diff --git a/.travis.yml b/.travis.yml index db3bb82fe5f..e14aaf48883 100644 --- a/.travis.yml +++ b/.travis.yml @@ -38,7 +38,7 @@ jobs: - $HOME/bin/kind create cluster --wait 2m - $HOME/bin/kind load docker-image docker.io/projectcontour/contour:master - $HOME/bin/kind load docker-image docker.io/projectcontour/contour:latest - - $HOME/bin/kubectl apply -f examples/render/contour.yaml + - $HOME/bin/kustomize build config/deployments/kind | $HOME/bin/kubectl apply -f - - $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=contour deployments --for=condition=Available - $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=envoy pods --for=condition=Ready - $HOME/bin/kind delete cluster diff --git a/examples/contour/README.md b/config/README.md similarity index 61% rename from examples/contour/README.md rename to config/README.md index c4dc993a1b3..f6937e1a838 100644 --- a/examples/contour/README.md +++ b/config/README.md 
@@ -1,13 +1,23 @@ # Contour Installation -This is an installation guide to configure Contour in a Deployment separate from Envoy which allows for easier scaling of each component. +This directory contains Contour configuration suitable for use by itself, or with [kustomize](https://kustomize.io). -This configuration has several advantages: -1. Envoy runs as a daemonset which allows for distributed scaling across workers in the cluster -2. Communication between Contour and Envoy is secured by mutually-checked self-signed certificates. +## Components -## Moving parts +The [components](./components) directory contains the collaborating components +of a Contour installation. + +1. [types](./types) contains the CRD types for the Contour API. If you have + Kuberenetes 1.6 or later, [types-v1](./types-v1) contains the same API types +2. [contour](./contour) contains a deployment of the Contour service. This + service will be a xDS management server for an Envoy cluster. +3. [envoy](./envoy) deploys an Envoy cluster as a Daemonset. +4. [certgen](./certgen) deploys a Contour generation Job to generate TLS + certificates that will be used for the xDS session between Contour and + Envoy. + +Installing these components creates the following moving parts: - Contour is run as Deployment and Envoy as a Daemonset - Envoy runs on host networking 
@@ -19,28 +29,32 @@ This configuration has several advantages: For detailed instructions on how to configure the required certs manually, see the [step-by-step TLS HOWTO](https://projectcontour.io/docs/master/grpc-tls-howto). -## Deploy Contour +## Deployments -Either: +The [deployments](./deployments) directory contains pre-configured +deployments for a number of Kubernetes targets. These are largely +similar. They all install all the Contour components into the +`projectcontour` namespace and use `contour certgen` to create the xDS +session certificates. -1. Run `kubectl apply -f https://projectcontour.io/quickstart/contour.yaml` +The [quickstart YAML](./quickstart.yaml) is the rendered result of the +[base deployment](./deployments/base). -or: -Clone or fork the repository, then run: +## Deploy Contour + +Either: ```bash -kubectl apply -f examples/contour +kubectl apply -f https://projectcontour.io/quickstart/contour.yaml ``` -This will: +or: -- set up RBAC and Contour's CRDs (CRDs include IngressRoute, TLSCertificateDelegation, HTTPProxy) - * IngressRoute is deprecated and will be removed in a furture release. - * Users should start transitioning to HTTPProxy to ensure no disruptions in the future. -- run a Kubernetes Job that will generate one-year validity certs and put them into `projectcontour` -- Install Contour and Envoy in a Deployment and Daemonset respectively. +Clone or fork the repository, and run: -**NOTE**: The current configuration exposes the `/stats` path from the Envoy Admin UI so that Prometheus can scrape for metrics. +```bash +kustomize build config/deployments/base | kubectl apply -f - +``` ## Test diff --git a/config/components/certgen/job.yaml b/config/components/certgen/job.yaml new file mode 100644 index 00000000000..dc567c6a795 --- /dev/null +++ b/config/components/certgen/job.yaml 
@@ -0,0 +1,35 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen +spec: + ttlSecondsAfterFinished: 0 + template: + metadata: + labels: + app: "contour-certgen" + spec: + containers: + - name: contour + image: projectcontour/contour + imagePullPolicy: Always + command: + - contour + - certgen + - --incluster + - --kube + - --namespace=$(CONTOUR_NAMESPACE) + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + serviceAccountName: contour-certgen + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + parallelism: 1 + completions: 1 + backoffLimit: 1 diff --git a/config/components/certgen/kustomization.yaml b/config/components/certgen/kustomization.yaml new file mode 100644 index 00000000000..1e7d66ade6c --- /dev/null +++ b/config/components/certgen/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- job.yaml +- rbac.yaml +- serviceaccount.yaml + +# This version is set to latest because Job specs are immutable; +# if we change this on each version, you can no longer upgrade +# just by applying the deployment YAML. +# +# See #2423, #2395, #2150, and #2030 for earlier questions about this. +images: +- name: projectcontour/contour + newName: docker.io/projectcontour/contour + newTag: master diff --git a/config/components/certgen/rbac.yaml b/config/components/certgen/rbac.yaml new file mode 100644 index 00000000000..fbae071ecff --- /dev/null +++ b/config/components/certgen/rbac.yaml 
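Review bot: The `contour` container in certgen/job.yaml has no container-level `securityContext`, so the pod-level `runAsNonRoot`/`runAsUser: 65534` settings are the only hardening in place and privilege escalation remains allowed by default. For a one-shot Job whose work is API calls, add under the container `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`; `readOnlyRootFilesystem: true` is probably also safe, since the Role in rbac.yaml suggests the certificates go into Secrets rather than onto disk, but confirm the binary writes nothing locally before enabling it. `ttlSecondsAfterFinished: 0` only takes effect when the TTL-after-finished controller is enabled on the cluster; otherwise the completed Job stays and, because Job specs are immutable, a later apply with a changed spec fails, which deserves a comment next to that line.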
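Review bot: The comment in certgen/kustomization.yaml says the version "is set to latest" while the `images:` entry below it pins `newTag: master`, so the explanation and the value disagree. Rewrite the first line as `# The tag is the floating "master" tag rather than a release tag because Job specs are immutable;` so the next reader does not go looking for a `latest` tag. It is also worth one more sentence in the same comment that a floating tag together with `imagePullPolicy: Always` means the certgen image is not reproducible between runs; a digest-pinned reference would be, at the cost of the upgrade path the comment describes.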
@@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen +subjects: +- kind: ServiceAccount + name: contour-certgen + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: contour-certgen +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch + - create + - get + - put + - post + - patch diff --git a/config/components/certgen/serviceaccount.yaml b/config/components/certgen/serviceaccount.yaml new file mode 100644 index 00000000000..fa3086541a5 --- /dev/null +++ b/config/components/certgen/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour-certgen diff --git a/config/components/contour/configs/contour.yaml b/config/components/contour/configs/contour.yaml new file mode 100644 index 00000000000..7aa4fd81b99 --- /dev/null +++ b/config/components/contour/configs/contour.yaml 
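Review bot: The `contour-certgen` Role in certgen/rbac.yaml lists `put` and `post` as verbs; neither is a Kubernetes RBAC verb, so they are silently ignored, while `update`, the verb actually needed to overwrite an existing Secret, is missing. Replace the two lines with a single `- update` so a re-run of certgen against Secrets that already exist is not denied; the same two non-verbs appear as context in the `contour` ClusterRole in contour-rbac.yaml and carry the same problem. Separately, `list` and `watch` on every Secret in the namespace is broader than a generator of a fixed set of Secrets needs; if certgen only does create/get/update, drop them, or add `resourceNames` for the Secrets it manages on the verbs that support it.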
@@ -0,0 +1,56 @@ +# Whether contour should expect to be running inside a k8s cluster. +# incluster: true + +# Path to kubeconfig (if not running inside a k8s cluster). +# kubeconfig: /path/to/.kube/config + +# Client request timeout to be passed to Envoy +# as the connection manager request_timeout. +# Defaults to 0, which Envoy interprets as disabled. +# Note that this is the timeout for the whole request, +# not an idle timeout. +# request-timeout: 0s + +# Whether to disable the HTTPProxy permitInsecure field. +disablePermitInsecure: false + +tls: +# minimum TLS version that Contour will negotiate +# minimum-protocol-version: "1.1" + +# The following config shows the defaults for the leader election. +# leaderelection: +# configmap-name: leader-elect +# configmap-namespace: projectcontour + +# Logging options +accesslog-format: envoy + +# To enable JSON logging in Envoy +# accesslog-format: json +# The default fields that will be logged are specified below. +# To customize this list, just add or remove entries. +# The canonical list is available at +# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields +# json-fields: +# - "@timestamp" +# - "authority" +# - "bytes_received" +# - "bytes_sent" +# - "downstream_local_address" +# - "downstream_remote_address" +# - "duration" +# - "method" +# - "path" +# - "protocol" +# - "request_id" +# - "requested_server_name" +# - "response_code" +# - "response_flags" +# - "uber_trace_id" +# - "upstream_cluster" +# - "upstream_host" +# - "upstream_local_address" +# - "upstream_service_time" +# - "user_agent" +# - "x_forwarded_for" diff --git a/examples/contour/02-rbac.yaml b/config/components/contour/contour-rbac.yaml similarity index 66% rename from examples/contour/02-rbac.yaml rename to config/components/contour/contour-rbac.yaml index bfcb123346c..8a2738b9a44 100644 --- a/examples/contour/02-rbac.yaml +++ b/config/components/contour/contour-rbac.yaml 
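Review bot: The commented example `# minimum-protocol-version: "1.1"` in configs/contour.yaml is the value operators will uncomment, and TLS 1.1 is below what current guidance recommends as a floor. Keep the line if 1.1 is indeed the shipped default, but put the recommended value beside it, e.g. `# minimum-protocol-version: "1.2"  # recommended; "1.1" is the compatibility default`, after confirming the default against the Contour source. Note also that `tls:` is followed only by comment lines, so it parses as a null value; the loader presumably tolerates that since the example is written this way, but an explicit `tls: {}` would make the intent clearer.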
@@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: @@ -10,8 +9,9 @@ roleRef: subjects: - kind: ServiceAccount name: contour - namespace: projectcontour + --- + apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: @@ -58,7 +58,7 @@ rules: - get - list - watch - - patch + - patch - post - update - apiGroups: ["contour.heptio.com"] @@ -88,42 +88,3 @@ rules: - put - post - patch ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: contour-leaderelection - namespace: projectcontour -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: contour-leaderelection - namespace: projectcontour -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: contour-leaderelection -subjects: -- kind: ServiceAccount - name: contour - namespace: projectcontour diff --git a/examples/contour/03-contour.yaml b/config/components/contour/deployment.yaml similarity index 98% rename from examples/contour/03-contour.yaml rename to config/components/contour/deployment.yaml index 426e86584b7..12fe0b9f9ef 100644 --- a/examples/contour/03-contour.yaml +++ b/config/components/contour/deployment.yaml @@ -1,11 +1,9 @@ ---- apiVersion: apps/v1 kind: Deployment metadata: labels: app: contour name: contour - namespace: projectcontour spec: replicas: 2 strategy: diff --git a/config/components/contour/election-rbac.yaml b/config/components/contour/election-rbac.yaml new file mode 100644 index 00000000000..a9f1a6baf35 --- /dev/null +++ b/config/components/contour/election-rbac.yaml 
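Review bot: Removing `namespace: projectcontour` from the ServiceAccount subject of the `contour` ClusterRoleBinding in contour-rbac.yaml leaves a subject with no namespace, which the API server rejects for ServiceAccount subjects, so this file presumably only applies correctly once kustomize's namespace transformer fills the field in. That is fine on the `kustomize build` path, but the README in this same commit describes the directory as usable by itself, so either keep the namespace on this subject or mark the dependency in the file, e.g. `# subjects[].namespace is set by the kustomization's namespace field` above `subjects:`. The ClusterRoleBinding begins in the first hunk and its `roleRef` lies between the hunks, outside both.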
@@ -0,0 +1,37 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: contour-leaderelection +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: contour-leaderelection +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-leaderelection +subjects: +- kind: ServiceAccount + name: contour diff --git a/config/components/contour/kustomization.yaml b/config/components/contour/kustomization.yaml new file mode 100644 index 00000000000..ea3c1e8b9dc --- /dev/null +++ b/config/components/contour/kustomization.yaml @@ -0,0 +1,19 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- serviceaccount.yaml +- contour-rbac.yaml +- election-rbac.yaml +- deployment.yaml +- service.yaml + +configMapGenerator: +- name: contour + files: + - configs/contour.yaml + +images: +- name: projectcontour/contour + newName: docker.io/projectcontour/contour + newTag: master diff --git a/examples/contour/02-service-contour.yaml b/config/components/contour/service.yaml similarity index 85% rename from examples/contour/02-service-contour.yaml rename to config/components/contour/service.yaml index 8be5bc9a748..4351a97ef06 100644 --- a/examples/contour/02-service-contour.yaml +++ b/config/components/contour/service.yaml @@ -1,9 +1,7 @@ ---- apiVersion: v1 kind: Service metadata: name: contour - namespace: projectcontour spec: ports: - port: 8001 diff --git a/config/components/contour/serviceaccount.yaml b/config/components/contour/serviceaccount.yaml new file mode 100644 index 00000000000..6536ee5e92a --- /dev/null +++ b/config/components/contour/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour + namespace: projectcontour 
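Review bot: contour/serviceaccount.yaml is the only new component file that still hard-codes `namespace: projectcontour`; certgen/serviceaccount.yaml and envoy/serviceaccount.yaml leave the namespace to the deployment overlay, and this same commit strips it from the contour Deployment and Service. Drop the `namespace: projectcontour` line here so the components read consistently and a deployment that sets a different namespace does not rely on the transformer overriding an explicit value, even if kustomize does so today.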
diff --git a/examples/contour/03-envoy.yaml b/config/components/envoy/daemonset.yaml similarity index 94% rename from examples/contour/03-envoy.yaml rename to config/components/envoy/daemonset.yaml index 0e727ab8bbd..9459354abd4 100644 --- a/examples/contour/03-envoy.yaml +++ b/config/components/envoy/daemonset.yaml @@ -1,11 +1,9 @@ ---- apiVersion: apps/v1 kind: DaemonSet metadata: labels: app: envoy name: envoy - namespace: projectcontour spec: updateStrategy: type: RollingUpdate @@ -29,7 +27,7 @@ spec: args: - envoy - shutdown-manager - image: docker.io/projectcontour/contour:master + image: projectcontour/contour imagePullPolicy: Always lifecycle: preStop: @@ -52,7 +50,7 @@ spec: - --log-level info command: - envoy - image: docker.io/envoyproxy/envoy:v1.14.1 + image: envoyproxy/envoy imagePullPolicy: IfNotPresent name: envoy env: @@ -105,7 +103,7 @@ spec: - --envoy-key-file=/certs/tls.key command: - contour - image: docker.io/projectcontour/contour:master + image: projectcontour/contour imagePullPolicy: Always name: envoy-initconfig volumeMounts: diff --git a/config/components/envoy/kustomization.yaml b/config/components/envoy/kustomization.yaml new file mode 100644 index 00000000000..dc8ad155a3e --- /dev/null +++ b/config/components/envoy/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- serviceaccount.yaml +- daemonset.yaml +- service.yaml + +images: +- name: envoyproxy/envoy + newName: docker.io/envoyproxy/envoy + newTag: v1.14.1 +- name: projectcontour/contour + newName: docker.io/projectcontour/contour + newTag: master diff --git a/config/components/envoy/service.yaml b/config/components/envoy/service.yaml new file mode 100644 index 00000000000..61b0699f8a5 --- /dev/null +++ b/config/components/envoy/service.yaml 
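Review bot: The three image changes in envoy/daemonset.yaml drop registry and tag (`envoyproxy/envoy`, `projectcontour/contour`) and move the pins into kustomization.yaml, so the component file on its own now resolves both images to `:latest`; with `imagePullPolicy: Always` on the contour containers that is a floating, unverified image whenever the file is applied without `kustomize build`. Since the kustomize `images:` transformer overrides whatever tag the base carries, the base can keep `docker.io/envoyproxy/envoy:v1.14.1` and `docker.io/projectcontour/contour:master` as safe defaults at no cost to the overlay path. If the intent is that components are never applied directly, a comment at the top of the file saying so would prevent the accidental case. The surrounding container specs lie outside these hunks.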
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: envoy +spec: + externalTrafficPolicy: Local + ports: + - port: 80 + name: http + protocol: TCP + - port: 443 + name: https + protocol: TCP + selector: + app: envoy + type: LoadBalancer diff --git a/config/components/envoy/serviceaccount.yaml b/config/components/envoy/serviceaccount.yaml new file mode 100644 index 00000000000..3889b7a715e --- /dev/null +++ b/config/components/envoy/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy diff --git a/config/components/types-v1/contour.heptio.com_ingressroutes.yaml b/config/components/types-v1/contour.heptio.com_ingressroutes.yaml new file mode 100644 index 00000000000..6a6756413aa --- /dev/null +++ b/config/components/types-v1/contour.heptio.com_ingressroutes.yaml 
@@ -0,0 +1,373 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: ingressroutes.contour.heptio.com +spec: + group: contour.heptio.com + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: First routes defined + jsonPath: .spec.routes[0].match + name: First route + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: IngressRoute is an Ingress CRD specificiation + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the spec of the CRD + properties: + routes: + description: Routes are the ingress routes. 
If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host + properties: + delegate: + description: Delegate specifies that this route should be delegated + to another IngressRoute + properties: + name: + description: Name of the IngressRoute + type: string + namespace: + description: Namespace of the IngressRoute. Defaults to + the current namespace if not supplied. + type: string + required: + - name + type: object + enableWebsockets: + description: Enables websocket support for the route + type: boolean + match: + description: Match defines the prefix match + type: string + permitInsecure: + description: Allow this path to respond to insecure requests + over HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + prefixRewrite: + description: Indicates that during forwarding, the matched prefix + (or path) should be swapped with this value + type: string + retryPolicy: + description: The retry policy for this route + properties: + count: + description: NumRetries is maximum allowed number of retries. + If not supplied, the number of retries is one. + format: int64 + minimum: 0 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an upstream to proxy traffic + to + properties: + healthCheck: + description: HealthCheck defines optional healthchecks + on the upstream service + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP + health check request. If left empty (default value), + the name "contour-envoy-healthcheck" will be used. 
+ type: string + intervalSeconds: + description: The interval (seconds) between health + checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health + checks on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health + check response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks + required before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + name: + description: Name is the name of Kubernetes service to + proxy traffic. Names defined here will be used to look + up corresponding endpoints which contain the ips to + route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined + type: integer + strategy: + description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) + type: string + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used + to validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + timeoutPolicy: + description: The timeout policy for this route + properties: + request: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied + the timeout duration is undefined. 
+ type: string + type: object + required: + - match + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + delegate: + description: Delegate specifies that this tcpproxy should be delegated + to another IngressRoute + properties: + name: + description: Name of the IngressRoute + type: string + namespace: + description: Namespace of the IngressRoute. Defaults to the + current namespace if not supplied. + type: string + required: + - name + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an upstream to proxy traffic to + properties: + healthCheck: + description: HealthCheck defines optional healthchecks on + the upstream service + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP + health check request. If left empty (default value), + the name "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health + check response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. 
+ type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined + type: integer + strategy: + description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) + type: string + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root". + properties: + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn + type: string + tls: + description: If present describes tls properties. The SNI names + that will be matched on are described in fqdn, the tls.secretName + secret must contain a matching certificate + properties: + clientValidation: + description: 'ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. This setting: 1. Enables TLS client certificate + validation. 2. Requires clients to present a TLS certificate + (i.e. not optional validation). 3. Specifies how the client + certificate will be validated.' + properties: + caSecret: + description: Name of a Kubernetes secret that contains + a CA certificate bundle. 
The client certificate must + validate against the certificates in the bundle. + minLength: 1 + type: string + required: + - caSecret + type: object + minimumProtocolVersion: + description: Minimum TLS version this vhost should negotiate + type: string + passthrough: + description: If Passthrough is set to true, the SecretName + will be ignored and the encrypted handshake will be passed + through to the backing cluster. + type: boolean + secretName: + description: required, the name of a secret in the current + namespace + type: string + type: object + required: + - fqdn + type: object + type: object + status: + description: Status reports the current state of the HTTPProxy. + properties: + currentStatus: + type: string + description: + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/components/types-v1/contour.heptio.com_tlscertificatedelegations.yaml b/config/components/types-v1/contour.heptio.com_tlscertificatedelegations.yaml new file mode 100644 index 00000000000..19729310527 --- /dev/null +++ b/config/components/types-v1/contour.heptio.com_tlscertificatedelegations.yaml 
@@ -0,0 +1,76 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: tlscertificatedelegations.contour.heptio.com +spec: + group: contour.heptio.com + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD + specificiation. See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. 
If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/components/types-v1/kustomization.yaml b/config/components/types-v1/kustomization.yaml new file mode 100644 index 00000000000..62194dbda1d --- /dev/null +++ b/config/components/types-v1/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- contour.heptio.com_ingressroutes.yaml +- contour.heptio.com_tlscertificatedelegations.yaml +- projectcontour.io_httpproxies.yaml +- projectcontour.io_tlscertificatedelegations.yaml diff --git a/config/components/types-v1/projectcontour.io_httpproxies.yaml b/config/components/types-v1/projectcontour.io_httpproxies.yaml new file mode 100644 index 00000000000..5aecd25871a --- /dev/null +++ b/config/components/types-v1/projectcontour.io_httpproxies.yaml 
@@ -0,0 +1,761 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: httpproxies.projectcontour.io +spec: + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: Includes allow for specific routing configuration to + be appended to another HTTPProxy in another namespace. 
+ items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: Conditions are a set of routing properties that + is applied to an HTTPProxy in a namespace. + items: + description: Condition are policies that are applied on top + of HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. 
+ properties: + conditions: + description: Conditions are a set of routing properties that + is applied to an HTTPProxy in a namespace. + items: + description: Condition are policies that are applied on top + of HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP health + check request. If left empty (default value), the name + "contour-envoy-healthcheck" will be used. 
+ type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy + names are `Random`, `RoundRobin`, `WeightedLeastRequest`, + `Random` and `Cookie`. If an unknown strategy name is + specified or no policy is supplied, the default `RoundRobin` + policy is used. + type: string + type: object + pathRewritePolicy: + description: The policy for rewriting the path of the request + URL after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: "Prefix specifies the URL path prefix + to be replaced. \n If Prefix is specified, it must + exactly match the Condition prefix that is rendered + by the chain of including HTTPProxies and only that + path prefix will be replaced by Replacement. This + allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving + others unmodified. \n If Prefix is not specified, + all routing prefixes rendered by the include chain + will be replaced." 
+ minLength: 1 + type: string + replacement: + description: Replacement is the string that the routing + path prefix will be replaced with. This must not + be empty. + minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: Allow this path to respond to insecure requests + over HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + requestHeadersPolicy: + description: The policy for managing request headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. 
+ items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + description: NumRetries is maximum allowed number of retries. + If not supplied, the number of retries is one. + format: int64 + minimum: 0 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + type: string + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to + proxy traffic. Names defined here will be used to look + up corresponding endpoints which contain the ips to + route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may + be tls, h2, h2c. If omitted, protocol-selection falls + back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. 
If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers + during proxying + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used + to validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for this route. 
+ properties: + idle: + description: Timeout after which if there are no active + requests for this route, the connection between Envoy + and the backend will be closed. If not specified, there + is no per-route idle timeout. + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied + the timeout duration is undefined. + type: string + type: object + required: + - services + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: "IncludesDeprecated allow for specific routing configuration + to be appended to another HTTPProxy in another namespace. \n + Exists due to a mistake when developing HTTPProxy and the field + was marked plural when it should have been singular. This field + should stay to not break backwards compatibility to v1 users." 
+ properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: The load balancing policy for the backend services. + properties: + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy names + are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Random` + and `Cookie`. If an unknown strategy name is specified or + no policy is supplied, the default `RoundRobin` policy is + used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be + tls, h2, h2c. If omitted, protocol-selection falls back + on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. 
If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + required: + - services + type: object + virtualhost: + description: 
Virtualhost appears at most once. If it is present, the + object is considered to be a "root". + properties: + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn + type: string + tls: + description: If present describes tls properties. The SNI names + that will be matched on are described in fqdn, the tls.secretName + secret must contain a matching certificate + properties: + clientValidation: + description: 'ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. This setting: 1. Enables TLS client certificate + validation. 2. Requires clients to present a TLS certificate + (i.e. not optional validation). 3. Specifies how the client + certificate will be validated.' + properties: + caSecret: + description: Name of a Kubernetes secret that contains + a CA certificate bundle. The client certificate must + validate against the certificates in the bundle. + minLength: 1 + type: string + required: + - caSecret + type: object + minimumProtocolVersion: + description: Minimum TLS version this vhost should negotiate + type: string + passthrough: + description: If Passthrough is set to true, the SecretName + will be ignored and the encrypted handshake will be passed + through to the backing cluster. + type: boolean + secretName: + description: required, the name of a secret in the current + namespace + type: string + type: object + required: + - fqdn + type: object + type: object + status: + description: Status reports the current state of the HTTPProxy. + properties: + currentStatus: + type: string + description: + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/config/components/types-v1/projectcontour.io_tlscertificatedelegations.yaml b/config/components/types-v1/projectcontour.io_tlscertificatedelegations.yaml new file mode 100644 index 00000000000..404f2747429 --- /dev/null +++ b/config/components/types-v1/projectcontour.io_tlscertificatedelegations.yaml 
@@ -0,0 +1,78 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: tlscertificatedelegations.projectcontour.io +spec: + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + - tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD + specificiation. See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. 
If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/components/types/contour.heptio.com_ingressroutes.yaml b/config/components/types/contour.heptio.com_ingressroutes.yaml new file mode 100644 index 00000000000..c44572f65a6 --- /dev/null +++ b/config/components/types/contour.heptio.com_ingressroutes.yaml 
@@ -0,0 +1,370 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: ingressroutes.contour.heptio.com +spec: + additionalPrinterColumns: + - JSONPath: .spec.virtualhost.fqdn + description: Fully qualified domain name + name: FQDN + type: string + - JSONPath: .spec.virtualhost.tls.secretName + description: Secret with TLS credentials + name: TLS Secret + type: string + - JSONPath: .spec.routes[0].match + description: First routes defined + name: First route + type: string + - JSONPath: .status.currentStatus + description: The current status of the HTTPProxy + name: Status + type: string + - JSONPath: .status.description + description: Description of the current status + name: Status Description + type: string + group: contour.heptio.com + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: IngressRoute is an Ingress CRD specificiation + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the spec of the CRD + properties: + routes: + description: Routes are the ingress routes. 
If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host + properties: + delegate: + description: Delegate specifies that this route should be delegated + to another IngressRoute + properties: + name: + description: Name of the IngressRoute + type: string + namespace: + description: Namespace of the IngressRoute. Defaults to the + current namespace if not supplied. + type: string + required: + - name + type: object + enableWebsockets: + description: Enables websocket support for the route + type: boolean + match: + description: Match defines the prefix match + type: string + permitInsecure: + description: Allow this path to respond to insecure requests over + HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + prefixRewrite: + description: Indicates that during forwarding, the matched prefix + (or path) should be swapped with this value + type: string + retryPolicy: + description: The retry policy for this route + properties: + count: + description: NumRetries is maximum allowed number of retries. + If not supplied, the number of retries is one. + format: int64 + minimum: 0 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an upstream to proxy traffic to + properties: + healthCheck: + description: HealthCheck defines optional healthchecks on + the upstream service + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP + health check request. If left empty (default value), + the name "contour-envoy-healthcheck" will be used. 
+ type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health + check response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined + type: integer + strategy: + description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) + type: string + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + timeoutPolicy: + description: The timeout policy for this route + properties: + request: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied + the timeout duration is undefined. 
+ type: string + type: object + required: + - match + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + delegate: + description: Delegate specifies that this tcpproxy should be delegated + to another IngressRoute + properties: + name: + description: Name of the IngressRoute + type: string + namespace: + description: Namespace of the IngressRoute. Defaults to the + current namespace if not supplied. + type: string + required: + - name + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an upstream to proxy traffic to + properties: + healthCheck: + description: HealthCheck defines optional healthchecks on + the upstream service + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP + health check request. If left empty (default value), + the name "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. 
+ type: string + port: + description: Port (defined as Integer) to proxy traffic to + since a service can have multiple defined + type: integer + strategy: + description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) + type: string + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in the + 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root". + properties: + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn + type: string + tls: + description: If present describes tls properties. The SNI names + that will be matched on are described in fqdn, the tls.secretName + secret must contain a matching certificate + properties: + clientValidation: + description: 'ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. This setting: 1. Enables TLS client certificate + validation. 2. Requires clients to present a TLS certificate + (i.e. not optional validation). 3. Specifies how the client + certificate will be validated.' + properties: + caSecret: + description: Name of a Kubernetes secret that contains a + CA certificate bundle. 
The client certificate must validate + against the certificates in the bundle. + minLength: 1 + type: string + required: + - caSecret + type: object + minimumProtocolVersion: + description: Minimum TLS version this vhost should negotiate + type: string + passthrough: + description: If Passthrough is set to true, the SecretName will + be ignored and the encrypted handshake will be passed through + to the backing cluster. + type: boolean + secretName: + description: required, the name of a secret in the current namespace + type: string + type: object + required: + - fqdn + type: object + type: object + status: + description: Status reports the current state of the HTTPProxy. + properties: + currentStatus: + type: string + description: + type: string + type: object + required: + - metadata + - spec + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/components/types/contour.heptio.com_tlscertificatedelegations.yaml b/config/components/types/contour.heptio.com_tlscertificatedelegations.yaml new file mode 100644 index 00000000000..d06b5a8c552 --- /dev/null +++ b/config/components/types/contour.heptio.com_tlscertificatedelegations.yaml 
@@ -0,0 +1,77 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: tlscertificatedelegations.contour.heptio.com +spec: + group: contour.heptio.com + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + singular: tlscertificatedelegation + scope: Namespaced + validation: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. + See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. 
If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + required: + - metadata + - spec + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/components/types/kustomization.yaml b/config/components/types/kustomization.yaml new file mode 100644 index 00000000000..62194dbda1d --- /dev/null +++ b/config/components/types/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- contour.heptio.com_ingressroutes.yaml +- contour.heptio.com_tlscertificatedelegations.yaml +- projectcontour.io_httpproxies.yaml +- projectcontour.io_tlscertificatedelegations.yaml diff --git a/examples/contour/01-crds.yaml b/config/components/types/projectcontour.io_httpproxies.yaml similarity index 61% rename from examples/contour/01-crds.yaml rename to config/components/types/projectcontour.io_httpproxies.yaml index 99f4cc80947..359ec4e5e84 100644 --- a/examples/contour/01-crds.yaml +++ b/config/components/types/projectcontour.io_httpproxies.yaml 
@@ -1,448 +1,4 @@ ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - creationTimestamp: null - name: ingressroutes.contour.heptio.com -spec: - additionalPrinterColumns: - - JSONPath: .spec.virtualhost.fqdn - description: Fully qualified domain name - name: FQDN - type: string - - JSONPath: .spec.virtualhost.tls.secretName - description: Secret with TLS credentials - name: TLS Secret - type: string - - JSONPath: .spec.routes[0].match - description: First routes defined - name: First route - type: string - - JSONPath: .status.currentStatus - description: The current status of the HTTPProxy - name: Status - type: string - - JSONPath: .status.description - description: Description of the current status - name: Status Description - type: string - group: contour.heptio.com - names: - kind: IngressRoute - listKind: IngressRouteList - plural: ingressroutes - singular: ingressroute - scope: Namespaced - subresources: {} - validation: - openAPIV3Schema: - description: IngressRoute is an Ingress CRD specificiation - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IngressRouteSpec defines the spec of the CRD - properties: - routes: - description: Routes are the ingress routes. 
If TCPProxy is present, - Routes is ignored. - items: - description: Route contains the set of routes for a virtual host - properties: - delegate: - description: Delegate specifies that this route should be delegated - to another IngressRoute - properties: - name: - description: Name of the IngressRoute - type: string - namespace: - description: Namespace of the IngressRoute. Defaults to the - current namespace if not supplied. - type: string - required: - - name - type: object - enableWebsockets: - description: Enables websocket support for the route - type: boolean - match: - description: Match defines the prefix match - type: string - permitInsecure: - description: Allow this path to respond to insecure requests over - HTTP which are normally not permitted when a `virtualhost.tls` - block is present. - type: boolean - prefixRewrite: - description: Indicates that during forwarding, the matched prefix - (or path) should be swapped with this value - type: string - retryPolicy: - description: The retry policy for this route - properties: - count: - description: NumRetries is maximum allowed number of retries. - If not supplied, the number of retries is one. - format: int64 - minimum: 0 - type: integer - perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. - type: string - type: object - services: - description: Services are the services to proxy traffic - items: - description: Service defines an upstream to proxy traffic to - properties: - healthCheck: - description: HealthCheck defines optional healthchecks on - the upstream service - properties: - healthyThresholdCount: - description: The number of healthy health checks required - before a host is marked healthy - format: int64 - minimum: 0 - type: integer - host: - description: The value of the host header in the HTTP - health check request. If left empty (default value), - the name "contour-envoy-healthcheck" will be used. 
- type: string - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - path: - description: HTTP endpoint used to perform health checks - on upstream service - type: string - timeoutSeconds: - description: The time to wait (seconds) for a health - check response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int64 - minimum: 0 - type: integer - required: - - path - type: object - name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. - type: string - port: - description: Port (defined as Integer) to proxy traffic - to since a service can have multiple defined - type: integer - strategy: - description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) - type: string - validation: - description: UpstreamValidation defines how to verify the - backend service's certificate - properties: - caSecret: - description: Name of the Kubernetes secret be used to - validate the certificate presented by the backend - type: string - subjectName: - description: Key which is expected to be present in - the 'subjectAltName' of the presented certificate - type: string - required: - - caSecret - - subjectName - type: object - weight: - description: Weight defines percentage of traffic to balance - traffic - format: int64 - minimum: 0 - type: integer - required: - - name - - port - type: object - type: array - timeoutPolicy: - description: The timeout policy for this route - properties: - request: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied - the timeout duration is undefined. 
- type: string - type: object - required: - - match - type: object - type: array - tcpproxy: - description: TCPProxy holds TCP proxy information. - properties: - delegate: - description: Delegate specifies that this tcpproxy should be delegated - to another IngressRoute - properties: - name: - description: Name of the IngressRoute - type: string - namespace: - description: Namespace of the IngressRoute. Defaults to the - current namespace if not supplied. - type: string - required: - - name - type: object - services: - description: Services are the services to proxy traffic - items: - description: Service defines an upstream to proxy traffic to - properties: - healthCheck: - description: HealthCheck defines optional healthchecks on - the upstream service - properties: - healthyThresholdCount: - description: The number of healthy health checks required - before a host is marked healthy - format: int64 - minimum: 0 - type: integer - host: - description: The value of the host header in the HTTP - health check request. If left empty (default value), - the name "contour-envoy-healthcheck" will be used. - type: string - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - path: - description: HTTP endpoint used to perform health checks - on upstream service - type: string - timeoutSeconds: - description: The time to wait (seconds) for a health check - response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int64 - minimum: 0 - type: integer - required: - - path - type: object - name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. 
- type: string - port: - description: Port (defined as Integer) to proxy traffic to - since a service can have multiple defined - type: integer - strategy: - description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) - type: string - validation: - description: UpstreamValidation defines how to verify the - backend service's certificate - properties: - caSecret: - description: Name of the Kubernetes secret be used to - validate the certificate presented by the backend - type: string - subjectName: - description: Key which is expected to be present in the - 'subjectAltName' of the presented certificate - type: string - required: - - caSecret - - subjectName - type: object - weight: - description: Weight defines percentage of traffic to balance - traffic - format: int64 - minimum: 0 - type: integer - required: - - name - - port - type: object - type: array - type: object - virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root". - properties: - fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn - type: string - tls: - description: If present describes tls properties. The SNI names - that will be matched on are described in fqdn, the tls.secretName - secret must contain a matching certificate - properties: - clientValidation: - description: 'ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. This setting: 1. Enables TLS client certificate - validation. 2. Requires clients to present a TLS certificate - (i.e. not optional validation). 3. Specifies how the client - certificate will be validated.' - properties: - caSecret: - description: Name of a Kubernetes secret that contains a - CA certificate bundle. 
The client certificate must validate - against the certificates in the bundle. - minLength: 1 - type: string - required: - - caSecret - type: object - minimumProtocolVersion: - description: Minimum TLS version this vhost should negotiate - type: string - passthrough: - description: If Passthrough is set to true, the SecretName will - be ignored and the encrypted handshake will be passed through - to the backing cluster. - type: boolean - secretName: - description: required, the name of a secret in the current namespace - type: string - type: object - required: - - fqdn - type: object - type: object - status: - description: Status reports the current state of the HTTPProxy. - properties: - currentStatus: - type: string - description: - type: string - type: object - required: - - metadata - - spec - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - creationTimestamp: null - name: tlscertificatedelegations.contour.heptio.com -spec: - group: contour.heptio.com - names: - kind: TLSCertificateDelegation - listKind: TLSCertificateDelegationList - plural: tlscertificatedelegations - singular: tlscertificatedelegation - scope: Namespaced - validation: - openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. - See design/tls-certificate-delegation.md for details. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TLSCertificateDelegationSpec defines the spec of the CRD - properties: - delegations: - items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. - properties: - secretName: - description: required, the name of a secret in the current namespace. - type: string - targetNamespaces: - description: required, the namespaces the authority to reference - the the secret will be delegated to. If TargetNamespaces is - nil or empty, the CertificateDelegation' is ignored. If the - TargetNamespace list contains the character, "*" the secret - will be delegated to all namespaces. - items: - type: string - type: array - required: - - secretName - - targetNamespaces - type: object - type: array - required: - - delegations - type: object - required: - - metadata - - spec - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition 
@@ -1190,81 +746,3 @@ status: plural: "" conditions: [] storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - creationTimestamp: null - name: tlscertificatedelegations.projectcontour.io -spec: - group: projectcontour.io - names: - kind: TLSCertificateDelegation - listKind: TLSCertificateDelegationList - plural: tlscertificatedelegations - shortNames: - - tlscerts - singular: tlscertificatedelegation - scope: Namespaced - validation: - openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. - See design/tls-certificate-delegation.md for details. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TLSCertificateDelegationSpec defines the spec of the CRD - properties: - delegations: - items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. - properties: - secretName: - description: required, the name of a secret in the current namespace. - type: string - targetNamespaces: - description: required, the namespaces the authority to reference - the the secret will be delegated to. 
If TargetNamespaces is - nil or empty, the CertificateDelegation' is ignored. If the - TargetNamespace list contains the character, "*" the secret - will be delegated to all namespaces. - items: - type: string - type: array - required: - - secretName - - targetNamespaces - type: object - type: array - required: - - delegations - type: object - required: - - metadata - - spec - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/components/types/projectcontour.io_tlscertificatedelegations.yaml b/config/components/types/projectcontour.io_tlscertificatedelegations.yaml new file mode 100644 index 00000000000..a1773bdc686 --- /dev/null +++ b/config/components/types/projectcontour.io_tlscertificatedelegations.yaml 
@@ -0,0 +1,79 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: tlscertificatedelegations.projectcontour.io +spec: + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + - tlscerts + singular: tlscertificatedelegation + scope: Namespaced + validation: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. + See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. 
If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + required: + - metadata + - spec + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/deployments/aws/enable-proxy-protocol.yaml b/config/deployments/aws/enable-proxy-protocol.yaml new file mode 100644 index 00000000000..91d31914b6a --- /dev/null +++ b/config/deployments/aws/enable-proxy-protocol.yaml @@ -0,0 +1,6 @@ +# On AWS, we enable TCP mode for ELS, so we also want to enable PROXY +# protocol support to propagate the remote IP address. + +- op: add + path: /spec/template/spec/containers/0/args/- + value: --use-proxy-protocol diff --git a/config/deployments/aws/enable-tcp-balancer.yaml b/config/deployments/aws/enable-tcp-balancer.yaml new file mode 100644 index 00000000000..c3d8c88f6ef --- /dev/null +++ b/config/deployments/aws/enable-tcp-balancer.yaml @@ -0,0 +1,16 @@ +# Add annotations to specify the AWS load balancer mode. +# +# - Specify the backend protocol as "TCP" so that Envoy can do the TLS termination. +# - Enable PROXY protocol to propagate the remote IP address to Envoy. +# +# See https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws + +apiVersion: v1 +kind: Service +metadata: + name: envoy + annotations: + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' +spec: + type: LoadBalancer diff --git a/config/deployments/aws/kustomization.yaml b/config/deployments/aws/kustomization.yaml new file mode 100644 index 00000000000..feb56931647 --- /dev/null +++ b/config/deployments/aws/kustomization.yaml 
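Review bot: The header comment should record the trust assumption that `--use-proxy-protocol` introduces: once Envoy honours PROXY protocol headers, the client address it logs and acts on is whatever the connecting peer puts in that header, so the setting is only safe while the ELB is the sole path to the Envoy listeners (the README notes Envoy runs on host networking, so node-level reachability deserves a check). Suggest adding `# NOTE: PROXY headers are trusted from any peer; keep Envoy reachable only through the ELB.` under the existing comment, and "ELS" on the first comment line looks like a typo for "ELB". The patch is applied to the `contour` Deployment (per `aws/kustomization.yaml`) rather than the Envoy DaemonSet, which is presumably intended because the flag is consumed by Contour, but a word in the comment would save the next reader the detour.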
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../base
+
+patchesStrategicMerge:
+- enable-tcp-balancer.yaml
+
+patchesJson6902:
+- target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: contour
+ namespace: projectcontour
+ path: enable-proxy-protocol.yaml
+
diff --git a/config/deployments/base/kustomization.yaml b/config/deployments/base/kustomization.yaml
new file mode 100644
index 00000000000..61751ef7c4b
--- /dev/null
+++ b/config/deployments/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: projectcontour
+
+resources:
+- namespace.yaml
+- ../../components/types
+- ../../components/envoy
+- ../../components/contour
+- ../../components/certgen
diff --git a/config/deployments/base/namespace.yaml b/config/deployments/base/namespace.yaml
new file mode 100644
index 00000000000..ccc06e716c1
--- /dev/null
+++ b/config/deployments/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: projectcontour
diff --git a/config/deployments/gke/kustomization.yaml b/config/deployments/gke/kustomization.yaml
new file mode 100644
index 00000000000..852e22250f5
--- /dev/null
+++ b/config/deployments/gke/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../base
diff --git a/config/deployments/kind/envoy-nodeport.yaml b/config/deployments/kind/envoy-nodeport.yaml
new file mode 100644
index 00000000000..de9c4f0784d
--- /dev/null
+++ b/config/deployments/kind/envoy-nodeport.yaml
@@ -0,0 +1,12 @@
+# Kind doesn't support Service type Loadbalancer, so we use NodePort
+# instead, and assume that the Kind configuration maps the nost ports to
+# the host.
+#
+# See ../../../examples/kind/kind-expose-port.yaml
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: envoy
+spec:
+ type: NodePort
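Review bot: `base/kustomization.yaml` hard-wires `../../components/types`, the apiextensions `v1beta1` CRDs, while the README describes `types-v1` as the variant for newer Kubernetes; none of the `aws`, `gke` or `kind` overlays can pick the other set without editing the base. A comment on that entry would make the choice explicit, e.g. `# apiextensions v1beta1 CRDs; see ../../components/types-v1 for the newer variant`, or the CRDs could move into their own base so overlays can choose. The `namespace: projectcontour` transformer leaves the cluster-scoped CRDs untouched, which appears to be what is wanted here.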
diff --git a/config/deployments/kind/kustomization.yaml b/config/deployments/kind/kustomization.yaml
new file mode 100644
index 00000000000..2baf5714d95
--- /dev/null
+++ b/config/deployments/kind/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../base
+
+patchesStrategicMerge:
+- envoy-nodeport.yaml
diff --git a/examples/render/contour.yaml b/config/quickstart.yaml
similarity index 95%
rename from examples/render/contour.yaml
rename to config/quickstart.yaml
index d5b7d474cb6..64c5825de5e 100644
--- a/examples/render/contour.yaml
+++ b/config/quickstart.yaml
@@ -2,94 +2,36 @@ # edit this file directly but instead edit the source files and re-render. # # Generated from: -# examples/contour/00-common.yaml -# examples/contour/01-contour-config.yaml -# examples/contour/01-crds.yaml -# examples/contour/02-job-certgen.yaml -# examples/contour/02-rbac.yaml -# examples/contour/02-service-contour.yaml -# examples/contour/02-service-envoy.yaml -# examples/contour/03-contour.yaml -# examples/contour/03-envoy.yaml +# config/components/certgen/job.yaml +# config/components/certgen/kustomization.yaml +# config/components/certgen/rbac.yaml +# config/components/certgen/serviceaccount.yaml +# config/components/contour/contour-rbac.yaml +# config/components/contour/deployment.yaml +# config/components/contour/election-rbac.yaml +# config/components/contour/kustomization.yaml +# config/components/contour/service.yaml +# config/components/contour/serviceaccount.yaml +# config/components/envoy/daemonset.yaml +# config/components/envoy/kustomization.yaml +# config/components/envoy/service.yaml +# config/components/envoy/serviceaccount.yaml +# config/components/types-v1/contour.heptio.com_ingressroutes.yaml +# config/components/types-v1/contour.heptio.com_tlscertificatedelegations.yaml +# config/components/types-v1/kustomization.yaml +# config/components/types-v1/projectcontour.io_httpproxies.yaml +# config/components/types-v1/projectcontour.io_tlscertificatedelegations.yaml +# config/components/types/contour.heptio.com_ingressroutes.yaml +# config/components/types/contour.heptio.com_tlscertificatedelegations.yaml +# config/components/types/kustomization.yaml +# config/components/types/projectcontour.io_httpproxies.yaml +# config/components/types/projectcontour.io_tlscertificatedelegations.yaml # ---- apiVersion: v1 kind: Namespace metadata: - name: projectcontour ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: contour - namespace: projectcontour ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: envoy - namespace: 
projectcontour ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: contour - namespace: projectcontour -data: - contour.yaml: | - # should contour expect to be running inside a k8s cluster - # incluster: true - # - # path to kubeconfig (if not running inside a k8s cluster) - # kubeconfig: /path/to/.kube/config - # - # Client request timeout to be passed to Envoy - # as the connection manager request_timeout. - # Defaults to 0, which Envoy interprets as disabled. - # Note that this is the timeout for the whole request, - # not an idle timeout. - # request-timeout: 0s - # disable ingressroute permitInsecure field - disablePermitInsecure: false - tls: - # minimum TLS version that Contour will negotiate - # minimum-protocol-version: "1.1" - # The following config shows the defaults for the leader election. - # leaderelection: - # configmap-name: leader-elect - # configmap-namespace: projectcontour - ### Logging options - # Default setting - accesslog-format: envoy - # To enable JSON logging in Envoy - # accesslog-format: json - # The default fields that will be logged are specified below. - # To customise this list, just add or remove entries. - # The canonical list is available at - # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields - # json-fields: - # - "@timestamp" - # - "authority" - # - "bytes_received" - # - "bytes_sent" - # - "downstream_local_address" - # - "downstream_remote_address" - # - "duration" - # - "method" - # - "path" - # - "protocol" - # - "request_id" - # - "requested_server_name" - # - "response_code" - # - "response_flags" - # - "uber_trace_id" - # - "upstream_cluster" - # - "upstream_host" - # - "upstream_local_address" - # - "upstream_service_time" - # - "user_agent" - # - "x_forwarded_for" + name: projectcontour --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition 
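Review bot: The `contour` ConfigMap (the `contour.yaml` block carrying `disablePermitInsecure`, the TLS `minimum-protocol-version` and the leader-election settings) is dropped from the rendered output, and none of the new `config/components/...` sources listed in the header is a ConfigMap, so that configuration no longer ships with the quickstart. If `config/components/contour/deployment.yaml` (not visible here) still mounts that ConfigMap the Contour pod will not start; if it no longer does, the previously documented settings now fall back silently to Contour's defaults, and the rendered file or the README should say so. Separately, the header lists both `config/components/types/` and `config/components/types-v1/` as inputs; if both really are rendered, each CRD name appears twice in the quickstart (presumably once per apiextensions version) and the later definition wins on apply, so only one set should be included.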
@@ -97,7 +39,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.9 creationTimestamp: null - name: ingressroutes.contour.heptio.com + name: httpproxies.projectcontour.io spec: additionalPrinterColumns: - JSONPath: .spec.virtualhost.fqdn @@ -108,10 +50,6 @@ spec: description: Secret with TLS credentials name: TLS Secret type: string - - JSONPath: .spec.routes[0].match - description: First routes defined - name: First route - type: string - JSONPath: .status.currentStatus description: The current status of the HTTPProxy name: Status @@ -120,17 +58,20 @@ spec: description: Description of the current status name: Status Description type: string - group: contour.heptio.com + group: projectcontour.io names: - kind: IngressRoute - listKind: IngressRouteList - plural: ingressroutes - singular: ingressroute + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy scope: Namespaced subresources: {} validation: openAPIV3Schema: - description: IngressRoute is an Ingress CRD specificiation + description: HTTPProxy is an Ingress CRD specification properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -145,662 +86,251 @@ spec: metadata: type: object spec: - description: IngressRouteSpec defines the spec of the CRD + description: HTTPProxySpec defines the spec of the CRD. properties: - routes: - description: Routes are the ingress routes. If TCPProxy is present, - Routes is ignored. + includes: + description: Includes allow for specific routing configuration to be + appended to another HTTPProxy in another namespace. items: - description: Route contains the set of routes for a virtual host + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. properties: - delegate: - description: Delegate specifies that this route should be delegated - to another IngressRoute - properties: - name: - description: Name of the IngressRoute - type: string - namespace: - description: Namespace of the IngressRoute. Defaults to the - current namespace if not supplied. - type: string - required: - - name - type: object - enableWebsockets: - description: Enables websocket support for the route - type: boolean - match: - description: Match defines the prefix match - type: string - permitInsecure: - description: Allow this path to respond to insecure requests over - HTTP which are normally not permitted when a `virtualhost.tls` - block is present. - type: boolean - prefixRewrite: - description: Indicates that during forwarding, the matched prefix - (or path) should be swapped with this value - type: string - retryPolicy: - description: The retry policy for this route - properties: - count: - description: NumRetries is maximum allowed number of retries. - If not supplied, the number of retries is one. - format: int64 - minimum: 0 - type: integer - perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. 
- type: string - type: object - services: - description: Services are the services to proxy traffic + conditions: + description: Conditions are a set of routing properties that is + applied to an HTTPProxy in a namespace. items: - description: Service defines an upstream to proxy traffic to + description: Condition are policies that are applied on top + of HTTPProxies. One of Prefix or Header must be provided. properties: - healthCheck: - description: HealthCheck defines optional healthchecks on - the upstream service + header: + description: Header specifies the header condition to match. properties: - healthyThresholdCount: - description: The number of healthy health checks required - before a host is marked healthy - format: int64 - minimum: 0 - type: integer - host: - description: The value of the host header in the HTTP - health check request. If left empty (default value), - the name "contour-envoy-healthcheck" will be used. + contains: + description: Contains specifies a substring that must + be present in the header value. type: string - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - path: - description: HTTP endpoint used to perform health checks - on upstream service + exact: + description: Exact specifies a string that the header + value must be equal to. type: string - timeoutSeconds: - description: The time to wait (seconds) for a health - check response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int64 - minimum: 0 - type: integer - required: - - path - type: object - name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. 
- type: string - port: - description: Port (defined as Integer) to proxy traffic - to since a service can have multiple defined - type: integer - strategy: - description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) - type: string - validation: - description: UpstreamValidation defines how to verify the - backend service's certificate - properties: - caSecret: - description: Name of the Kubernetes secret be used to - validate the certificate presented by the backend + name: + description: Name is the name of the header to match + against. Name is required. Header names are case insensitive. type: string - subjectName: - description: Key which is expected to be present in - the 'subjectAltName' of the presented certificate + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. type: string + present: + description: Present specifies that condition is true + when the named header is present, regardless of its + value. Note that setting Present to false does not + make the condition true if the named header is absent. + type: boolean required: - - caSecret - - subjectName + - name type: object - weight: - description: Weight defines percentage of traffic to balance - traffic - format: int64 - minimum: 0 - type: integer - required: - - name - - port + prefix: + description: Prefix defines a prefix match for a request. + type: string type: object type: array - timeoutPolicy: - description: The timeout policy for this route - properties: - request: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied - the timeout duration is undefined. 
- type: string - type: object - required: - - match - type: object + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults to + the current namespace if not supplied. + type: string + required: + - name + type: object type: array - tcpproxy: - description: TCPProxy holds TCP proxy information. - properties: - delegate: - description: Delegate specifies that this tcpproxy should be delegated - to another IngressRoute - properties: - name: - description: Name of the IngressRoute - type: string - namespace: - description: Namespace of the IngressRoute. Defaults to the - current namespace if not supplied. - type: string - required: - - name - type: object - services: - description: Services are the services to proxy traffic - items: - description: Service defines an upstream to proxy traffic to + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + conditions: + description: Conditions are a set of routing properties that is + applied to an HTTPProxy in a namespace. + items: + description: Condition are policies that are applied on top + of HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. 
+ type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + present: + description: Present specifies that condition is true + when the named header is present, regardless of its + value. Note that setting Present to false does not + make the condition true if the named header is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. properties: - healthCheck: - description: HealthCheck defines optional healthchecks on - the upstream service - properties: - healthyThresholdCount: - description: The number of healthy health checks required - before a host is marked healthy - format: int64 - minimum: 0 - type: integer - host: - description: The value of the host header in the HTTP - health check request. If left empty (default value), - the name "contour-envoy-healthcheck" will be used. - type: string - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - path: - description: HTTP endpoint used to perform health checks - on upstream service - type: string - timeoutSeconds: - description: The time to wait (seconds) for a health check - response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int64 - minimum: 0 - type: integer - required: - - path - type: object - name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. 
+ healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP health + check request. If left empty (default value), the name "contour-envoy-healthcheck" + will be used. type: string - port: - description: Port (defined as Integer) to proxy traffic to - since a service can have multiple defined + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 type: integer - strategy: - description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) + path: + description: HTTP endpoint used to perform health checks on + upstream service type: string - validation: - description: UpstreamValidation defines how to verify the - backend service's certificate - properties: - caSecret: - description: Name of the Kubernetes secret be used to - validate the certificate presented by the backend - type: string - subjectName: - description: Key which is expected to be present in the - 'subjectAltName' of the presented certificate - type: string - required: - - caSecret - - subjectName - type: object - weight: - description: Weight defines percentage of traffic to balance - traffic + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy format: int64 minimum: 0 type: integer required: - - name - - port + - path type: object - type: array - type: object - virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root". 
- properties: - fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn - type: string - tls: - description: If present describes tls properties. The SNI names - that will be matched on are described in fqdn, the tls.secretName - secret must contain a matching certificate - properties: - clientValidation: - description: 'ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. This setting: 1. Enables TLS client certificate - validation. 2. Requires clients to present a TLS certificate - (i.e. not optional validation). 3. Specifies how the client - certificate will be validated.' - properties: - caSecret: - description: Name of a Kubernetes secret that contains a - CA certificate bundle. The client certificate must validate - against the certificates in the bundle. - minLength: 1 - type: string - required: - - caSecret - type: object - minimumProtocolVersion: - description: Minimum TLS version this vhost should negotiate - type: string - passthrough: - description: If Passthrough is set to true, the SecretName will - be ignored and the encrypted handshake will be passed through - to the backing cluster. - type: boolean - secretName: - description: required, the name of a secret in the current namespace - type: string - type: object - required: - - fqdn - type: object - type: object - status: - description: Status reports the current state of the HTTPProxy. 
- properties: - currentStatus: - type: string - description: - type: string - type: object - required: - - metadata - - spec - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - creationTimestamp: null - name: tlscertificatedelegations.contour.heptio.com -spec: - group: contour.heptio.com - names: - kind: TLSCertificateDelegation - listKind: TLSCertificateDelegationList - plural: tlscertificatedelegations - singular: tlscertificatedelegation - scope: Namespaced - validation: - openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. - See design/tls-certificate-delegation.md for details. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TLSCertificateDelegationSpec defines the spec of the CRD - properties: - delegations: - items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. - properties: - secretName: - description: required, the name of a secret in the current namespace. 
- type: string - targetNamespaces: - description: required, the namespaces the authority to reference - the the secret will be delegated to. If TargetNamespaces is - nil or empty, the CertificateDelegation' is ignored. If the - TargetNamespace list contains the character, "*" the secret - will be delegated to all namespaces. - items: - type: string - type: array - required: - - secretName - - targetNamespaces - type: object - type: array - required: - - delegations - type: object - required: - - metadata - - spec - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - creationTimestamp: null - name: httpproxies.projectcontour.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.virtualhost.fqdn - description: Fully qualified domain name - name: FQDN - type: string - - JSONPath: .spec.virtualhost.tls.secretName - description: Secret with TLS credentials - name: TLS Secret - type: string - - JSONPath: .status.currentStatus - description: The current status of the HTTPProxy - name: Status - type: string - - JSONPath: .status.description - description: Description of the current status - name: Status Description - type: string - group: projectcontour.io - names: - kind: HTTPProxy - listKind: HTTPProxyList - plural: httpproxies - shortNames: - - proxy - - proxies - singular: httpproxy - scope: Namespaced - subresources: {} - validation: - openAPIV3Schema: - description: HTTPProxy is an Ingress CRD specification - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HTTPProxySpec defines the spec of the CRD. - properties: - includes: - description: Includes allow for specific routing configuration to be - appended to another HTTPProxy in another namespace. - items: - description: Include describes a set of policies that can be applied - to an HTTPProxy in a namespace. - properties: - conditions: - description: Conditions are a set of routing properties that is - applied to an HTTPProxy in a namespace. - items: - description: Condition are policies that are applied on top - of HTTPProxies. One of Prefix or Header must be provided. - properties: - header: - description: Header specifies the header condition to match. + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy names + are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Random` + and `Cookie`. If an unknown strategy name is specified or + no policy is supplied, the default `RoundRobin` policy is + used. + type: string + type: object + pathRewritePolicy: + description: The policy for rewriting the path of the request + URL after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix should + be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. 
properties: - contains: - description: Contains specifies a substring that must - be present in the header value. + prefix: + description: "Prefix specifies the URL path prefix to + be replaced. \n If Prefix is specified, it must exactly + match the Condition prefix that is rendered by the + chain of including HTTPProxies and only that path + prefix will be replaced by Replacement. This allows + HTTPProxies that are included through multiple roots + to only replace specific path prefixes, leaving others + unmodified. \n If Prefix is not specified, all routing + prefixes rendered by the include chain will be replaced." + minLength: 1 type: string - exact: - description: Exact specifies a string that the header - value must be equal to. + replacement: + description: Replacement is the string that the routing + path prefix will be replaced with. This must not be + empty. + minLength: 1 type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: Allow this path to respond to insecure requests over + HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + requestHeadersPolicy: + description: The policy for managing request headers during proxying + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values that + will be set in the HTTP header. If the header does not exist + it will be added, otherwise it will be overwritten with + the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: name: - description: Name is the name of the header to match - against. Name is required. Header names are case insensitive. - type: string - notcontains: - description: NotContains specifies a substring that - must not be present in the header value. 
+ description: Name represents a key of a header + minLength: 1 type: string - notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + value: + description: Value represents the value of a header + specified by a key + minLength: 1 type: string - present: - description: Present specifies that condition is true - when the named header is present, regardless of its - value. Note that setting Present to false does not - make the condition true if the named header is absent. - type: boolean required: - name + - value type: object - prefix: - description: Prefix defines a prefix match for a request. - type: string - type: object - type: array - name: - description: Name of the HTTPProxy - type: string - namespace: - description: Namespace of the HTTPProxy to include. Defaults to - the current namespace if not supplied. - type: string - required: - - name - type: object - type: array - routes: - description: Routes are the ingress routes. If TCPProxy is present, - Routes is ignored. - items: - description: Route contains the set of routes for a virtual host. - properties: - conditions: - description: Conditions are a set of routing properties that is - applied to an HTTPProxy in a namespace. - items: - description: Condition are policies that are applied on top - of HTTPProxies. One of Prefix or Header must be provided. - properties: - header: - description: Header specifies the header condition to match. - properties: - contains: - description: Contains specifies a substring that must - be present in the header value. - type: string - exact: - description: Exact specifies a string that the header - value must be equal to. - type: string - name: - description: Name is the name of the header to match - against. Name is required. Header names are case insensitive. 
- type: string - notcontains: - description: NotContains specifies a substring that - must not be present in the header value. - type: string - notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. - type: string - present: - description: Present specifies that condition is true - when the named header is present, regardless of its - value. Note that setting Present to false does not - make the condition true if the named header is absent. - type: boolean - required: - - name - type: object - prefix: - description: Prefix defines a prefix match for a request. - type: string - type: object - type: array - enableWebsockets: - description: Enables websocket support for the route. - type: boolean - healthCheckPolicy: - description: The health check policy for this route. - properties: - healthyThresholdCount: - description: The number of healthy health checks required - before a host is marked healthy - format: int64 - minimum: 0 - type: integer - host: - description: The value of the host header in the HTTP health - check request. If left empty (default value), the name "contour-envoy-healthcheck" - will be used. - type: string - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - path: - description: HTTP endpoint used to perform health checks on - upstream service - type: string - timeoutSeconds: - description: The time to wait (seconds) for a health check - response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int64 - minimum: 0 - type: integer - required: - - path - type: object - loadBalancerPolicy: - description: The load balancing policy for this route. - properties: - strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. 
Valid policy names - are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Random` - and `Cookie`. If an unknown strategy name is specified or - no policy is supplied, the default `RoundRobin` policy is - used. - type: string - type: object - pathRewritePolicy: - description: The policy for rewriting the path of the request - URL after the request has been routed to a Service. - properties: - replacePrefix: - description: ReplacePrefix describes how the path prefix should - be replaced. - items: - description: ReplacePrefix describes a path prefix replacement. - properties: - prefix: - description: "Prefix specifies the URL path prefix to - be replaced. \n If Prefix is specified, it must exactly - match the Condition prefix that is rendered by the - chain of including HTTPProxies and only that path - prefix will be replaced by Replacement. This allows - HTTPProxies that are included through multiple roots - to only replace specific path prefixes, leaving others - unmodified. \n If Prefix is not specified, all routing - prefixes rendered by the include chain will be replaced." - minLength: 1 - type: string - replacement: - description: Replacement is the string that the routing - path prefix will be replaced with. This must not be - empty. - minLength: 1 - type: string - required: - - replacement - type: object - type: array - type: object - permitInsecure: - description: Allow this path to respond to insecure requests over - HTTP which are normally not permitted when a `virtualhost.tls` - block is present. - type: boolean - requestHeadersPolicy: - description: The policy for managing request headers during proxying - properties: - remove: - description: Remove specifies a list of HTTP header names - to remove. - items: + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during proxying + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. 
+ items: type: string type: array set: 
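Review bot: The `loadBalancerPolicy.strategy` description added in this hunk lists `Random` twice ("Valid policy names are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Random` and `Cookie`"), and the `notexact` header condition is described as "NoExact" rather than "NotExact"; the same wording is repeated in the following tcpproxy hunk. The CRD carries the `controller-gen.kubebuilder.io/version: v0.2.9` annotation (visible in the earlier hunk of this file), so this manifest is presumably generated from the Go type comments, and the fix belongs in those comments followed by regeneration rather than in this file. The corrected sentences would read `Valid policy names are Random, RoundRobin, WeightedLeastRequest and Cookie.` and `NotExact specifies a string that the header value must not be equal to.`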
@@ -827,41 +357,522 @@ spec: type: object type: array type: object - responseHeadersPolicy: - description: The policy for managing response headers during proxying + retryPolicy: + description: The retry policy for this route. properties: - remove: - description: Remove specifies a list of HTTP header names - to remove. - items: + count: + description: NumRetries is maximum allowed number of retries. + If not supplied, the number of retries is one. + format: int64 + minimum: 0 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + type: string + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. type: string - type: array - set: - description: Set specifies a list of HTTP header values that - will be set in the HTTP header. If the header does not exist - it will be added, otherwise it will be overwritten with - the new value. - items: - description: HeaderValue represents a header name/value - pair + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be + tls, h2, h2c. If omitted, protocol-selection falls back + on Service annotations. 
+ enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array type: object - type: array + responseHeadersPolicy: + description: The policy for managing response headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. 
+ items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: Timeout after which if there are no active requests + for this route, the connection between Envoy and the backend + will be closed. If not specified, there is no per-route + idle timeout. + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied + the timeout duration is undefined. + type: string + type: object + required: + - services + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. 
+ properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required before + a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: "IncludesDeprecated allow for specific routing configuration + to be appended to another HTTPProxy in another namespace. \n Exists + due to a mistake when developing HTTPProxy and the field was marked + plural when it should have been singular. This field should stay + to not break backwards compatibility to v1 users." + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: The load balancing policy for the backend services. + properties: + strategy: + description: Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are `Random`, + `RoundRobin`, `WeightedLeastRequest`, `Random` and `Cookie`. 
+ If an unknown strategy name is specified or no policy is supplied, + the default `RoundRobin` policy is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy traffic. + properties: + mirror: + description: If Mirror is true the Service will receive a + read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic to + since a service can have multiple defined. + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be tls, + h2, h2c. If omitted, protocol-selection falls back on Service + annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. 
+ items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name of the Kubernetes secret be used to + validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in the + 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + required: + - services + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root". 
+ properties: + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn + type: string + tls: + description: If present describes tls properties. The SNI names + that will be matched on are described in fqdn, the tls.secretName + secret must contain a matching certificate + properties: + clientValidation: + description: 'ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. This setting: 1. Enables TLS client certificate + validation. 2. Requires clients to present a TLS certificate + (i.e. not optional validation). 3. Specifies how the client + certificate will be validated.' + properties: + caSecret: + description: Name of a Kubernetes secret that contains a + CA certificate bundle. The client certificate must validate + against the certificates in the bundle. + minLength: 1 + type: string + required: + - caSecret + type: object + minimumProtocolVersion: + description: Minimum TLS version this vhost should negotiate + type: string + passthrough: + description: If Passthrough is set to true, the SecretName will + be ignored and the encrypted handshake will be passed through + to the backing cluster. + type: boolean + secretName: + description: required, the name of a secret in the current namespace + type: string + type: object + required: + - fqdn + type: object + type: object + status: + description: Status reports the current state of the HTTPProxy. 
+ properties: + currentStatus: + type: string + description: + type: string + type: object + required: + - metadata + - spec + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: ingressroutes.contour.heptio.com +spec: + additionalPrinterColumns: + - JSONPath: .spec.virtualhost.fqdn + description: Fully qualified domain name + name: FQDN + type: string + - JSONPath: .spec.virtualhost.tls.secretName + description: Secret with TLS credentials + name: TLS Secret + type: string + - JSONPath: .spec.routes[0].match + description: First routes defined + name: First route + type: string + - JSONPath: .status.currentStatus + description: The current status of the HTTPProxy + name: Status + type: string + - JSONPath: .status.description + description: Description of the current status + name: Status Description + type: string + group: contour.heptio.com + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: IngressRoute is an Ingress CRD specificiation + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the spec of the CRD + properties: + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host + properties: + delegate: + description: Delegate specifies that this route should be delegated + to another IngressRoute + properties: + name: + description: Name of the IngressRoute + type: string + namespace: + description: Namespace of the IngressRoute. Defaults to the + current namespace if not supplied. + type: string + required: + - name type: object + enableWebsockets: + description: Enables websocket support for the route + type: boolean + match: + description: Match defines the prefix match + type: string + permitInsecure: + description: Allow this path to respond to insecure requests over + HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + prefixRewrite: + description: Indicates that during forwarding, the matched prefix + (or path) should be swapped with this value + type: string retryPolicy: - description: The retry policy for this route. + description: The retry policy for this route properties: count: description: NumRetries is maximum allowed number of retries. 
@@ -875,15 +886,47 @@ spec: type: string type: object services: - description: Services are the services to proxy traffic. + description: Services are the services to proxy traffic items: - description: Service defines an Kubernetes Service to proxy - traffic. + description: Service defines an upstream to proxy traffic to properties: - mirror: - description: If Mirror is true the Service will receive - a read only mirror of the traffic for this route. - type: boolean + healthCheck: + description: HealthCheck defines optional healthchecks on + the upstream service + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP + health check request. If left empty (default value), + the name "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health + check response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object name: description: Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding 
@@ -891,86 +934,11 @@ spec: type: string port: description: Port (defined as Integer) to proxy traffic - to since a service can have multiple defined. + to since a service can have multiple defined type: integer - protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be - tls, h2, h2c. If omitted, protocol-selection falls back - on Service annotations. - enum: - - h2 - - h2c - - tls + strategy: + description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) type: string - requestHeadersPolicy: - description: The policy for managing request headers during - proxying - properties: - remove: - description: Remove specifies a list of HTTP header - names to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - responseHeadersPolicy: - description: The policy for managing response headers during - proxying - properties: - remove: - description: Remove specifies a list of HTTP header - names to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. 
- items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object validation: description: UpstreamValidation defines how to verify the backend service's certificate 
@@ -997,103 +965,79 @@ spec: - name - port type: object - minItems: 1 type: array timeoutPolicy: - description: The timeout policy for this route. + description: The timeout policy for this route properties: - idle: - description: Timeout after which if there are no active requests - for this route, the connection between Envoy and the backend - will be closed. If not specified, there is no per-route - idle timeout. - type: string - response: + request: description: Timeout for receiving a response from the server after processing a request from client. If not supplied the timeout duration is undefined. type: string type: object required: - - services + - match type: object type: array tcpproxy: description: TCPProxy holds TCP proxy information. properties: - healthCheckPolicy: - description: The health check policy for this tcp proxy - properties: - healthyThresholdCount: - description: The number of healthy health checks required before - a host is marked healthy - format: int32 - type: integer - intervalSeconds: - description: The interval (seconds) between health checks - format: int64 - type: integer - timeoutSeconds: - description: The time to wait (seconds) for a health check response - format: int64 - type: integer - unhealthyThresholdCount: - description: The number of unhealthy health checks required - before a host is marked unhealthy - format: int32 - type: integer - type: object - include: - description: Include specifies that this tcpproxy should be delegated - to another HTTPProxy. - properties: - name: - description: Name of the child HTTPProxy - type: string - namespace: - description: Namespace of the HTTPProxy to include. Defaults - to the current namespace if not supplied. - type: string - required: - - name - type: object - includes: - description: "IncludesDeprecated allow for specific routing configuration - to be appended to another HTTPProxy in another namespace. 
\n Exists - due to a mistake when developing HTTPProxy and the field was marked - plural when it should have been singular. This field should stay - to not break backwards compatibility to v1 users." + delegate: + description: Delegate specifies that this tcpproxy should be delegated + to another IngressRoute properties: name: - description: Name of the child HTTPProxy + description: Name of the IngressRoute type: string namespace: - description: Namespace of the HTTPProxy to include. Defaults - to the current namespace if not supplied. + description: Namespace of the IngressRoute. Defaults to the + current namespace if not supplied. type: string required: - name type: object - loadBalancerPolicy: - description: The load balancing policy for the backend services. - properties: - strategy: - description: Strategy specifies the policy used to balance requests - across the pool of backend pods. Valid policy names are `Random`, - `RoundRobin`, `WeightedLeastRequest`, `Random` and `Cookie`. - If an unknown strategy name is specified or no policy is supplied, - the default `RoundRobin` policy is used. - type: string - type: object services: description: Services are the services to proxy traffic items: - description: Service defines an Kubernetes Service to proxy traffic. + description: Service defines an upstream to proxy traffic to properties: - mirror: - description: If Mirror is true the Service will receive a - read only mirror of the traffic for this route. - type: boolean + healthCheck: + description: HealthCheck defines optional healthchecks on + the upstream service + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP + health check request. If left empty (default value), + the name "contour-envoy-healthcheck" will be used. 
+ type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object name: description: Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding 
@@ -1101,86 +1045,11 @@ spec: type: string port: description: Port (defined as Integer) to proxy traffic to - since a service can have multiple defined. + since a service can have multiple defined type: integer - protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be tls, - h2, h2c. If omitted, protocol-selection falls back on Service - annotations. - enum: - - h2 - - h2c - - tls + strategy: + description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) type: string - requestHeadersPolicy: - description: The policy for managing request headers during - proxying - properties: - remove: - description: Remove specifies a list of HTTP header names - to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. - items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object - responseHeadersPolicy: - description: The policy for managing response headers during - proxying - properties: - remove: - description: Remove specifies a list of HTTP header names - to remove. - items: - type: string - type: array - set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. 
- items: - description: HeaderValue represents a header name/value - pair - properties: - name: - description: Name represents a key of a header - minLength: 1 - type: string - value: - description: Value represents the value of a header - specified by a key - minLength: 1 - type: string - required: - - name - - value - type: object - type: array - type: object validation: description: UpstreamValidation defines how to verify the backend service's certificate @@ -1207,10 +1076,7 @@ spec: - name - port type: object - minItems: 1 type: array - required: - - services type: object virtualhost: description: Virtualhost appears at most once. If it is present, the 
@@ -1271,9 +1137,85 @@ spec: - metadata - spec type: object - version: v1 + version: v1beta1 versions: - - name: v1 + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: tlscertificatedelegations.contour.heptio.com +spec: + group: contour.heptio.com + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + singular: tlscertificatedelegation + scope: Namespaced + validation: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. + See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. 
+ type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + required: + - metadata + - spec + type: object + version: v1beta1 + versions: + - name: v1beta1 served: true storage: true status: @@ -1364,23 +1306,21 @@ status: apiVersion: v1 kind: ServiceAccount metadata: - name: contour-certgen + name: contour namespace: projectcontour --- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding +apiVersion: v1 +kind: ServiceAccount metadata: - name: contour - namespace: projectcontour -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: contour-certgen -subjects: -- kind: ServiceAccount name: contour-certgen namespace: projectcontour --- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy + namespace: projectcontour +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: 
@@ -1399,60 +1339,31 @@ rules: - put - post - patch ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: contour-certgen - namespace: projectcontour -spec: - ttlSecondsAfterFinished: 0 - template: - metadata: - labels: - app: "contour-certgen" - spec: - containers: - - name: contour - # This version is set to latest because Job specs are immutable; - # if we change this on each version, you can no longer upgrade - # just by applying the deployment YAML. - # See #2423, #2395, #2150, and #2030 for earlier questions about this. - image: docker.io/projectcontour/contour:latest - imagePullPolicy: IfNotPresent - command: - - contour - - certgen - - --incluster - - --kube - - --namespace=$(CONTOUR_NAMESPACE) - env: - - name: CONTOUR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - restartPolicy: Never - serviceAccountName: contour-certgen - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - parallelism: 1 - completions: 1 - backoffLimit: 1 ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: contour -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: contour -subjects: -- kind: ServiceAccount - name: contour +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: contour-leaderelection namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - patch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole @@ -1485,7 +1396,7 @@ rules: - list - watch - apiGroups: - - "networking.k8s.io" + - networking.k8s.io resources: - ingresses verbs: 
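Review bot: The verb lists this hunk and the following ones rewrite still carry `put` and `post` (the context at the top of this hunk, the `ingresses/status` rule in the hunk at `@@ -1493`, and the `contour.heptio.com` and `projectcontour.io` rules in the hunks at `@@ -1512` and `@@ -1521`). Those are HTTP methods, not RBAC verbs; the API server stores them but they never match a request, so they are dead entries that make a least-privilege review of the ClusterRole harder than it needs to be. Where a rule really needs write access the RBAC verbs are `create` and `update`, which the visible rules already list, so the `- put` and `- post` lines can simply be dropped. The mismatch predates this commit, but since the hunks re-indent exactly these lists it is a cheap fix to fold in.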
@@ -1493,18 +1404,21 @@ rules: - list - watch - apiGroups: - - "networking.k8s.io" + - networking.k8s.io resources: - - "ingresses/status" + - ingresses/status verbs: - get - list - watch - - patch + - patch - post - update -- apiGroups: ["contour.heptio.com"] - resources: ["ingressroutes", "tlscertificatedelegations"] +- apiGroups: + - contour.heptio.com + resources: + - ingressroutes + - tlscertificatedelegations verbs: - get - list @@ -1512,8 +1426,11 @@ rules: - put - post - patch -- apiGroups: ["projectcontour.io"] - resources: ["httpproxies", "tlscertificatedelegations"] +- apiGroups: + - projectcontour.io + resources: + - httpproxies + - tlscertificatedelegations verbs: - get - list @@ -1521,8 +1438,13 @@ rules: - put - post - patch -- apiGroups: ["networking.x.k8s.io"] - resources: ["gatewayclasses", "gateways", "httproutes", "tcproutes"] +- apiGroups: + - networking.x.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes verbs: - get - list @@ -1532,29 +1454,18 @@ rules: - patch --- apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role +kind: RoleBinding metadata: - name: contour-leaderelection + name: contour + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen +subjects: +- kind: ServiceAccount + name: contour-certgen namespace: projectcontour -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - update - - patch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding 
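Review bot: The RoleBinding rewritten at the end of the last hunk on this line binds Role `contour-certgen` to ServiceAccount `contour-certgen` but is itself named `contour`, the same name the ClusterRoleBinding for the `contour` ServiceAccount uses in the hunk at `@@ -1570`. The two objects live in different scopes so they do not collide, but anyone auditing which identity holds the certgen Role has to read the `roleRef` and `subjects` to find out; renaming it `name: contour-certgen` would make the binding self-describing. The naming predates this commit, yet the hunk re-emits the whole object, so it is the natural place to correct it.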
@@ -1570,6 +1481,76 @@ subjects: name: contour namespace: projectcontour --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour +--- +apiVersion: v1 +data: + contour.yaml: | + # Whether contour should expect to be running inside a k8s cluster. + # incluster: true + # Path to kubeconfig (if not running inside a k8s cluster). + # kubeconfig: /path/to/.kube/config + # Client request timeout to be passed to Envoy + # as the connection manager request_timeout. + # Defaults to 0, which Envoy interprets as disabled. + # Note that this is the timeout for the whole request, + # not an idle timeout. + # request-timeout: 0s + # Whether to disable the HTTPProxy permitInsecure field. + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.1" + # The following config shows the defaults for the leader election. + # leaderelection: + # configmap-name: leader-elect + # configmap-namespace: projectcontour + # Logging options + accesslog-format: envoy + # To enable JSON logging in Envoy + # accesslog-format: json + # The default fields that will be logged are specified below. + # To customize this list, just add or remove entries. 
+ # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" +kind: ConfigMap +metadata: + name: contour-94dt6gg9ht + namespace: projectcontour +--- apiVersion: v1 kind: Service metadata: @@ -1577,8 +1558,8 @@ metadata: namespace: projectcontour spec: ports: - - port: 8001 - name: xds + - name: xds + port: 8001 protocol: TCP targetPort: 8001 selector: @@ -1590,22 +1571,14 @@ kind: Service metadata: name: envoy namespace: projectcontour - annotations: - # This annotation puts the AWS ELB into "TCP" mode so that it does not - # do HTTP negotiation for HTTPS connections at the ELB edge. - # The downside of this is the remote IP address of all connections will - # appear to be the internal address of the ELB. See docs/proxy-proto.md - # for information about enabling the PROXY protocol on the ELB to recover - # the original remote IP address. - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp spec: externalTrafficPolicy: Local ports: - - port: 80 - name: http + - name: http + port: 80 protocol: TCP - - port: 443 - name: https + - name: https + port: 443 protocol: TCP selector: app: envoy 
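Review bot: The new ConfigMap is emitted with a generated hash suffix, `name: contour-94dt6gg9ht`, and the Deployment's `contour-config` volume in the hunk at `@@ -1669` references that exact name instead of the former `name: contour`. Every edit to contour.yaml therefore yields a new ConfigMap, and `kubectl apply -f -` as run in the CI step never deletes the previous one, so stale copies accumulate in the projectcontour namespace unless the apply prunes. Either document that behaviour next to the installation instructions, or generate the ConfigMap with a stable name (kustomize's `disableNameSuffixHash` generator option) so the rendered file keeps the `contour` name users already reference.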
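Review bot: The envoy Service loses the `service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp` annotation together with the comment explaining that it keeps an AWS ELB from doing HTTP negotiation on HTTPS connections at the edge. Unless that annotation now lives in a platform-specific overlay not shown here, AWS users who apply this rendered file get an ELB that handles TLS differently than before, which is a behavioural change rather than the reorder the rest of the hunk performs. If the drop is deliberate, the installation README should say where the annotation is to be re-added; otherwise it and its comment should be restored in the source the rendering is built from.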
@@ -1620,20 +1593,18 @@ metadata: namespace: projectcontour spec: replicas: 2 - strategy: - type: RollingUpdate - rollingUpdate: - # This value of maxSurge means that during a rolling update - # the new ReplicaSet will be created first. - maxSurge: 50% selector: matchLabels: app: contour + strategy: + rollingUpdate: + maxSurge: 50% + type: RollingUpdate template: metadata: annotations: - prometheus.io/scrape: "true" prometheus.io/port: "8000" + prometheus.io/scrape: "true" labels: app: contour spec: @@ -1658,9 +1629,25 @@ spec: - --contour-cert-file=/certs/tls.crt - --contour-key-file=/certs/tls.key - --config-path=/config/contour.yaml - command: ["contour"] + command: + - contour + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name image: docker.io/projectcontour/contour:master imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8000 name: contour ports: - containerPort: 8001 
@@ -1669,56 +1656,41 @@ spec: - containerPort: 8000 name: debug protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: 8000 readinessProbe: - tcpSocket: - port: 8001 initialDelaySeconds: 15 periodSeconds: 10 + tcpSocket: + port: 8001 volumeMounts: - - name: contourcert - mountPath: /certs - readOnly: true - - name: cacert - mountPath: /ca - readOnly: true - - name: contour-config - mountPath: /config - readOnly: true - env: - - name: CONTOUR_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name + - mountPath: /certs + name: contourcert + readOnly: true + - mountPath: /ca + name: cacert + readOnly: true + - mountPath: /config + name: contour-config + readOnly: true dnsPolicy: ClusterFirst - serviceAccountName: contour securityContext: + runAsGroup: 65534 runAsNonRoot: true runAsUser: 65534 - runAsGroup: 65534 + serviceAccountName: contour volumes: - - name: contourcert - secret: - secretName: contourcert - - name: cacert - secret: - secretName: cacert - - name: contour-config - configMap: - name: contour - defaultMode: 0644 - items: - - key: contour.yaml - path: contour.yaml + - name: contourcert + secret: + secretName: contourcert + - name: cacert + secret: + secretName: cacert + - configMap: + defaultMode: 420 + items: + - key: contour.yaml + path: contour.yaml + name: contour-94dt6gg9ht + name: contour-config --- apiVersion: apps/v1 kind: DaemonSet 
@@ -1728,28 +1700,24 @@ metadata: name: envoy namespace: projectcontour spec: - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 10% selector: matchLabels: app: envoy template: metadata: annotations: - prometheus.io/scrape: "true" + prometheus.io/path: /stats/prometheus prometheus.io/port: "8002" - prometheus.io/path: "/stats/prometheus" + prometheus.io/scrape: "true" labels: app: envoy spec: containers: - - command: + - args: + - envoy + - shutdown-manager + command: - /bin/contour - args: - - envoy - - shutdown-manager image: docker.io/projectcontour/contour:master imagePullPolicy: IfNotPresent lifecycle: @@ -1773,9 +1741,6 @@ spec: - --log-level info command: - envoy - image: docker.io/envoyproxy/envoy:v1.14.1 - imagePullPolicy: IfNotPresent - name: envoy env: - name: CONTOUR_NAMESPACE valueFrom: @@ -1787,6 +1752,15 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name + image: docker.io/envoyproxy/envoy:v1.14.1 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + name: envoy ports: - containerPort: 80 hostPort: 80 @@ -1803,18 +1777,12 @@ spec: initialDelaySeconds: 3 periodSeconds: 4 volumeMounts: - - name: envoy-config - mountPath: /config - - name: envoycert - mountPath: /certs - - name: cacert - mountPath: /ca - lifecycle: - preStop: - httpGet: - path: /shutdown - port: 8090 - scheme: HTTP + - mountPath: /config + name: envoy-config + - mountPath: /certs + name: envoycert + - mountPath: /ca + name: cacert initContainers: - args: - bootstrap 
@@ -1826,32 +1794,73 @@ spec: - --envoy-key-file=/certs/tls.key command: - contour + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace image: docker.io/projectcontour/contour:master imagePullPolicy: IfNotPresent name: envoy-initconfig volumeMounts: - - name: envoy-config - mountPath: /config - - name: envoycert - mountPath: /certs + - mountPath: /config + name: envoy-config + - mountPath: /certs + name: envoycert readOnly: true - - name: cacert - mountPath: /ca + - mountPath: /ca + name: cacert readOnly: true + restartPolicy: Always + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - emptyDir: {} + name: envoy-config + - name: envoycert + secret: + secretName: envoycert + - name: cacert + secret: + secretName: cacert + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen + namespace: projectcontour +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: contour-certgen + spec: + containers: + - command: + - contour + - certgen + - --incluster + - --kube + - --namespace=$(CONTOUR_NAMESPACE) env: - name: CONTOUR_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - serviceAccountName: envoy - terminationGracePeriodSeconds: 300 - volumes: - - name: envoy-config - emptyDir: {} - - name: envoycert - secret: - secretName: envoycert - - name: cacert - secret: - secretName: cacert - restartPolicy: Always + image: docker.io/projectcontour/contour:master + imagePullPolicy: IfNotPresent + name: contour + restartPolicy: Never + securityContext: + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: contour-certgen + ttlSecondsAfterFinished: 0 diff --git a/examples/contour/00-common.yaml b/examples/contour/00-common.yaml deleted file mode 100644 index c037ee61b48..00000000000 --- a/examples/contour/00-common.yaml +++ /dev/null 
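Review bot: The generated `contour-certgen` Job pins `image: docker.io/projectcontour/contour:master` with `imagePullPolicy: IfNotPresent`, whereas the deleted `examples/contour/02-job-certgen.yaml` deliberately used `:latest` with `Always` because Job specs are immutable (its comment cites #2423, #2395, #2150 and #2030). With the release script in this change now rewriting `config/components/certgen/kustomization.yaml` on every version bump, re-applying `quickstart.yaml` after an upgrade will presumably be rejected on the Job's immutable template on any cluster where `ttlSecondsAfterFinished: 0` is not honoured and the finished Job is still present, and `IfNotPresent` on a floating tag lets a node reuse a stale cached certgen image. Either keep the certgen image on `:latest`/`Always` and carry the explanatory comment over into the kustomization, or document the `kubectl delete job -n projectcontour contour-certgen` step in the upgrade notes. The `CONTOUR_NAMESPACE` env added to `envoy-initconfig` looks consistent with the other containers.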
@@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: projectcontour ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: contour - namespace: projectcontour ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: envoy - namespace: projectcontour diff --git a/examples/contour/01-contour-config.yaml b/examples/contour/01-contour-config.yaml deleted file mode 100644 index 80f20c319e0..00000000000 --- a/examples/contour/01-contour-config.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: contour - namespace: projectcontour -data: - contour.yaml: | - # should contour expect to be running inside a k8s cluster - # incluster: true - # - # path to kubeconfig (if not running inside a k8s cluster) - # kubeconfig: /path/to/.kube/config - # - # Client request timeout to be passed to Envoy - # as the connection manager request_timeout. - # Defaults to 0, which Envoy interprets as disabled. - # Note that this is the timeout for the whole request, - # not an idle timeout. - # request-timeout: 0s - # disable ingressroute permitInsecure field - disablePermitInsecure: false - tls: - # minimum TLS version that Contour will negotiate - # minimum-protocol-version: "1.1" - # The following config shows the defaults for the leader election. - # leaderelection: - # configmap-name: leader-elect - # configmap-namespace: projectcontour - ### Logging options - # Default setting - accesslog-format: envoy - # To enable JSON logging in Envoy - # accesslog-format: json - # The default fields that will be logged are specified below. - # To customise this list, just add or remove entries. - # The canonical list is available at - # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields - # json-fields: - # - "@timestamp" - # - "authority" - # - "bytes_received" - # - "bytes_sent" - # - "downstream_local_address" - # - "downstream_remote_address" - # - "duration" - # - "method" - # - "path" - # - "protocol" - # - "request_id" - # - "requested_server_name" - # - "response_code" - # - "response_flags" - # - "uber_trace_id" - # - "upstream_cluster" - # - "upstream_host" - # - "upstream_local_address" - # - "upstream_service_time" - # - "user_agent" - # - "x_forwarded_for" diff --git a/examples/contour/02-job-certgen.yaml b/examples/contour/02-job-certgen.yaml deleted file mode 100644 index 8b4fb3bd87b..00000000000 --- a/examples/contour/02-job-certgen.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: contour-certgen - namespace: projectcontour ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: contour - namespace: projectcontour -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: contour-certgen -subjects: -- kind: ServiceAccount - name: contour-certgen - namespace: projectcontour ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: contour-certgen - namespace: projectcontour -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - - watch - - create - - get - - put - - post - - patch ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: contour-certgen - namespace: projectcontour -spec: - ttlSecondsAfterFinished: 0 - template: - metadata: - labels: - app: "contour-certgen" - spec: - containers: - - name: contour - # This version is set to latest because Job specs are immutable; - # if we change this on each version, you can no longer upgrade - # just by applying the deployment YAML. - # See #2423, #2395, #2150, and #2030 for earlier questions about this. - image: docker.io/projectcontour/contour:latest - imagePullPolicy: Always - command: - - contour - - certgen - - --incluster - - --kube - - --namespace=$(CONTOUR_NAMESPACE) - env: - - name: CONTOUR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - restartPolicy: Never - serviceAccountName: contour-certgen - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - parallelism: 1 - completions: 1 - backoffLimit: 1 diff --git a/examples/contour/02-service-envoy.yaml b/examples/contour/02-service-envoy.yaml deleted file mode 100644 index 15606cfbaaf..00000000000 --- a/examples/contour/02-service-envoy.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: envoy - namespace: projectcontour - annotations: - # This annotation puts the AWS ELB into "TCP" mode so that it does not - # do HTTP negotiation for HTTPS connections at the ELB edge. - # The downside of this is the remote IP address of all connections will - # appear to be the internal address of the ELB. See docs/proxy-proto.md - # for information about enabling the PROXY protocol on the ELB to recover - # the original remote IP address. - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp -spec: - externalTrafficPolicy: Local - ports: - - port: 80 - name: http - protocol: TCP - - port: 443 - name: https - protocol: TCP - selector: - app: envoy - type: LoadBalancer diff --git a/examples/render/kustomization.yaml b/examples/render/kustomization.yaml deleted file mode 100644 index c4dbba3816b..00000000000 --- a/examples/render/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: - - contour.yaml diff --git a/hack/generate-crd-yaml.sh b/hack/generate-crd-yaml.sh index 2084117d4a8..330e9793ec7 100755 --- a/hack/generate-crd-yaml.sh +++ b/hack/generate-crd-yaml.sh 
@@ -6,16 +6,13 @@ set -o pipefail readonly HERE=$(cd $(dirname $0) && pwd) readonly REPO=$(cd ${HERE}/.. && pwd) -readonly TEMPDIR=$(mktemp -d crd.XXXXXX) - -trap "rm -rf $TEMPDIR; exit" 0 1 2 15 cd $REPO -# Controller-gen seems to use an unstable sort for the order of output of the CRDs -# so, output them to separate files, then concatenate those files. -# That should give a stable sort. +# Generate backwards-compatible CRDs. go run sigs.k8s.io/controller-tools/cmd/controller-gen \ - crd paths=./apis/... output:dir=$TEMPDIR + crd paths=./apis/... output:dir=${REPO}/config/components/types -ls $TEMPDIR/*.yaml | xargs cat | sed '/^$/d' > ${REPO}/examples/contour/01-crds.yaml +# Generate V1 CRDs for Kubernetes 1.6 or later. +go run sigs.k8s.io/controller-tools/cmd/controller-gen \ + crd:crdVersions=v1 paths=./apis/... output:dir=${REPO}/config/components/types-v1 diff --git a/hack/generate-deployment.sh b/hack/generate-deployment.sh index fe1a08e250a..0d359a0a25e 100755 --- a/hack/generate-deployment.sh +++ b/hack/generate-deployment.sh @@ -8,8 +8,7 @@ readonly HERE=$(cd $(dirname $0) && pwd) readonly REPO=$(cd ${HERE}/.. && pwd) readonly PROGNAME=$(basename $0) - -readonly TARGET="${REPO}/examples/render/contour.yaml" +readonly TARGET="${REPO}/config/quickstart.yaml" exec >$TARGET @@ -20,12 +19,13 @@ cat <&1 | grep -E -q '^\s+[MADRCU]'; then git commit -s -m "Update Contour Docker image to $NEWVERS." \ - examples/contour/03-contour.yaml \ - examples/contour/03-envoy.yaml \ - examples/render/contour.yaml + config/components/certgen/kustomization.yaml \ + config/components/envoy/kustomization.yaml \ + config/components/contour/kustomization.yaml fi git tag -F - "$NEWVERS" <&1 | grep -E -q '^\s+[MADRCU]'
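Review bot: The new comment `# Generate V1 CRDs for Kubernetes 1.6 or later.` understates the requirement: `crd:crdVersions=v1` emits `apiextensions.k8s.io/v1` CRDs, which exist from Kubernetes 1.16, so it should read `# Generate V1 CRDs for Kubernetes 1.16 or later.`. The first invocation relies on controller-gen's default `crdVersions` to produce the "backwards-compatible" output; passing `crd:crdVersions=v1beta1` explicitly would keep the two output directories meaningful even if a later controller-gen changes its default. Because controller-gen now writes one file per CRD into `output:dir` instead of a single concatenated file, a type removed from `./apis/...` would presumably leave a stale YAML behind in `config/components/types` or `types-v1`; removing the existing `*.yaml` in both directories before each run would avoid shipping a CRD the code no longer defines.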