Documentation ¶
Overview ¶
Package dag provides a data model, in the form of a directed acyclic graph, of the relationship between Kubernetes Ingress, Service, and Secret objects.
Index ¶
- Constants
- func ExtensionClusterName(meta types.NamespacedName) string
- func ValidateRegex(regex string) error
- type AuthorizationServerBufferSettings
- type Builder
- type CORSAllowOriginMatch
- type CORSAllowOriginMatchType
- type CORSPolicy
- type ClientCertificateDetails
- type Cluster
- type ClusterTimeoutPolicy
- type CookieHashOptions
- type CookieRewritePolicy
- type DAG
- func (d *DAG) EnsureSecureVirtualHost(listener, hostname string) *SecureVirtualHost
- func (d *DAG) EnsureService(meta types.NamespacedName, port, healthPort int, cache *KubernetesCache, ...) (*Service, error)
- func (d *DAG) EnsureVirtualHost(listener, hostname string) *VirtualHost
- func (d *DAG) GetClusters() []*Cluster
- func (d *DAG) GetDNSNameClusters() []*DNSNameCluster
- func (d *DAG) GetExtensionCluster(name string) *ExtensionCluster
- func (d *DAG) GetExtensionClusters() map[string]*ExtensionCluster
- func (d *DAG) GetSecrets() []*Secret
- func (d *DAG) GetSecureVirtualHost(listener, hostname string) *SecureVirtualHost
- func (d *DAG) GetSecureVirtualHostRoutes() map[*SecureVirtualHost][]*Route
- func (d *DAG) GetServiceClusters() []*ServiceCluster
- func (d *DAG) GetSingleListener(protocol string) (*Listener, error)
- func (d *DAG) GetVirtualHost(listener, hostname string) *VirtualHost
- func (d *DAG) GetVirtualHostRoutes() map[*VirtualHost][]*Route
- type DNSNameCluster
- type DelegationNotPermittedError
- type DirectResponse
- type ExactMatchCondition
- type ExtensionCluster
- type ExtensionServiceProcessor
- type ExternalAuthorization
- type GatewayAPIProcessor
- type GenericKeyDescriptorEntry
- type GlobalRateLimitPolicy
- type HTTPHealthCheckPolicy
- type HTTPProxyProcessor
- type HTTPStatusRange
- type HeaderHashOptions
- type HeaderMatchCondition
- type HeaderMatchDescriptorEntry
- type HeaderValue
- type HeaderValueMatchDescriptorEntry
- type HeadersPolicy
- type IPFilterRule
- type IngressProcessor
- type InternalRedirectPolicy
- type JWTProvider
- type JWTRule
- type KubernetesCache
- func (kc *KubernetesCache) Insert(obj any) bool
- func (kc *KubernetesCache) LookupBackendTLSPolicyByTargetRef(targetRef gatewayapi_v1alpha2.PolicyTargetReferenceWithSectionName) (*gatewayapi_v1alpha2.BackendTLSPolicy, bool)
- func (kc *KubernetesCache) LookupCAConfigMap(name types.NamespacedName) (*Secret, error)
- func (kc *KubernetesCache) LookupCASecret(name types.NamespacedName, targetNamespace string) (*Secret, error)
- func (kc *KubernetesCache) LookupCRLSecret(name types.NamespacedName, targetNamespace string) (*Secret, error)
- func (kc *KubernetesCache) LookupService(meta types.NamespacedName, port intstr.IntOrString) (*core_v1.Service, core_v1.ServicePort, error)
- func (kc *KubernetesCache) LookupTLSSecret(name types.NamespacedName, targetNamespace string) (*Secret, error)
- func (kc *KubernetesCache) LookupTLSSecretInsecure(name types.NamespacedName) (*Secret, error)
- func (kc *KubernetesCache) LookupUpstreamValidation(uv *contour_v1.UpstreamValidation, caCertificate types.NamespacedName, ...) (*PeerValidationContext, error)
- func (kc *KubernetesCache) Remove(obj any) bool
- type Listener
- type ListenerProcessor
- type LocalRateLimitPolicy
- type MatchCondition
- type MirrorPolicy
- type ObjectStatusWriter
- type Observer
- type ObserverFunc
- type PathRewritePolicy
- type PeerValidationContext
- type PrefixMatchCondition
- type PrefixMatchType
- type Processor
- type ProcessorFunc
- type QueryParamMatchCondition
- type QueryParameterHashOptions
- type RateLimitDescriptor
- type RateLimitDescriptorEntry
- type RateLimitPerRoute
- type RateLimitPolicy
- type Redirect
- type RegexMatchCondition
- type RemoteAddressDescriptorEntry
- type RemoteJWKS
- type RequestHashPolicy
- type RetryPolicy
- type Route
- type RouteTimeoutPolicy
- type Secret
- type SecretValidationStatus
- type SecureVirtualHost
- type Service
- type ServiceCluster
- func (s *ServiceCluster) AddService(name types.NamespacedName, port core_v1.ServicePort)
- func (s *ServiceCluster) AddWeightedService(weight uint32, name types.NamespacedName, port core_v1.ServicePort)
- func (s *ServiceCluster) DeepCopy() *ServiceCluster
- func (s *ServiceCluster) Rebalance()
- func (s *ServiceCluster) Validate() error
- type SlowStartConfig
- type Status
- type StatusWriter
- type TCPHealthCheckPolicy
- type TCPProxy
- type UpstreamTLS
- type VhRateLimitsType
- type VirtualHost
- type WeightedService
Constants ¶
const ( // HeaderMatchTypeExact matches a header value exactly. HeaderMatchTypeExact = "exact" // HeaderMatchTypeContains matches a header value if it contains the // provided value. HeaderMatchTypeContains = "contains" // HeaderMatchTypePresent matches a header if it is present in a request. HeaderMatchTypePresent = "present" // HeaderMatchTypeRegex matches a header if it matches the provided regular // expression. HeaderMatchTypeRegex = "regex" )
const ( // QueryParamMatchTypeExact matches a querystring parameter value exactly. QueryParamMatchTypeExact = "exact" // QueryParamMatchTypePrefix matches a querystring parameter value is // prefixed by a given string. QueryParamMatchTypePrefix = "prefix" // QueryParamMatchTypeSuffix matches a querystring parameter value is // suffixed by a given string. QueryParamMatchTypeSuffix = "suffix" // QueryParamMatchTypeRegex matches a querystring parameter value against // given regular expression. QueryParamMatchTypeRegex = "regex" // QueryParamMatchTypeContains matches a querystring parameter value // contains the given string. QueryParamMatchTypeContains = "contains" // QueryParamMatchTypePresent matches a querystring parameter if present. QueryParamMatchTypePresent = "present" )
const ( // InternalRedirectCrossSchemeNever deny following a redirect if the schemes are different. InternalRedirectCrossSchemeNever = "never" // InternalRedirectCrossSchemeSafeOnly allow following a redirect if the schemes // are the same, or if it is considered safe, which means if the downstream scheme is HTTPS, // both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme is HTTP, // only HTTP redirect targets are allowed. InternalRedirectCrossSchemeSafeOnly = "safeOnly" // InternalRedirectCrossSchemeAlways allow following a redirect whatever the schemes. InternalRedirectCrossSchemeAlways = "always" )
const ( KindHTTPRoute = "HTTPRoute" KindTLSRoute = "TLSRoute" KindGRPCRoute = "GRPCRoute" KindTCPRoute = "TCPRoute" KindGateway = "Gateway" )
const ( HTTP_LISTENER_NAME = "ingress_http" HTTPS_LISTENER_NAME = "ingress_https" )
nolint:revive
const ( // LoadBalancerPolicyWeightedLeastRequest specifies the backend with least // active requests will be chosen by the load balancer. LoadBalancerPolicyWeightedLeastRequest = "WeightedLeastRequest" // LoadBalancerPolicyRandom denotes the load balancer will choose a random // backend when routing a request. LoadBalancerPolicyRandom = "Random" // LoadBalancerPolicyRoundRobin denotes the load balancer will route // requests in a round-robin fashion among backend instances. LoadBalancerPolicyRoundRobin = "RoundRobin" // LoadBalancerPolicyCookie denotes load balancing will be performed via a // Contour specified cookie. LoadBalancerPolicyCookie = "Cookie" // LoadBalancerPolicyRequestHash denotes request attribute hashing is used // to make load balancing decisions. LoadBalancerPolicyRequestHash = "RequestHash" )
const ( // CACertificateKey is the key name for accessing TLS CA certificate bundles in Kubernetes Secrets. CACertificateKey = "ca.crt" // CRLKey is the key name for accessing CRL bundles in Kubernetes Secrets. CRLKey = "crl.pem" )
Variables ¶
This section is empty.
