { + pub name: String, + pub namespace: String, +} + +/// Tracing defines properties for exporting trace data to OpenTelemetry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsTracing { + /// CustomTags defines a list of custom tags with unique tag name. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "customTags")] + pub custom_tags: Option>, + /// ExtensionService identifies the extension service defining the otel-collector. + #[serde(rename = "extensionService")] + pub extension_service: ContourDeploymentRuntimeSettingsTracingExtensionService, + /// IncludePodDetail defines a flag. + /// If it is true, contour will add the pod name and namespace to the span of the trace. + /// the default is true. + /// Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "includePodDetail")] + pub include_pod_detail: Option, + /// MaxPathTagLength defines maximum length of the request path + /// to extract and include in the HttpUrl tag. + /// contour's default is 256. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "maxPathTagLength")] + pub max_path_tag_length: Option, + /// OverallSampling defines the sampling rate of trace data. + /// contour's default is 100. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "overallSampling")] + pub overall_sampling: Option, + /// ServiceName defines the name for the service. + /// contour's default is contour. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceName")] + pub service_name: Option, +} + +/// CustomTag defines custom tags with unique tag name +/// to create tags for the active span. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsTracingCustomTags { + /// Literal is a static custom tag value. + /// Precisely one of Literal, RequestHeaderName must be set. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub literal: Option, + /// RequestHeaderName indicates which request header + /// the label value is obtained from. + /// Precisely one of Literal, RequestHeaderName must be set. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHeaderName")] + pub request_header_name: Option, + /// TagName is the unique name of the custom tag. + #[serde(rename = "tagName")] + pub tag_name: String, +} + +/// ExtensionService identifies the extension service defining the otel-collector. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsTracingExtensionService { + pub name: String, + pub namespace: String, +} + +/// XDSServer contains parameters for the xDS server. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsXdsServer { + /// Defines the xDS gRPC API address which Contour will serve. + /// Contour's default is "0.0.0.0". + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option, + /// Defines the xDS gRPC API port which Contour will serve. + /// Contour's default is 8001. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port: Option, + /// TLS holds TLS file config details. + /// Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tls: Option, + /// Defines the XDSServer to use for `contour serve`. + /// Values: `contour` (default), `envoy`. + /// Other values will produce an error. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")] + pub r#type: Option, +} + +/// TLS holds TLS file config details. +/// Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentRuntimeSettingsXdsServerTls { + /// CA filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "caFile")] + pub ca_file: Option, + /// Client certificate filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "certFile")] + pub cert_file: Option, + /// Allow serving the xDS gRPC API without TLS. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub insecure: Option, + /// Client key filename. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "keyFile")] + pub key_file: Option, +} + +/// ContourDeploymentStatus defines the observed state of a ContourDeployment resource. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentStatus { + /// Conditions describe the current conditions of the ContourDeployment resource. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, +} + +/// Condition contains details for one aspect of the current state of this API Resource. +/// --- +/// This struct is intended for direct use as an array at the field path .status.conditions. For example, +/// +/// +/// type FooStatus struct{ +/// // Represents the observations of a foo's current state. +/// // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" +/// // +patchMergeKey=type +/// // +patchStrategy=merge +/// // +listType=map +/// // +listMapKey=type +/// Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` +/// +/// +/// // other fields +/// } +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ContourDeploymentStatusConditions { + /// lastTransitionTime is the last time the condition transitioned from one status to another. + /// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + #[serde(rename = "lastTransitionTime")] + pub last_transition_time: String, + /// message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// observedGeneration represents the .metadata.generation that the condition was set based upon. + /// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + /// with respect to the current state of the instance. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "observedGeneration")] + pub observed_generation: Option, + /// reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// status of the condition, one of True, False, Unknown. + pub status: ContourDeploymentStatusConditionsStatus, + /// type of condition in CamelCase or in foo.example.com/CamelCase. + /// --- + /// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + /// useful (see .node.status.conditions), the ability to deconflict is important. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// Condition contains details for one aspect of the current state of this API Resource. +/// --- +/// This struct is intended for direct use as an array at the field path .status.conditions. For example, +/// +/// +/// type FooStatus struct{ +/// // Represents the observations of a foo's current state. +/// // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" +/// // +patchMergeKey=type +/// // +patchStrategy=merge +/// // +listType=map +/// // +listMapKey=type +/// Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` +/// +/// +/// // other fields +/// } +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ContourDeploymentStatusConditionsStatus { + True, + False, + Unknown, +} + diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs new file mode 100644 index 000000000..c5abad347 --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/extensionservices.rs @@ -0,0 +1,367 @@ +// WARNING: generated by kopium - manual changes will be overwritten +// kopium command: kopium --docs --filename=./crd-catalog/projectcontour/contour/projectcontour.io/v1alpha1/extensionservices.yaml --derive=PartialEq +// kopium version: 0.16.5 + +use kube::CustomResource; +use serde::{Serialize, Deserialize}; + +/// ExtensionServiceSpec defines the desired state of an ExtensionService resource. +#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, PartialEq)] +#[kube(group = "projectcontour.io", version = "v1alpha1", kind = "ExtensionService", plural = "extensionservices")] +#[kube(namespaced)] +#[kube(status = "ExtensionServiceStatus")] +#[kube(schema = "disabled")] +pub struct ExtensionServiceSpec { + /// The policy for load balancing GRPC service requests. Note that the + /// `Cookie` and `RequestHash` load balancing strategies cannot be used + /// here. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "loadBalancerPolicy")] + pub load_balancer_policy: Option, + /// Protocol may be used to specify (or override) the protocol used to reach this Service. + /// Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocol: Option, + /// This field sets the version of the GRPC protocol that Envoy uses to + /// send requests to the extension service. Since Contour always uses the + /// v3 Envoy API, this is currently fixed at "v3". However, other + /// protocol options will be available in future. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "protocolVersion")] + pub protocol_version: Option, + /// Services specifies the set of Kubernetes Service resources that + /// receive GRPC extension API requests. + /// If no weights are specified for any of the entries in + /// this array, traffic will be spread evenly across all the + /// services. + /// Otherwise, traffic is balanced proportionally to the + /// Weight field in each entry. + pub services: Vec, + /// The timeout policy for requests to the services. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "timeoutPolicy")] + pub timeout_policy: Option, + /// UpstreamValidation defines how to verify the backend service's certificate + #[serde(default, skip_serializing_if = "Option::is_none")] + pub validation: Option, +} + +/// The policy for load balancing GRPC service requests. Note that the +/// `Cookie` and `RequestHash` load balancing strategies cannot be used +/// here. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceLoadBalancerPolicy { + /// RequestHashPolicies contains a list of hash policies to apply when the + /// `RequestHash` load balancing strategy is chosen. If an element of the + /// supplied list of hash policies is invalid, it will be ignored. If the + /// list of hash policies is empty after validation, the load balancing + /// strategy will fall back to the default `RoundRobin`. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "requestHashPolicies")] + pub request_hash_policies: Option>, + /// Strategy specifies the policy used to balance requests + /// across the pool of backend pods. Valid policy names are + /// `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + /// and `RequestHash`. If an unknown strategy name is specified + /// or no policy is supplied, the default `RoundRobin` policy + /// is used. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub strategy: Option, +} + +/// RequestHashPolicy contains configuration for an individual hash policy +/// on a request attribute. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceLoadBalancerPolicyRequestHashPolicies { + /// HashSourceIP should be set to true when request source IP hash based + /// load balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "hashSourceIP")] + pub hash_source_ip: Option, + /// HeaderHashOptions should be set when request header hash based load + /// balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerHashOptions")] + pub header_hash_options: Option, + /// QueryParameterHashOptions should be set when request query parameter hash based load + /// balancing is desired. It must be the only hash option field set, + /// otherwise this request hash policy object will be ignored. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "queryParameterHashOptions")] + pub query_parameter_hash_options: Option, + /// Terminal is a flag that allows for short-circuiting computing of a hash + /// for a given request. If set to true, and the request attribute specified + /// in the attribute hash options is present, no further hash policies will + /// be used to calculate a hash for the request. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub terminal: Option, +} + +/// HeaderHashOptions should be set when request header hash based load +/// balancing is desired. It must be the only hash option field set, +/// otherwise this request hash policy object will be ignored. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceLoadBalancerPolicyRequestHashPoliciesHeaderHashOptions { + /// HeaderName is the name of the HTTP request header that will be used to + /// calculate the hash key. If the header specified is not present on a + /// request, no hash will be produced. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "headerName")] + pub header_name: Option, +} + +/// QueryParameterHashOptions should be set when request query parameter hash based load +/// balancing is desired. It must be the only hash option field set, +/// otherwise this request hash policy object will be ignored. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceLoadBalancerPolicyRequestHashPoliciesQueryParameterHashOptions { + /// ParameterName is the name of the HTTP request query parameter that will be used to + /// calculate the hash key. If the query parameter specified is not present on a + /// request, no hash will be produced. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "parameterName")] + pub parameter_name: Option, +} + +/// ExtensionServiceSpec defines the desired state of an ExtensionService resource. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ExtensionServiceProtocol { + #[serde(rename = "h2")] + H2, + #[serde(rename = "h2c")] + H2c, +} + +/// ExtensionServiceSpec defines the desired state of an ExtensionService resource. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ExtensionServiceProtocolVersion { + #[serde(rename = "v3")] + V3, +} + +/// ExtensionServiceTarget defines an Kubernetes Service to target with +/// extension service traffic. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceServices { + /// Name is the name of Kubernetes service that will accept service + /// traffic. + pub name: String, + /// Port (defined as Integer) to proxy traffic to since a service can have multiple defined. + pub port: i64, + /// Weight defines proportion of traffic to balance to the Kubernetes Service. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub weight: Option, +} + +/// The timeout policy for requests to the services. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceTimeoutPolicy { + /// Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + /// Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + /// If not specified, there is no per-route idle timeout, though a connection manager-wide + /// stream_idle_timeout default of 5m still applies. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub idle: Option, + /// Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + /// If not supplied, Envoy's default value of 1h applies. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "idleConnection")] + pub idle_connection: Option, + /// Timeout for receiving a response from the server after processing a request from client. + /// If not supplied, Envoy's default value of 15s applies. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub response: Option, +} + +/// UpstreamValidation defines how to verify the backend service's certificate +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceValidation { + /// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + /// The secret must contain key named ca.crt. + /// The name can be optionally prefixed with namespace "namespace/name". + /// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + /// Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) + #[serde(rename = "caSecret")] + pub ca_secret: String, + /// Key which is expected to be present in the 'subjectAltName' of the presented certificate. + /// Deprecated: migrate to using the plural field subjectNames. + #[serde(rename = "subjectName")] + pub subject_name: String, + /// List of keys, of which at least one is expected to be present in the 'subjectAltName of the + /// presented certificate. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "subjectNames")] + pub subject_names: Option>, +} + +/// ExtensionServiceStatus defines the observed state of an +/// ExtensionService resource. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceStatus { + /// Conditions contains the current status of the ExtensionService resource. + /// Contour will update a single condition, `Valid`, that is in normal-true polarity. + /// Contour will not modify any other Conditions set in this block, + /// in case some other controller wants to add a Condition. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub conditions: Option>, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceStatusConditions { + /// Errors contains a slice of relevant error subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + /// An empty slice here indicates no errors. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub errors: Option>, + /// lastTransitionTime is the last time the condition transitioned from one status to another. + /// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + #[serde(rename = "lastTransitionTime")] + pub last_transition_time: String, + /// message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// observedGeneration represents the .metadata.generation that the condition was set based upon. + /// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + /// with respect to the current state of the instance. + #[serde(default, skip_serializing_if = "Option::is_none", rename = "observedGeneration")] + pub observed_generation: Option, + /// reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// status of the condition, one of True, False, Unknown. + pub status: ExtensionServiceStatusConditionsStatus, + /// type of condition in CamelCase or in foo.example.com/CamelCase. + /// --- + /// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + /// useful (see .node.status.conditions), the ability to deconflict is important. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, + /// Warnings contains a slice of relevant warning subconditions for this object. + /// Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + /// An empty slice here indicates no warnings. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub warnings: Option>, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceStatusConditionsErrors { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: ExtensionServiceStatusConditionsErrorsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ExtensionServiceStatusConditionsErrorsStatus { + True, + False, + Unknown, +} + +/// DetailedCondition is an extension of the normal Kubernetes conditions, with two extra +/// fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) +/// of the condition. +/// `errors` holds information about sub-conditions which are fatal to that condition and render its state False. +/// `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. +/// Remember that Conditions have a type, a status, and a reason. +/// The type is the type of the condition, the most important one in this CRD set is `Valid`. +/// `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. +/// In more detail, `status: true` means that the object is has been ingested into Contour with no errors. +/// `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` +/// slice in this case. +/// `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. +/// The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` +/// slice if `status` is `false`. +/// For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. +/// When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. +/// When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. +/// In either case, there may be entries in the `warnings` slice. +/// Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason +/// (if there is one and only one entry in total across both the `errors` and `warnings` slices), or +/// `MultipleReasons` if there is more than one entry. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ExtensionServiceStatusConditionsStatus { + True, + False, + Unknown, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub struct ExtensionServiceStatusConditionsWarnings { + /// Message is a human readable message indicating details about the transition. + /// This may be an empty string. + pub message: String, + /// Reason contains a programmatic identifier indicating the reason for the condition's last transition. + /// Producers of specific condition types may define expected values and meanings for this field, + /// and whether the values are considered a guaranteed API. + /// The value should be a CamelCase string. + /// This field may not be empty. + pub reason: String, + /// Status of the condition, one of True, False, Unknown. + pub status: ExtensionServiceStatusConditionsWarningsStatus, + /// Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + /// This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + /// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + #[serde(rename = "type")] + pub r#type: String, +} + +/// SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. +/// It contains a subset of the Condition fields. +/// It is intended for warnings and errors, so `type` names should use abnormal-true polarity, +/// that is, they should be of the form "ErrorPresent: true". +/// The expected lifecycle for these errors is that they should only be present when the error or warning is, +/// and should be removed when they are not relevant. +#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)] +pub enum ExtensionServiceStatusConditionsWarningsStatus { + True, + False, + Unknown, +} + diff --git a/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/mod.rs b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/mod.rs new file mode 100644 index 000000000..2b78fe758 --- /dev/null +++ b/kube-custom-resources-rs/src/projectcontour_io/v1alpha1/mod.rs @@ -0,0 +1,3 @@ +pub mod contourconfigurations; +pub mod contourdeployments; +pub mod extensionservices;