Functions ¶
func ExtensionClusterName ¶ added in v1.13.0
func ExtensionClusterName(meta types.NamespacedName) string
ExtensionClusterName generates a unique Envoy cluster name for an ExtensionCluster. The namespaced name of an ExtensionCluster is globally unique, so we can simply use that as the cluster name. As long as we scope the context with the "extension" prefix there can't be a conflict. Note that the name doesn't include a hash of the contents because we want a 1-1 mapping between ExtensionServices and Envoy Clusters; we don't want a new Envoy Cluster just because a field changed.
func ValidateRegex ¶ added in v1.10.0
ValidateRegex returns an error if the supplied RE2 regex syntax is invalid.
Types ¶
type AuthorizationServerBufferSettings ¶ added in v1.20.0
type AuthorizationServerBufferSettings struct { // MaxRequestBytes sets the maximum size of message body // ExtAuthz filter will hold in-memory. // Envoy will return HTTP 413 and will not initiate the // authorization process when buffer reaches the number set // in this field. Refer to // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-http-ext-authz-v3-buffersettings // for more details. MaxRequestBytes uint32 // If AllowPartialMessage is true, // then Envoy will buffer the body until MaxRequestBytes are reached. AllowPartialMessage bool // If PackAsBytes is true, the body sent to Authorization Server is in raw bytes. PackAsBytes bool }
AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client request data and send it as part of authorization request
type Builder ¶
type Builder struct { // Source is the source of Kubernetes objects // from which to build a DAG. Source KubernetesCache // Processors is the ordered list of Processors to // use to build the DAG. Processors []Processor // Metrics contains Prometheus metrics. Metrics *metrics.Metrics }
Builder builds a DAG.
type CORSAllowOriginMatch ¶ added in v1.23.0
type CORSAllowOriginMatch struct { // Type is the type of matching to perform. // Wildcard matches are treated as exact matches. Type CORSAllowOriginMatchType // Value is the pattern to match against, the specifics of which // will depend on the type of match. Value string }
CORSAllowOriginMatch specifies how allowed origins should be matched.
type CORSAllowOriginMatchType ¶ added in v1.23.0
type CORSAllowOriginMatchType int
CORSAllowOriginMatchType differentiates different CORS origin matching methods.
const ( // CORSAllowOriginMatchExact will match an origin exactly. // Wildcard "*" matches should be configured as exact matches. CORSAllowOriginMatchExact CORSAllowOriginMatchType = iota // CORSAllowOriginMatchRegex denote a regex pattern will be used // to match the origin in a request. CORSAllowOriginMatchRegex )
type CORSPolicy ¶ added in v1.9.0
type CORSPolicy struct { // Specifies whether the resource allows credentials. AllowCredentials bool // AllowOrigin specifies the origins that will be allowed to do CORS requests. AllowOrigin []CORSAllowOriginMatch // AllowMethods specifies the content for the *access-control-allow-methods* header. AllowMethods []string // AllowHeaders specifies the content for the *access-control-allow-headers* header. AllowHeaders []string // ExposeHeaders Specifies the content for the *access-control-expose-headers* header. ExposeHeaders []string // MaxAge specifies the content for the *access-control-max-age* header. MaxAge timeout.Setting // AllowPrivateNetwork specifies whether to allow private network requests. AllowPrivateNetwork bool }
CORSPolicy allows setting the CORS policy
type ClientCertificateDetails ¶ added in v1.24.0
type ClientCertificateDetails struct { // Subject of the client cert. Subject bool // Client cert in URL encoded PEM format. Cert bool // Client cert chain (including the leaf cert) in URL encoded PEM format. Chain bool // DNS type Subject Alternative Names of the client cert. DNS bool // URI type Subject Alternative Name of the client cert. URI bool }
ClientCertificateDetails defines which parts of the client certificate will be forwarded.
type Cluster ¶ added in v1.0.0
type Cluster struct { // Upstream is the backend Kubernetes service traffic arriving // at this Cluster will be forwarded to. Upstream *Service // The relative weight of this Cluster compared to its siblings. Weight uint32 // The protocol to use to speak to this cluster. Protocol string // UpstreamValidation defines how to verify the backend service's certificate UpstreamValidation *PeerValidationContext // The load balancer strategy to use when picking a host in the cluster. // See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#enum-config-cluster-v3-cluster-lbpolicy LoadBalancerPolicy string // Cluster http health check policy *HTTPHealthCheckPolicy // Cluster tcp health check policy *TCPHealthCheckPolicy // RequestHeadersPolicy defines how headers are managed during forwarding RequestHeadersPolicy *HeadersPolicy // ResponseHeadersPolicy defines how headers are managed during forwarding ResponseHeadersPolicy *HeadersPolicy // CookieRewritePolicies is a list of policies that define how HTTP Set-Cookie // headers should be rewritten for responses on this route. CookieRewritePolicies []CookieRewritePolicy // SNI is used when a route proxies an upstream using tls. // SNI describes how the SNI is set on a Cluster and is configured via RequestHeadersPolicy.Host key. // Policies set on service are used before policies set on a route. Otherwise the value of the externalService // is used if the route is configured to proxy to an externalService type. // If the value is not set, then SNI is not changed. SNI string // DNSLookupFamily defines how external names are looked up // When configured as V4, the DNS resolver will only perform a lookup // for addresses in the IPv4 family. If V6 is configured, the DNS resolver // will only perform a lookup for addresses in the IPv6 family. // If AUTO is configured, the DNS resolver will first perform a lookup // for addresses in the IPv6 family and fallback to a lookup for addresses // in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for // both IPv4 and IPv6 families, and return all resolved addresses. // When this is used, Happy Eyeballs will be enabled for upstream connections. // Refer to Happy Eyeballs Support for more information. // Note: This only applies to externalName clusters. DNSLookupFamily string // ClientCertificate is the optional identifier of the TLS secret containing client certificate and // private key to be used when establishing TLS connection to upstream cluster. ClientCertificate *Secret // TimeoutPolicy specifies how to handle timeouts for this cluster. TimeoutPolicy ClusterTimeoutPolicy SlowStartConfig *SlowStartConfig // MaxRequestsPerConnection defines the maximum number of requests per connection to the upstream before it is closed. MaxRequestsPerConnection *uint32 // PerConnectionBufferLimitBytes defines the soft limit on size of the cluster’s new connection read and write buffers. PerConnectionBufferLimitBytes *uint32 // UpstreamTLS contains the TLS version and cipher suite configurations for upstream connections UpstreamTLS *UpstreamTLS }
Cluster holds the connection specific parameters that apply to traffic routed to an upstream service.
type ClusterTimeoutPolicy ¶ added in v1.21.0
type ClusterTimeoutPolicy struct { // IdleConnectionTimeout is the timeout applied to idle connection. IdleConnectionTimeout timeout.Setting // ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. ConnectTimeout time.Duration }
ClusterTimeoutPolicy defines the timeout policy for a cluster.
type CookieHashOptions ¶ added in v1.12.0
type CookieHashOptions struct { // CookieName is the name of the header to hash. CookieName string // TTL is how long the cookie should be valid for. TTL time.Duration // Path is the request path the cookie is valid for. Path string }
CookieHashOptions contains options for hashing a HTTP cookie.
type CookieRewritePolicy ¶ added in v1.19.0
type CookieRewritePolicy struct { Name string Path *string Domain *string // Using an uint since pointer to boolean gets dereferenced in golang // text templates so we have no way of distinguishing if unset or set to false. // 0 means unset, 1 means false, 2 means true Secure uint SameSite *string }
CookieRewritePolicy defines how attributes of an HTTP Set-Cookie header can be rewritten.
type DAG ¶
type DAG struct { // StatusCache holds a cache of status updates to send. StatusCache status.Cache Listeners map[string]*Listener ExtensionClusters []*ExtensionCluster // Set this to true if Contour is configured with a Gateway // and Listeners are derived from the Gateway's Listeners, or // false otherwise. HasDynamicListeners bool }
func (*DAG) EnsureSecureVirtualHost ¶ added in v1.9.0
func (d *DAG) EnsureSecureVirtualHost(listener, hostname string) *SecureVirtualHost
EnsureSecureVirtualHost adds a secure virtual host with the provided name to the DAG if it does not already exist, and returns it.
func (*DAG) EnsureService ¶ added in v1.9.0
func (d *DAG) EnsureService(meta types.NamespacedName, port, healthPort int, cache *KubernetesCache, enableExternalNameSvc bool) (*Service, error)
EnsureService looks for a Kubernetes service in the cache matching the provided namespace, name and port, and returns a DAG service for it. If a matching service cannot be found in the cache, an error is returned.
func (*DAG) EnsureVirtualHost ¶ added in v1.9.0
func (d *DAG) EnsureVirtualHost(listener, hostname string) *VirtualHost
EnsureVirtualHost adds a virtual host with the provided name to the DAG if it does not already exist, and returns it.
func (*DAG) GetClusters ¶ added in v1.20.0
func (*DAG) GetDNSNameClusters ¶ added in v1.23.0
func (d *DAG) GetDNSNameClusters() []*DNSNameCluster
func (*DAG) GetExtensionCluster ¶ added in v1.9.0
func (d *DAG) GetExtensionCluster(name string) *ExtensionCluster
GetExtensionCluster returns the extension cluster in the DAG that matches the provided name, or nil if no matching extension cluster is found.
func (*DAG) GetExtensionClusters ¶ added in v1.9.0
func (d *DAG) GetExtensionClusters() map[string]*ExtensionCluster
GetExtensionClusters returns all extension clusters in the DAG.
func (*DAG) GetSecrets ¶ added in v1.20.0
func (*DAG) GetSecureVirtualHost ¶ added in v1.9.0
func (d *DAG) GetSecureVirtualHost(listener, hostname string) *SecureVirtualHost
GetSecureVirtualHost returns the secure virtual host in the DAG that matches the provided name, or nil if no matching secure virtual host is found.
func (*DAG) GetSecureVirtualHostRoutes ¶ added in v1.20.0
func (d *DAG) GetSecureVirtualHostRoutes() map[*SecureVirtualHost][]*Route
func (*DAG) GetServiceClusters ¶ added in v1.20.0
func (d *DAG) GetServiceClusters() []*ServiceCluster
func (*DAG) GetSingleListener ¶ added in v1.26.0
GetSingleListener returns the sole listener with the specified protocol, or an error if there is not exactly one listener with that protocol.
func (*DAG) GetVirtualHost ¶ added in v1.9.0
func (d *DAG) GetVirtualHost(listener, hostname string) *VirtualHost
GetVirtualHost returns the virtual host in the DAG that matches the provided name, or nil if no matching virtual host is found.
func (*DAG) GetVirtualHostRoutes ¶ added in v1.20.0
func (d *DAG) GetVirtualHostRoutes() map[*VirtualHost][]*Route
type DNSNameCluster ¶ added in v1.23.0
type DNSNameCluster struct { Address string Scheme string Port int DNSLookupFamily string UpstreamValidation *PeerValidationContext UpstreamTLS *UpstreamTLS }
DNSNameCluster is a cluster that routes directly to a DNS name (i.e. not a Kubernetes service).
type DelegationNotPermittedError ¶ added in v1.26.0
type DelegationNotPermittedError struct {
// contains filtered or unexported fields
}
DelegationNotPermittedError is returned by KubernetesCache's Secret accessor methods when delegation is not set up.
func NewDelegationNotPermittedError ¶ added in v1.26.0
func NewDelegationNotPermittedError(err error) DelegationNotPermittedError
type DirectResponse ¶ added in v1.15.0
type DirectResponse struct { // StatusCode is the HTTP response status to be returned. StatusCode uint32 // Body is the content of the response body. Body string }
DirectResponse allows for a specific HTTP status code and body to be the response to a route request vs routing to an envoy cluster.
type ExactMatchCondition ¶ added in v1.14.0
type ExactMatchCondition struct {
Path string
}
ExactMatchCondition matches the entire path of a URL.
func (*ExactMatchCondition) String ¶ added in v1.14.0
func (ec *ExactMatchCondition) String() string
type ExtensionCluster ¶ added in v1.9.0
type ExtensionCluster struct { // Name is the (globally unique) name of the corresponding Envoy cluster resource. Name string // Upstream is the cluster that receives network traffic. Upstream ServiceCluster // The protocol to use to speak to this cluster. Protocol string // UpstreamValidation defines how to verify the backend service's certificate UpstreamValidation *PeerValidationContext // The load balancer type to use when picking a host in the cluster. // See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#enum-config-cluster-v3-cluster-lbpolicy LoadBalancerPolicy string // RouteTimeoutPolicy specifies how to handle timeouts to this extension. RouteTimeoutPolicy RouteTimeoutPolicy // TimeoutPolicy specifies how to handle timeouts for this cluster. ClusterTimeoutPolicy ClusterTimeoutPolicy // SNI is used when a route proxies an upstream using TLS. SNI string // ClientCertificate is the optional identifier of the TLS secret containing client certificate and // private key to be used when establishing TLS connection to upstream cluster. ClientCertificate *Secret // UpstreamTLS contains the TLS version and cipher suite configurations for upstream connections UpstreamTLS *UpstreamTLS }
ExtensionCluster generates an Envoy cluster (aka ClusterLoadAssignment) for an ExtensionService resource.
type ExtensionServiceProcessor ¶ added in v1.9.0
type ExtensionServiceProcessor struct { logrus.FieldLogger // ClientCertificate is the optional identifier of the TLS // secret containing client certificate and private key to be // used when establishing TLS connection to upstream cluster. ClientCertificate *types.NamespacedName // ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. ConnectTimeout time.Duration // UpstreamTLS defines the TLS settings like min/max version // and cipher suites for upstream connections. UpstreamTLS *UpstreamTLS }
func (*ExtensionServiceProcessor) Run ¶ added in v1.9.0
func (p *ExtensionServiceProcessor) Run(dag *DAG, cache *KubernetesCache)
type ExternalAuthorization ¶ added in v1.25.0
type ExternalAuthorization struct { // AuthorizationService points to the extension that client // requests are forwarded to for authorization. If nil, no // authorization is enabled for this host. AuthorizationService *ExtensionCluster // AuthorizationResponseTimeout sets how long the proxy should wait // for authorization server responses. AuthorizationResponseTimeout timeout.Setting // AuthorizationFailOpen sets whether authorization server // failures should cause the client request to also fail. The // only reason to set this to `true` is when you are migrating // from internal to external authorization. AuthorizationFailOpen bool // AuthorizationServerWithRequestBody specifies configuration // for buffering request data sent to AuthorizationServer AuthorizationServerWithRequestBody *AuthorizationServerBufferSettings }
ExternalAuthorization contains the configuration for enabling the ExtAuthz filter.
type GatewayAPIProcessor ¶ added in v1.13.0
type GatewayAPIProcessor struct { logrus.FieldLogger // EnableExternalNameService allows processing of ExternalNameServices // This is normally disabled for security reasons. // See https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for details. EnableExternalNameService bool // ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. ConnectTimeout time.Duration // MaxRequestsPerConnection defines the maximum number of requests per connection to the upstream before it is closed. MaxRequestsPerConnection *uint32 // PerConnectionBufferLimitBytes defines the soft limit on size of the cluster’s new connection read and write buffers. PerConnectionBufferLimitBytes *uint32 // SetSourceMetadataOnRoutes defines whether to set the Kind, // Namespace and Name fields on generated DAG routes. This is // configurable and off by default in order to support the feature // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool // GlobalCircuitBreakerDefaults defines global circuit breaker defaults. GlobalCircuitBreakerDefaults *contour_v1alpha1.GlobalCircuitBreakerDefaults // UpstreamTLS defines the TLS settings like min/max version // and cipher suites for upstream connections. UpstreamTLS *UpstreamTLS // contains filtered or unexported fields }
GatewayAPIProcessor translates Gateway API types into DAG objects and adds them to the DAG.
func (*GatewayAPIProcessor) Run ¶ added in v1.13.0
func (p *GatewayAPIProcessor) Run(dag *DAG, source *KubernetesCache)
Run translates Gateway API types into DAG objects and adds them to the DAG.
type GenericKeyDescriptorEntry ¶ added in v1.15.0
GenericKeyDescriptorEntry configures a descriptor entry that has a static key & value.
type GlobalRateLimitPolicy ¶ added in v1.13.0
type GlobalRateLimitPolicy struct {
Descriptors []*RateLimitDescriptor
}
GlobalRateLimitPolicy holds global rate limiting parameters.
type HTTPHealthCheckPolicy ¶ added in v1.2.0
type HTTPHealthCheckPolicy struct { Path string Host string Interval time.Duration Timeout time.Duration UnhealthyThreshold uint32 HealthyThreshold uint32 ExpectedStatuses []HTTPStatusRange }
HTTPHealthCheckPolicy http health check policy
type HTTPProxyProcessor ¶ added in v1.9.0
type HTTPProxyProcessor struct { // DisablePermitInsecure disables the use of the // permitInsecure field in HTTPProxy. DisablePermitInsecure bool // FallbackCertificate is the optional identifier of the // TLS secret to use by default when SNI is not set on a // request. FallbackCertificate *types.NamespacedName // EnableExternalNameService allows processing of ExternalNameServices // This is normally disabled for security reasons. // See https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for details. EnableExternalNameService bool // DNSLookupFamily defines how external names are looked up // When configured as V4, the DNS resolver will only perform a lookup // for addresses in the IPv4 family. If V6 is configured, the DNS resolver // will only perform a lookup for addresses in the IPv6 family. // If AUTO is configured, the DNS resolver will first perform a lookup // for addresses in the IPv6 family and fallback to a lookup for addresses // in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for // both IPv4 and IPv6 families, and return all resolved addresses. // When this is used, Happy Eyeballs will be enabled for upstream connections. // Refer to Happy Eyeballs Support for more information. // Note: This only applies to externalName clusters. DNSLookupFamily contour_v1alpha1.ClusterDNSFamilyType // ClientCertificate is the optional identifier of the TLS secret containing client certificate and // private key to be used when establishing TLS connection to upstream cluster. ClientCertificate *types.NamespacedName // Request headers that will be set on all routes (optional). RequestHeadersPolicy *HeadersPolicy // Response headers that will be set on all routes (optional). ResponseHeadersPolicy *HeadersPolicy // GlobalExternalAuthorization defines how requests will be authorized. GlobalExternalAuthorization *contour_v1.AuthorizationServer // ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. ConnectTimeout time.Duration // MaxRequestsPerConnection defines the maximum number of requests per connection to the upstream before it is closed. MaxRequestsPerConnection *uint32 // PerConnectionBufferLimitBytes defines the soft limit on size of the listener’s new connection read and write buffers. PerConnectionBufferLimitBytes *uint32 // GlobalRateLimitService defines Envoy's Global RateLimit Service configuration. GlobalRateLimitService *contour_v1alpha1.RateLimitServiceConfig // SetSourceMetadataOnRoutes defines whether to set the Kind, // Namespace and Name fields on generated DAG routes. This is // configurable and off by default in order to support the feature // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool // GlobalCircuitBreakerDefaults defines global circuit breaker defaults. GlobalCircuitBreakerDefaults *contour_v1alpha1.GlobalCircuitBreakerDefaults // UpstreamTLS defines the TLS settings like min/max version // and cipher suites for upstream connections. UpstreamTLS *UpstreamTLS // contains filtered or unexported fields }
HTTPProxyProcessor translates HTTPProxies into DAG objects and adds them to the DAG.
func (*HTTPProxyProcessor) GlobalAuthorizationConfigured ¶ added in v1.25.0
func (p *HTTPProxyProcessor) GlobalAuthorizationConfigured() bool
func (*HTTPProxyProcessor) GlobalAuthorizationContext ¶ added in v1.25.0
func (p *HTTPProxyProcessor) GlobalAuthorizationContext() map[string]string
GlobalAuthorizationContext returns the authorization policy context (if present).
func (*HTTPProxyProcessor) Run ¶ added in v1.9.0
func (p *HTTPProxyProcessor) Run(dag *DAG, source *KubernetesCache)
Run translates HTTPProxies into DAG objects and adds them to the DAG.
type HTTPStatusRange ¶ added in v1.26.0
type HeaderHashOptions ¶ added in v1.12.0
type HeaderHashOptions struct { // HeaderName is the name of the header to hash. HeaderName string }
HeaderHashOptions contains options for hashing a HTTP header.
type HeaderMatchCondition ¶ added in v1.7.0
type HeaderMatchCondition struct { Name string Value string MatchType string Invert bool IgnoreCase bool TreatMissingAsEmpty bool }
HeaderMatchCondition matches request headers by MatchType
func (*HeaderMatchCondition) String ¶ added in v1.7.0
func (hc *HeaderMatchCondition) String() string
type HeaderMatchDescriptorEntry ¶ added in v1.15.0
HeaderMatchDescriptorEntry configures a descriptor entry that's populated only if the specified header is present on the request.
type HeaderValue ¶ added in v1.1.0
type HeaderValueMatchDescriptorEntry ¶ added in v1.15.0
type HeaderValueMatchDescriptorEntry struct { Headers []HeaderMatchCondition ExpectMatch bool Value string }
type HeadersPolicy ¶ added in v1.1.0
type HeadersPolicy struct { // HostRewrite defines if a host should be rewritten on upstream requests HostRewrite string // HostRewriteHeader defines if a host should be rewritten on upstream requests // via a header value. only applicable for routes. HostRewriteHeader string Add map[string]string Set map[string]string Remove []string }
HeadersPolicy defines how headers are managed during forwarding
type IPFilterRule ¶ added in v1.25.0
type IngressProcessor ¶ added in v1.9.0
type IngressProcessor struct { logrus.FieldLogger // ClientCertificate is the optional identifier of the TLS secret containing client certificate and // private key to be used when establishing TLS connection to upstream cluster. ClientCertificate *types.NamespacedName // EnableExternalNameService allows processing of ExternalNameServices // This is normally disabled for security reasons. // See https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for details. EnableExternalNameService bool // Request headers that will be set on all routes (optional). RequestHeadersPolicy *HeadersPolicy // Response headers that will be set on all routes (optional). ResponseHeadersPolicy *HeadersPolicy // ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. ConnectTimeout time.Duration // MaxRequestsPerConnection defines the maximum number of requests per connection to the upstream before it is closed. MaxRequestsPerConnection *uint32 // PerConnectionBufferLimitBytes defines the soft limit on size of the cluster’s new connection read and write buffers. PerConnectionBufferLimitBytes *uint32 // SetSourceMetadataOnRoutes defines whether to set the Kind, // Namespace and Name fields on generated DAG routes. This is // configurable and off by default in order to support the feature // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool // GlobalCircuitBreakerDefaults defines global circuit breaker defaults. GlobalCircuitBreakerDefaults *contour_v1alpha1.GlobalCircuitBreakerDefaults // UpstreamTLS defines the TLS settings like min/max version // and cipher suites for upstream connections. UpstreamTLS *UpstreamTLS // contains filtered or unexported fields }
IngressProcessor translates Ingresses into DAG objects and adds them to the DAG.
func (*IngressProcessor) Run ¶ added in v1.9.0
func (p *IngressProcessor) Run(dag *DAG, source *KubernetesCache)
Run translates Ingresses into DAG objects and adds them to the DAG.
type InternalRedirectPolicy ¶ added in v1.25.0
type InternalRedirectPolicy struct { // MaxInternalRedirects An internal redirect is not handled, unless the number // of previous internal redirects that a downstream request has // encountered is lower than this value MaxInternalRedirects uint32 // RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. // Only 301, 302, 303, 307 and 308 are valid values RedirectResponseCodes []uint32 // AllowCrossSchemeRedirect specifies how to handle a redirect when the downstream url // and the redirect target url have different scheme. AllowCrossSchemeRedirect string // If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has // been followed by a previous redirect from the current route. DenyRepeatedRouteRedirect bool }
InternalRedirectPolicy defines if envoy should handle redirect response internally instead of sending it downstream. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-internalredirectpolicy
type JWTProvider ¶ added in v1.23.0
type JWTProvider struct { Name string Issuer string Audiences []string RemoteJWKS RemoteJWKS ForwardJWT bool }
type JWTRule ¶ added in v1.23.0
type JWTRule struct { PathMatchCondition MatchCondition HeaderMatchConditions []HeaderMatchCondition ProviderName string }
type KubernetesCache ¶
type KubernetesCache struct { // RootNamespaces specifies the namespaces where root // HTTPProxies can be defined. If empty, roots can be defined in any // namespace. RootNamespaces []string // Names of ingress classes to cache HTTPProxies/Ingresses for. If not // set, objects with no ingress class or DEFAULT_INGRESS_CLASS will be // cached. IngressClassNames []string // ConfiguredGatewayToCache is the optional name of the specific Gateway to cache. // If set, only the Gateway with this namespace/name will be kept. ConfiguredGatewayToCache *types.NamespacedName // Secrets that are referred from the configuration file. ConfiguredSecretRefs []*types.NamespacedName // Metrics contains Prometheus metrics. Metrics *metrics.Metrics Client client.Reader logrus.FieldLogger // contains filtered or unexported fields }
A KubernetesCache holds Kubernetes objects and associated configuration and produces DAG values.
func (*KubernetesCache) Insert ¶
func (kc *KubernetesCache) Insert(obj any) bool
Insert inserts obj into the KubernetesCache. Insert returns true if the cache accepted the object, or false if the value is not interesting to the cache. If an object with a matching type, name, and namespace exists, it will be overwritten.
func (*KubernetesCache) LookupBackendTLSPolicyByTargetRef ¶ added in v1.28.0
func (kc *KubernetesCache) LookupBackendTLSPolicyByTargetRef(targetRef gatewayapi_v1alpha2.PolicyTargetReferenceWithSectionName) (*gatewayapi_v1alpha2.BackendTLSPolicy, bool)
LookupBackendTLSPolicyByTargetRef returns the Kubernetes BackendTLSPolicies that matches the provided targetRef with a SectionName, if possible. A BackendTLSPolicy may be returned if there is a BackendTLSPolicy matching the targetRef but has no SectionName.
For example, there could be two BackendTLSPolicies matching Service "foo". One of them matches SectionName "https", but the other has no SectionName and functions as a catch-all policy for service "foo".
The namespace on the provided targetRef will be used to match the namespace on the backendTLSPolicy. If not set it is assumed to be the default namespace.
If a policy is found, true is returned.
func (*KubernetesCache) LookupCAConfigMap ¶ added in v1.28.0
func (kc *KubernetesCache) LookupCAConfigMap(name types.NamespacedName) (*Secret, error)
LookupCAConfigMap returns ConfigMap converted into dag.Secret with CA certificate from cache.
func (*KubernetesCache) LookupCASecret ¶ added in v1.24.0
func (kc *KubernetesCache) LookupCASecret(name types.NamespacedName, targetNamespace string) (*Secret, error)
LookupCASecret returns Secret with CA certificate from cache. If name (referred Secret) is in different namespace than targetNamespace (the referring object), then delegation check is performed.
func (*KubernetesCache) LookupCRLSecret ¶ added in v1.24.0
func (kc *KubernetesCache) LookupCRLSecret(name types.NamespacedName, targetNamespace string) (*Secret, error)
LookupCRLSecret returns Secret with CRL from the cache. If name (referred Secret) is in different namespace than targetNamespace (the referring object), then delegation check is performed.
func (*KubernetesCache) LookupService ¶ added in v1.9.0
func (kc *KubernetesCache) LookupService(meta types.NamespacedName, port intstr.IntOrString) (*core_v1.Service, core_v1.ServicePort, error)
LookupService returns the Kubernetes service and port matching the provided parameters, or an error if a match can't be found.
func (*KubernetesCache) LookupTLSSecret ¶ added in v1.24.0
func (kc *KubernetesCache) LookupTLSSecret(name types.NamespacedName, targetNamespace string) (*Secret, error)
LookupTLSSecret returns Secret with TLS certificate and private key from cache. If name (referred Secret) is in different namespace than targetNamespace (the referring object), then delegation check is performed.
func (*KubernetesCache) LookupTLSSecretInsecure ¶ added in v1.26.0
func (kc *KubernetesCache) LookupTLSSecretInsecure(name types.NamespacedName) (*Secret, error)
LookupTLSSecretInsecure returns Secret with TLS certificate and private key from cache. No delegation check is performed.
func (*KubernetesCache) LookupUpstreamValidation ¶ added in v1.9.0
func (kc *KubernetesCache) LookupUpstreamValidation(uv *contour_v1.UpstreamValidation, caCertificate types.NamespacedName, targetNamespace string) (*PeerValidationContext, error)
LookupUpstreamValidation constructs PeerValidationContext with CA certificate from the cache. If name (referred Secret) is in different namespace than targetNamespace (the referring object), then delegation check is performed.
func (*KubernetesCache) Remove ¶
func (kc *KubernetesCache) Remove(obj any) bool
Remove removes obj from the KubernetesCache. Remove returns a boolean indicating if the cache changed after the remove operation.
type Listener ¶ added in v0.10.0
type Listener struct { // Name is the unique name of the listener. Name string // Protocol is the listener protocol. Must be // "http" or "https". Protocol string // Address is the TCP address to listen on. // If blank 0.0.0.0, or ::/0 for IPv6, is assumed. Address string // Port is the TCP port to listen on. Port int // RouteConfigName is the Listener name component to use when // constructing RouteConfig names. If empty, the Listener // name will be used. RouteConfigName string // FallbackCertRouteConfigName is the name to use for the fallback // cert route config, if one is generated. If empty, the // Listener name will be used. FallbackCertRouteConfigName string // Store virtual hosts/secure virtual hosts in both // a slice and a map. The map makes gets more efficient // while building the DAG, but ultimately we need to // produce sorted output which requires the slice. VirtualHosts []*VirtualHost SecureVirtualHosts []*SecureVirtualHost // TCPProxy configures an L4 TCP proxy for this Listener. // This cannot be used with VirtualHosts/SecureVirtualHosts // on a given Listener. TCPProxy *TCPProxy // EnableWebsockets defines whether to enable the websocket // upgrade. EnableWebsockets bool // contains filtered or unexported fields }
A Listener represents a TCP socket that accepts incoming connections.
type ListenerProcessor ¶ added in v1.9.0
ListenerProcessor adds an HTTP and an HTTPS listener to the DAG.
func (*ListenerProcessor) Run ¶ added in v1.9.0
func (p *ListenerProcessor) Run(dag *DAG, cache *KubernetesCache)
Run adds HTTP and HTTPS listeners to the DAG.
type LocalRateLimitPolicy ¶ added in v1.12.0
type LocalRateLimitPolicy struct { MaxTokens uint32 TokensPerFill uint32 FillInterval time.Duration ResponseStatusCode uint32 ResponseHeadersToAdd map[string]string }
LocalRateLimitPolicy holds local rate limiting parameters.
type MatchCondition ¶ added in v1.7.0
type MirrorPolicy ¶ added in v1.0.0
MirrorPolicy defines the mirroring policy for a route.
type ObjectStatusWriter ¶ added in v1.0.0
type ObjectStatusWriter struct {
// contains filtered or unexported fields
}
func (*ObjectStatusWriter) SetInvalid ¶ added in v1.0.0
func (osw *ObjectStatusWriter) SetInvalid(format string, args ...any)
func (*ObjectStatusWriter) SetValid ¶ added in v1.0.0
func (osw *ObjectStatusWriter) SetValid()
func (*ObjectStatusWriter) WithObject ¶ added in v1.0.0
func (osw *ObjectStatusWriter) WithObject(obj meta_v1.Object) (_ *ObjectStatusWriter, commit func())
WithObject returns a new ObjectStatusWriter with a copy of the current ObjectStatusWriter's values, including its status if set. This is convenient if the object shares a relationship with its parent. The caller should arrange for the commit function to be called to write the final status of the object.
func (*ObjectStatusWriter) WithValue ¶ added in v1.0.0
func (osw *ObjectStatusWriter) WithValue(key, val string) *ObjectStatusWriter
type Observer ¶ added in v1.8.0
type Observer interface {
OnChange(*DAG)
}
Observer is an interface for receiving notification of DAG updates.
func ComposeObservers ¶ added in v1.8.0
ComposeObservers returns a new Observer that calls each of its arguments in turn.
type ObserverFunc ¶ added in v1.8.0
type ObserverFunc func(*DAG)
ObserverFunc is a function that implements the Observer interface by calling itself. It can be nil.
func (ObserverFunc) OnChange ¶ added in v1.8.0
func (f ObserverFunc) OnChange(d *DAG)
type PathRewritePolicy ¶ added in v1.24.0
type PathRewritePolicy struct { // Replace the part of the path matched by a prefix match // with this value. PrefixRewrite string // Replace the full path with this value. FullPathRewrite string // Replace the part of the path matched by the specified // regex with "/" (intended for removing a prefix). PrefixRegexRemove string }
PathRewritePolicy defines a policy for rewriting the path of the request during forwarding. At most one field should be populated.
type PeerValidationContext ¶ added in v1.4.0
type PeerValidationContext struct { // CACertificate holds a reference to the Secret containing the CA to be used to // verify the upstream connection. CACertificates []*Secret // SubjectNames holds optional subject names which Envoy will check against the // certificate presented by the upstream. The first entry must match the value of SubjectName SubjectNames []string // SkipClientCertValidation when set to true will ensure Envoy requests but // does not verify peer certificates. SkipClientCertValidation bool // ForwardClientCertificate adds the selected data from the passed client TLS certificate // to the x-forwarded-client-cert header. ForwardClientCertificate *ClientCertificateDetails // CRL holds a reference to the Secret containing the Certificate Revocation List. // It is used to check for revocation of the peer certificate. CRL *Secret // OnlyVerifyLeafCertCrl when set to true, only the certificate at the end of the // certificate chain will be subject to validation by CRL. OnlyVerifyLeafCertCrl bool // OptionalClientCertificate when set to true will ensure Envoy does not require // that the client sends a certificate but if one is sent it will process it. OptionalClientCertificate bool }
PeerValidationContext defines how to validate the certificate on the upstream service.
func (*PeerValidationContext) GetCACertificate ¶ added in v1.4.0
func (pvc *PeerValidationContext) GetCACertificate() []byte
GetCACertificate returns the CA certificate from PeerValidationContext.
func (*PeerValidationContext) GetCRL ¶ added in v1.22.0
func (pvc *PeerValidationContext) GetCRL() []byte
GetCRL returns the Certificate Revocation List.
func (*PeerValidationContext) GetSubjectNames ¶ added in v1.28.0
func (pvc *PeerValidationContext) GetSubjectNames() []string
GetSubjectName returns the SubjectNames from PeerValidationContext.
type PrefixMatchCondition ¶ added in v1.7.0
type PrefixMatchCondition struct { Prefix string PrefixMatchType PrefixMatchType }
PrefixMatchCondition matches the start of a URL.
func (*PrefixMatchCondition) String ¶ added in v1.7.0
func (pc *PrefixMatchCondition) String() string
type PrefixMatchType ¶ added in v1.14.0
type PrefixMatchType int
PrefixMatchType represents different types of prefix matching alternatives.
const ( // PrefixMatchString represents a prefix match that functions like a // string prefix match, i.e. prefix /foo matches /foobar PrefixMatchString PrefixMatchType = iota // PrefixMatchSegment represents a prefix match that only matches full path // segments, i.e. prefix /foo matches /foo/bar but not /foobar PrefixMatchSegment )
type Processor ¶ added in v1.9.0
type Processor interface { // Run executes the processor. Run(dag *DAG, source *KubernetesCache) }
Processor constructs part of a DAG.
type ProcessorFunc ¶ added in v1.9.0
type ProcessorFunc func(*DAG, *KubernetesCache)
ProcessorFunc adapts a function to the Processor interface.
func (ProcessorFunc) Run ¶ added in v1.9.0
func (pf ProcessorFunc) Run(dag *DAG, source *KubernetesCache)
type QueryParamMatchCondition ¶ added in v1.22.0
QueryParamMatchCondition matches querystring parameters by MatchType
func (*QueryParamMatchCondition) String ¶ added in v1.22.0
func (qc *QueryParamMatchCondition) String() string
type QueryParameterHashOptions ¶ added in v1.21.0
type QueryParameterHashOptions struct { // ParameterName is the name of the query parameter to hash. ParameterName string }
QueryParameterHashOptions contains options for hashing a request query parameter.
type RateLimitDescriptor ¶ added in v1.13.0
type RateLimitDescriptor struct {
Entries []RateLimitDescriptorEntry
}
RateLimitDescriptor is a list of rate limit descriptor entries.
type RateLimitDescriptorEntry ¶ added in v1.13.0
type RateLimitDescriptorEntry struct { GenericKey *GenericKeyDescriptorEntry HeaderMatch *HeaderMatchDescriptorEntry HeaderValueMatch *HeaderValueMatchDescriptorEntry RemoteAddress *RemoteAddressDescriptorEntry }
RateLimitDescriptorEntry is an entry in a rate limit descriptor. Exactly one field should be non-nil.
type RateLimitPerRoute ¶ added in v1.27.0
type RateLimitPerRoute struct {
VhRateLimits VhRateLimitsType
}
RateLimitPerRoute configures how the route should handle the rate limits defined by the virtual host.
type RateLimitPolicy ¶ added in v1.12.0
type RateLimitPolicy struct { Local *LocalRateLimitPolicy Global *GlobalRateLimitPolicy }
RateLimitPolicy holds rate limiting parameters.
type Redirect ¶ added in v1.20.0
type Redirect struct { // Hostname is the host name to redirect to. Hostname string // Scheme is the scheme (http or https) to // use in the redirect. Scheme string // PortNumber is the port to redirect to, // if any. PortNumber uint32 // StatusCode is the HTTP response code to // use. Valid options are 301 or 302. StatusCode int // PathRewritePolicy is the policy for rewriting // the path during redirect. PathRewritePolicy *PathRewritePolicy }
Redirect allows for a 301/302 redirect to be the response to a route request vs. routing to an envoy cluster.
type RegexMatchCondition ¶ added in v1.7.0
type RegexMatchCondition struct {
Regex string
}
RegexMatchCondition matches the URL by regular expression.
func (*RegexMatchCondition) String ¶ added in v1.7.0
func (rc *RegexMatchCondition) String() string
type RemoteAddressDescriptorEntry ¶ added in v1.15.0
type RemoteAddressDescriptorEntry struct{}
RemoteAddressDescriptorEntry configures a descriptor entry that contains the remote address (i.e. client IP).
type RemoteJWKS ¶ added in v1.23.0
type RequestHashPolicy ¶ added in v1.12.0
type RequestHashPolicy struct { // Terminal determines if the request attribute is present, hash // calculation should stop with this element. Terminal bool // HeaderHashOptions is set when a header hash is desired. HeaderHashOptions *HeaderHashOptions // CookieHashOptions is set when a cookie hash is desired. CookieHashOptions *CookieHashOptions // HashSourceIP is set to true when source ip hashing is desired. HashSourceIP bool // QueryParameterHashOptions is set when a query parameter hash is desired. QueryParameterHashOptions *QueryParameterHashOptions }
RequestHashPolicy holds configuration for calculating hashes on an individual request attribute.
type RetryPolicy ¶ added in v1.0.0
type RetryPolicy struct { // RetryOn specifies the conditions under which retry takes place. // If empty, retries will not be performed. RetryOn string // RetriableStatusCodes specifies the HTTP status codes under which retry takes place. RetriableStatusCodes []uint32 // NumRetries specifies the allowed number of retries. // Ignored if RetryOn is blank, or defaults to 1 if RetryOn is set. NumRetries uint32 // PerTryTimeout specifies the timeout per retry attempt. // Ignored if RetryOn is blank. PerTryTimeout timeout.Setting }
RetryPolicy defines the retry / number / timeout options
type Route ¶
type Route struct { // PathMatchCondition specifies a MatchCondition to match on the request path. // Must not be nil. PathMatchCondition MatchCondition // HeaderMatchConditions specifies a set of additional Conditions to // match on the request headers. HeaderMatchConditions []HeaderMatchCondition // QueryParamMatchConditions specifies a set of additional Conditions to // match on the querystring parameters. QueryParamMatchConditions []QueryParamMatchCondition // Priority specifies the relative priority of the Route when compared to other // Routes that may have equivalent match conditions. A lower value here means the // Route has a higher priority. Priority uint8 Clusters []*Cluster // Should this route generate a 301 upgrade if accessed // over HTTP? HTTPSUpgrade bool // AuthDisabled is set if authorization should be disabled // for this route. If authorization is disabled, the AuthContext // field has no effect. AuthDisabled bool // AuthContext sets the authorization context (if authorization is enabled). AuthContext map[string]string // Is this a websocket route? // TODO(dfc) this should go on the service Websocket bool // TimeoutPolicy defines the timeout request/idle TimeoutPolicy RouteTimeoutPolicy // RetryPolicy defines the retry / number / timeout options for a route RetryPolicy *RetryPolicy // Indicates that during forwarding, the matched prefix (or path) should be swapped with this value PathRewritePolicy *PathRewritePolicy // MirrorPolicies is a list defining the mirroring policies for this Route. MirrorPolicies []*MirrorPolicy // RequestHeadersPolicy defines how headers are managed during forwarding RequestHeadersPolicy *HeadersPolicy // ResponseHeadersPolicy defines how headers are managed during forwarding ResponseHeadersPolicy *HeadersPolicy // CookieRewritePolicies is a list of policies that define how HTTP Set-Cookie // headers should be rewritten for responses on this route. CookieRewritePolicies []CookieRewritePolicy // RateLimitPolicy defines if/how requests for the route are rate limited. RateLimitPolicy *RateLimitPolicy // RateLimitPerRoute defines how the route should handle rate limits defined by the virtual host. RateLimitPerRoute *RateLimitPerRoute // RequestHashPolicies is a list of policies for configuring hashes on // request attributes. RequestHashPolicies []RequestHashPolicy // DirectResponse allows for a specific HTTP status code // to be the response to a route request vs routing to // an envoy cluster. DirectResponse *DirectResponse // Redirect allows for a 301 Redirect to be the response // to a route request vs. routing to an envoy cluster. Redirect *Redirect // JWTProvider names a JWT provider defined on the virtual // host to be used to validate JWTs on requests to this route. JWTProvider string // InternalRedirectPolicy defines if envoy should handle redirect // response internally instead of sending it downstream. InternalRedirectPolicy *InternalRedirectPolicy // IPFilterAllow determines how the IPFilterRules should be applied. // If true, traffic is allowed only if it matches a rule. // If false, traffic is allowed only if it doesn't match any rule. IPFilterAllow bool // IPFilterRules is a list of ipv4/6 filter rules for which matching // requests should be filtered. The behavior of the filters is governed // by IPFilterAllow. IPFilterRules []IPFilterRule // Metadata fields that can be used for access logging. Kind string Namespace string Name string }
Route defines the properties of a route to a Cluster.
func (*Route) HasPathExact ¶ added in v1.25.0
HasPathExact returns whether this route has a ExactPathCondition.
func (*Route) HasPathPrefix ¶ added in v1.1.0
HasPathPrefix returns whether this route has a PrefixPathCondition.
func (*Route) HasPathRegex ¶ added in v1.1.0
HasPathRegex returns whether this route has a RegexPathCondition.
type RouteTimeoutPolicy ¶ added in v1.21.0
type RouteTimeoutPolicy struct { // ResponseTimeout is the timeout applied to the response // from the backend server. ResponseTimeout timeout.Setting // IdleStreamTimeout is the timeout applied to idle connection during single request-response. // Stream is HTTP/2 and HTTP/3 concept, for HTTP/1 it refers to single request-response within connection. IdleStreamTimeout timeout.Setting }
RouteTimeoutPolicy defines the timeout policy for a route.
type Secret ¶
type Secret struct { Object *core_v1.Secret ValidTLSSecret *SecretValidationStatus ValidCASecret *SecretValidationStatus ValidCRLSecret *SecretValidationStatus }
Secret represents a K8s Secret for TLS usage as a DAG Vertex. A Secret is a leaf in the DAG.
func (*Secret) PrivateKey ¶ added in v1.0.0
PrivateKey returns the secret's tls private key
type SecretValidationStatus ¶ added in v1.24.0
type SecretValidationStatus struct {
Error error
}
type SecureVirtualHost ¶
type SecureVirtualHost struct { VirtualHost // TLS minimum protocol version. Defaults to envoy_transport_socket_tls_v3.TlsParameters_TLS_AUTO MinTLSVersion string // TLS maximum protocol version. Defaults to envoy_transport_socket_tls_v3.TlsParameters_TLSv1_3 MaxTLSVersion string // The cert and key for this host. Secret *Secret // FallbackCertificate FallbackCertificate *Secret // Service to TCP proxy all incoming connections. *TCPProxy // DownstreamValidation defines how to verify the client's certificate. DownstreamValidation *PeerValidationContext // ExternalAuthorization contains the configuration for enabling // the ExtAuthz filter. ExternalAuthorization *ExternalAuthorization // JWTProviders specify how to verify JWTs. JWTProviders []JWTProvider }
A SecureVirtualHost represents a HTTP host protected by TLS.
func (*SecureVirtualHost) Valid ¶ added in v1.0.0
func (s *SecureVirtualHost) Valid() bool
type Service ¶
type Service struct { Weighted WeightedService // Protocol is the layer 7 protocol of this service // One of "", "h2", "h2c", or "tls". Protocol string // Max connections is maximum number of connections // that Envoy will make to the upstream cluster. MaxConnections uint32 // MaxPendingRequests is maximum number of pending // requests that Envoy will allow to the upstream cluster. MaxPendingRequests uint32 // MaxRequests is the maximum number of parallel requests that // Envoy will make to the upstream cluster. MaxRequests uint32 // MaxRetries is the maximum number of parallel retries that // Envoy will allow to the upstream cluster. MaxRetries uint32 // PerHostMaxConnections is the maximum number of connections // that Envoy will allow to each individual host in a cluster. PerHostMaxConnections uint32 // ExternalName is an optional field referencing a dns entry for Service type "ExternalName" ExternalName string }
Service represents a single Kubernetes' Service's Port.
type ServiceCluster ¶ added in v1.9.0
type ServiceCluster struct { // ClusterName is a globally unique name for this ServiceCluster. // It is eventually used as the Envoy ClusterLoadAssignment // name, and must not be empty. ClusterName string // Services are the load balancing targets. This slice must not be empty. Services []WeightedService }
ServiceCluster capture the set of Kubernetes Services that will compose the endpoints for a Envoy cluster. Traffic is balanced across the Service slice based on the weight of the elements.
func (*ServiceCluster) AddService ¶ added in v1.9.0
func (s *ServiceCluster) AddService(name types.NamespacedName, port core_v1.ServicePort)
AddService adds the given service with a default weight of 1.
func (*ServiceCluster) AddWeightedService ¶ added in v1.9.0
func (s *ServiceCluster) AddWeightedService(weight uint32, name types.NamespacedName, port core_v1.ServicePort)
AddWeightedService adds the given service with the given weight.
func (*ServiceCluster) DeepCopy ¶ added in v1.9.0
func (s *ServiceCluster) DeepCopy() *ServiceCluster
DeepCopy performs a deep copy of ServiceClusters TODO(jpeach): apply deepcopy-gen to DAG objects.
func (*ServiceCluster) Rebalance ¶ added in v1.9.0
func (s *ServiceCluster) Rebalance()
Rebalance rewrites the weights for the service cluster so that if no weights are specifies, the traffic is evenly distributed. This matches the behavior of weighted routes. Note that this is a destructive operation.
func (*ServiceCluster) Validate ¶ added in v1.9.0
func (s *ServiceCluster) Validate() error
Validate checks whether this ServiceCluster satisfies its semantic invariants.
type SlowStartConfig ¶ added in v1.23.0
SlowStartConfig holds configuration for gradually increasing amount of traffic to a newly added endpoint.
func (*SlowStartConfig) String ¶ added in v1.23.0
func (s *SlowStartConfig) String() string
type StatusWriter ¶ added in v1.0.0
type StatusWriter struct {
// contains filtered or unexported fields
}
func (*StatusWriter) WithObject ¶ added in v1.0.0
func (sw *StatusWriter) WithObject(obj meta_v1.Object) (_ *ObjectStatusWriter, commit func())
WithObject returns an ObjectStatusWriter that can be used to set the state of the object. The state can be set as many times as necessary. The state of the object can be made permanent by calling the commit function returned from WithObject. The caller should pass the ObjectStatusWriter to functions interested in writing status, but keep the commit function for itself. The commit function should be either called via a defer, or directly if statuses are being set in a loop (as defers will not fire until the end of the function).
type TCPHealthCheckPolicy ¶ added in v1.2.0
type TCPHealthCheckPolicy struct { Interval time.Duration Timeout time.Duration UnhealthyThreshold uint32 HealthyThreshold uint32 }
TCPHealthCheckPolicy tcp health check policy
type TCPProxy ¶ added in v0.8.0
type TCPProxy struct { // Clusters is the, possibly weighted, set // of upstream services to forward decrypted traffic. Clusters []*Cluster }
TCPProxy represents a cluster of TCP endpoints.
type UpstreamTLS ¶ added in v1.28.0
type UpstreamTLS struct { MinimumProtocolVersion string MaximumProtocolVersion string CipherSuites []string }
UpstreamTLS holds the TLS configuration for upstream connections
type VhRateLimitsType ¶ added in v1.27.0
type VhRateLimitsType int
const ( // VhRateLimitsOverride (Default) will use the virtual host rate limits unless the route has a rate limit policy. VhRateLimitsOverride VhRateLimitsType = iota // VhRateLimitsInclude will use the virtual host rate limits even if the route has a rate limit policy. VhRateLimitsInclude // VhRateLimitsIgnore will ignore the virtual host rate limits even if the route does not have a rate limit policy. VhRateLimitsIgnore )
type VirtualHost ¶
type VirtualHost struct { // Name is the fully qualified domain name of a network host, // as defined by RFC 3986. Name string // CORSPolicy is the cross-origin policy to apply to the VirtualHost. CORSPolicy *CORSPolicy // RateLimitPolicy defines if/how requests for the virtual host // are rate limited. RateLimitPolicy *RateLimitPolicy // IPFilterAllow determines how the IPFilterRules should be applied. // If true, traffic is allowed only if it matches a rule. // If false, traffic is allowed only if it doesn't match any rule. IPFilterAllow bool // IPFilterRules is a list of ipv4/6 filter rules for which matching // requests should be filtered. The behavior of the filters is governed // by IPFilterAllow. IPFilterRules []IPFilterRule Routes map[string]*Route }
A VirtualHost represents a named L4/L7 service.
func (*VirtualHost) AddRoute ¶ added in v1.21.0
func (v *VirtualHost) AddRoute(route *Route)
Add route to VirtualHosts.Routes map.
func (*VirtualHost) HasConflictRoute ¶ added in v1.29.0
func (v *VirtualHost) HasConflictRoute(route *Route) bool
HasConflictRoute returns true if there is existing Path + Headers + QueryParams combination match this route candidate and also they are same kind of Route.
func (*VirtualHost) Valid ¶ added in v1.0.0
func (v *VirtualHost) Valid() bool
type WeightedService ¶ added in v1.9.0
type WeightedService struct { // Weight is the integral load balancing weight. Weight uint32 // ServiceName is the core_v1.Service name. ServiceName string // ServiceNamespace is the core_v1.Service namespace. ServiceNamespace string // ServicePort is the port to which we forward traffic. ServicePort core_v1.ServicePort // HealthPort is the port for healthcheck. HealthPort core_v1.ServicePort }
WeightedService represents the load balancing weight of a particular core_v1.Weighted port.