From 39d0717824b6be625128abd9b4be45d95bb313a5 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 28 Sep 2023 17:33:37 +0800 Subject: [PATCH 01/31] init commit for extProc Signed-off-by: gang.liu --- apis/projectcontour/v1/detailedconditions.go | 3 + apis/projectcontour/v1/helpers.go | 25 +- apis/projectcontour/v1/httpproxy.go | 163 ++++++++++++ apis/projectcontour/v1alpha1/contourconfig.go | 5 + cmd/contour/serve.go | 34 +++ cmd/contour/servecontext.go | 23 ++ go.mod | 2 +- internal/dag/accessors.go | 1 + internal/dag/dag.go | 151 ++++++++++++ internal/dag/extension_processor.go | 1 + internal/dag/httpproxy_processor.go | 231 ++++++++++++++++-- internal/dag/httpproxy_processor_test.go | 4 +- internal/dag/policy.go | 8 +- internal/envoy/v3/cluster.go | 9 +- internal/envoy/v3/listener.go | 42 +++- internal/envoy/v3/route.go | 43 +++- internal/featuretests/v3/envoy.go | 23 ++ internal/fixture/httpproxy.go | 6 + internal/status/cache.go | 1 + internal/xdscache/v3/cluster.go | 3 +- internal/xdscache/v3/listener.go | 51 +++- internal/xdscache/v3/listener_test.go | 16 +- pkg/config/parameters.go | 37 +++ .../content/resources/compatibility-matrix.md | 1 + test/e2e/deployment.go | 3 + 25 files changed, 829 insertions(+), 57 deletions(-) diff --git a/apis/projectcontour/v1/detailedconditions.go b/apis/projectcontour/v1/detailedconditions.go index d7ac6e13856..65301d610b5 100644 --- a/apis/projectcontour/v1/detailedconditions.go +++ b/apis/projectcontour/v1/detailedconditions.go @@ -197,4 +197,7 @@ const ( // ConditionTypeListenerError describes an error condition relating // to the configuration of Listeners. ConditionTypeListenerError = "ListenerError" + + // ConditionTypeExtProcError describes an error condition related to external processing. + ConditionTypeExtProcError = "ExtProcError" ) diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index 409e6beda18..c24c1b92237 100644 --- a/apis/projectcontour/v1/helpers.go 
+++ b/apis/projectcontour/v1/helpers.go @@ -24,19 +24,18 @@ func (v *VirtualHost) AuthorizationConfigured() bool { } // DisableAuthorization returns true if this virtual host disables -// authorization. If an authorization server is present, the default +// authorization. If an authorization server is (un)present, the default // policy is to not disable. func (v *VirtualHost) DisableAuthorization() bool { - // No authorization, so it is disabled. if v.AuthorizationConfigured() { // No policy specified, default is to not disable. if v.Authorization.AuthPolicy == nil { return false } - return v.Authorization.AuthPolicy.Disabled } + // No authorization, so it is not disable. return false } @@ -51,6 +50,26 @@ func (v *VirtualHost) AuthorizationContext() map[string]string { return nil } +// ExtProcConfigured returns whether external processing are +// configured on this virtual host. +func (v *VirtualHost) ExtProcConfigured() bool { + return v.ExternalProcessor != nil +} + +// DisableExtProc returns true if this virtual host disables +// external processing. If an external processor is present, the default +// policy is to not disable. +func (v *VirtualHost) DisableExtProc() bool { + // No external processor(s), so it is disabled. + if v.ExtProcConfigured() { + if v.ExternalProcessor.ExtProcPolicy == nil { + return false + } + return v.ExternalProcessor.ExtProcPolicy.Disabled + } + return false +} + // GetPrefixReplacements returns replacement prefixes from the path // rewrite policy (if any). func (r *Route) GetPrefixReplacements() []ReplacePrefix { diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index db77734597f..3de1b19fbc2 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go 
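Review bot: The comment added inside DisableExtProc, `// No external processor(s), so it is disabled.`, sits above the `if v.ExtProcConfigured()` branch and states the opposite of what the function returns: with no processor configured the function returns false, i.e. processing is not disabled. Move it beside the final `return false` and invert it, e.g. `// No external processor configured, so there is nothing to disable.`. The doc edit in DisableAuthorization, `If an authorization server is (un)present`, is also less clear than the original `is present`, and the new `// No authorization, so it is not disable.` should read `not disabled`.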
@@ -291,6 +291,158 @@ type AuthorizationPolicy struct { Context map[string]string `json:"context,omitempty"` } +// Control how headers and trailers are handled +type HeaderSendMode int32 + +const ( + // The default HeaderSendMode depends on which part of the message is being + // processed. By default, request and response headers are sent, + // while trailers are skipped. + ProcessingMode_DEFAULT HeaderSendMode = 0 + // Send the header or trailer. + ProcessingMode_SEND HeaderSendMode = 1 + // Do not send the header or trailer. + ProcessingMode_SKIP HeaderSendMode = 2 +) + +// Control how the request and response bodies are handled +type BodySendMode int32 + +const ( + // Do not send the body at all. This is the default. + ProcessingMode_NONE BodySendMode = 0 + // Stream the body to the server in pieces as they arrive at the + // proxy. + ProcessingMode_STREAMED BodySendMode = 1 + // Buffer the message body in memory and send the entire body at once. + // If the body exceeds the configured buffer limit, then the + // downstream system will receive an error. + ProcessingMode_BUFFERED BodySendMode = 2 + // Buffer the message body in memory and send the entire body in one + // chunk. If the body exceeds the configured buffer limit, then the body contents + // up to the buffer limit will be sent. + ProcessingMode_BUFFERED_PARTIAL BodySendMode = 3 +) + +type HeaderMutationRules struct { + // By default, certain headers that could affect processing of subsequent + // filters or request routing cannot be modified. These headers are + // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter + // to true allows these headers to be modified as well. + AllowAllRouting bool + // If true, allow modification of envoy internal headers. By default, these + // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` + // configuration. Default is false. 
+ AllowEnvoy bool + // If true, prevent modification of any system header, defined as a header + // that starts with a ``:`` character, regardless of any other settings. + // A processing server may still override the ``:status`` of an HTTP response + // using an ``ImmediateResponse`` message. Default is false. + DisallowSystem bool + // If true, prevent modifications of all header values, regardless of any + // other settings. A processing server may still override the ``:status`` + // of an HTTP response using an ``ImmediateResponse`` message. Default is false. + DisallowAll bool + // If true, and if the rules in this list cause a header mutation to be + // disallowed, then the filter using this configuration will terminate the + // request with a 500 error. In addition, regardless of the setting of this + // parameter, any attempt to set, add, or modify a disallowed header will + // cause the ``rejected_header_mutations`` counter to be incremented. + // Default is false. + DisallowIsError bool +} + +type ProcessingMode struct { + // How to handle the request header. Default is "SEND". + RequestHeaderMode HeaderSendMode + // How to handle the response header. Default is "SEND". + ResponseHeaderMode HeaderSendMode + // How to handle the request body. Default is "NONE". + RequestBodyMode BodySendMode + // How do handle the response body. Default is "NONE". + ResponseBodyMode BodySendMode + // How to handle the request trailers. Default is "SKIP". + RequestTrailerMode HeaderSendMode + // How to handle the response trailers. Default is "SKIP". + ResponseTrailerMode HeaderSendMode +} + +type GRPCService struct { + // ExtensionServiceRef specifies the extension resource that will authorize client requests. + // + // +optional + ExtensionServiceRef ExtensionServiceReference `json:"extensionRef,omitempty"` + + // ResponseTimeout configures maximum time to wait for a check response from the authorization server. 
+ // Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + // The string "infinity" is also a valid input and specifies no timeout. + // + // +optional + // +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$` + ResponseTimeout string `json:"responseTimeout,omitempty"` + + // If FailOpen is true, the client request is forwarded to the upstream service + // even if the authorization server fails to respond. This field should not be + // set in most cases. It is intended for use only while migrating applications + // from internal authorization to Contour external authorization. + // + // +optional + FailOpen bool `json:"failOpen,omitempty"` +} + +// The External Processing filter allows an external service to act on HTTP traffic in a flexible way +// The external server must implement the v3 Envoy +// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). +type ExtProc struct { + // + // +optional + GRPCService *GRPCService + // + // +optional + ProcessingMode *ProcessingMode + // + // +optional + MutationRules *HeaderMutationRules +} + +type ExtProcOverride struct { + // + // +optional + GRPCService *GRPCService + // + // +optional + ProcessingMode *ProcessingMode +} + +type ExternalProcessor struct { + + // + // +optional + Processors []ExtProc `json:"processors,omitempty"` + + // ExtProcPolicy sets a external processing policy. + // This policy will be used unless overridden by individual routes. + // for the default global external processor, it's must be nil + // + // +optional + ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` +} + +// ExtProcPolicy modifies how requests/responses are operated. 
+type ExtProcPolicy struct { + // When true, this field disables client request external processing + // for the scope of the policy. + // + // +optional + Disabled bool `json:"disabled,omitempty"` + + // for global external processing, it's not exists + // + // +optional + Overrides *ExtProcOverride `json:"overrides,omitempty"` +} + // VirtualHost appears at most once. If it is present, the object is considered // to be a "root". type VirtualHost struct { @@ -338,6 +490,11 @@ type VirtualHost struct { // Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. // The rules defined here may be overridden in a Route. IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"` + + // ExternalProcessor are a list of external processors which allow to act on HTTP traffic in a flexible way. + // + // +optional + ExternalProcessor *ExternalProcessor `json:"externalProcessor,omitempty"` } // JWTProvider defines how to verify JWTs on requests. @@ -593,6 +750,12 @@ type Route struct { // Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. // The rules defined here override any rules set on the root HTTPProxy. IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"` + + // ExtProcPolicy updates the external processing policy that was set + // on the root HTTPProxy object for client requests/responses that + // match this route. + // +optional + ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` } type JWTVerificationPolicy struct { diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index 5699d5e1f30..d1e25ccd23f 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go 
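Review bot: The new HeaderMutationRules, ProcessingMode, ExtProc and ExtProcOverride types carry no `json:"…"` struct tags, unlike every neighbouring API field (e.g. `ExtensionServiceRef ExtensionServiceReference `json:"extensionRef,omitempty"``), so the generated CRD schema and serialized field names will be the capitalized Go identifiers rather than the camelCase names used by the rest of this API. The GRPCService doc comments were copied from the authorization server type and still say the extension "will authorize client requests" and describe a "check response from the authorization server"; for ext_proc, FailOpen means a request is forwarded without having been processed when the processor fails to respond, which is the consequence an operator needs spelled out, e.g. `// If FailOpen is true, the request is forwarded unprocessed when the external processor fails to respond.`. The `ProcessingMode_DEFAULT`-style constants use underscores, which Go naming convention avoids (`HeaderSendModeDefault` would match the package), and the same enum and struct types are added verbatim to internal/dag/dag.go in this patch, so a single conversion point would keep the two from drifting apart.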
@@ -67,6 +67,11 @@ type ContourConfigurationSpec struct { // +optional GlobalExternalAuthorization *contour_api_v1.AuthorizationServer `json:"globalExtAuth,omitempty"` + // GlobalExternalProcessor allows envoys external processing filters + // to be enabled for all virtual hosts. + // +optional + GlobalExternalProcessor *contour_api_v1.ExternalProcessor `json:"globalExternalProcessor,omitempty"` + // RateLimitService optionally holds properties of the Rate Limit Service // to be used for global rate limiting. // +optional diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 1d9a41a713d..3f2952107ae 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -446,6 +446,10 @@ func (s *Server) doServe() error { return err } + if listenerConfig.GlobalExternalProcessorConfig, err = s.setupGlobalExternalProcessor(contourConfiguration); err != nil { + return err + } + contourMetrics := metrics.NewMetrics(s.registry) // Endpoints updates are handled directly by the EndpointsTranslator @@ -530,6 +534,7 @@ func (s *Server) doServe() error { globalRateLimitService: contourConfiguration.RateLimitService, maxRequestsPerConnection: contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection, perConnectionBufferLimitBytes: contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes, + globalExternalProcessor: contourConfiguration.GlobalExternalProcessor, }) // Build the core Kubernetes event handler. 
@@ -816,6 +821,33 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_ return globalExternalAuthConfig, nil } +func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.ContourConfigurationSpec) (*xdscache_v3.GlobalExtProcConfig, error) { + if contourCfg.GlobalExternalProcessor == nil { + return nil, nil + } + + globalExtProcCfg := &xdscache_v3.GlobalExtProcConfig{ + //Disabled: contourCfg.GlobalExternalProcessor.ProcessingPolicy.Disabled, + } + for _, ep := range contourCfg.GlobalExternalProcessor.Processors { + + // ensure the specified ExtensionService exists + extSvcCfg, err := s.getExtensionSvcConfig(ep.GRPCService.ExtensionServiceRef.Name, ep.GRPCService.ExtensionServiceRef.Namespace) + if err != nil { + return nil, err + } + + globalExtProcCfg.Processors = append(globalExtProcCfg.Processors, xdscache_v3.ExtProcConfig{ + ExtensionServiceConfig: extSvcCfg, + FailOpen: ep.GRPCService.FailOpen, + ProcessingMode: dag.ToProcessingMode(ep.ProcessingMode), + MutationRules: dag.ToMutationRules(ep.MutationRules), + }) + } + + return globalExtProcCfg, nil +} + func (s *Server) setupDebugService(debugConfig contour_api_v1alpha1.DebugConfig, builder *dag.Builder) error { debugsvc := &debug.Service{ Service: httpsvc.Service{ @@ -1063,6 +1095,7 @@ type dagBuilderConfig struct { maxRequestsPerConnection *uint32 perConnectionBufferLimitBytes *uint32 globalRateLimitService *contour_api_v1alpha1.RateLimitServiceConfig + globalExternalProcessor *contour_api_v1.ExternalProcessor } func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { @@ -1155,6 +1188,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { GlobalRateLimitService: dbc.globalRateLimitService, PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes, SetSourceMetadataOnRoutes: true, + GlobalExternalProcessor: dbc.globalExternalProcessor, }, } 
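Review bot: setupGlobalExternalProcessor dereferences `ep.GRPCService`, `ep.ProcessingMode` and `ep.MutationRules` for every processor although all three are `+optional` pointers on the API type, so a configuration that omits any of them panics the controller at startup instead of returning an error; guard the reference, e.g. `if ep.GRPCService == nil { return nil, fmt.Errorf("globalExternalProcessor.processors[%d]: grpcService is required", i) }`, and have the ToProcessingMode/ToMutationRules helpers return nil for nil input. The `contourCfg.GlobalExternalProcessor == nil` early return also looks unreachable on the config-file path, because servecontext.go in this patch always assigns a non-nil `&contour_api_v1.ExternalProcessor{}`, so a GlobalExtProcConfig with zero processors is produced even when the feature is not configured — confirm that the listener code treats that as disabled. The commented-out `//Disabled:` field should be removed or turned into a TODO that says what is pending.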
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go index 629ef75280f..189ae246757 100644 --- a/cmd/contour/servecontext.go +++ b/cmd/contour/servecontext.go @@ -460,6 +460,28 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha } } + globalExtProc := &contour_api_v1.ExternalProcessor{} + if ctx.Config.GlobalExternalProcessor != nil { + for _, ep := range ctx.Config.GlobalExternalProcessor.Processors { + nsedName := k8s.NamespacedNameFrom(ep.ExtensionService) + extProc := contour_api_v1.ExtProc{ + GRPCService: &contour_api_v1.GRPCService{ + ExtensionServiceRef: contour_api_v1.ExtensionServiceReference{ + Name: nsedName.Name, + Namespace: nsedName.Namespace, + }, + ResponseTimeout: ctx.Config.GlobalExternalAuthorization.ResponseTimeout, + FailOpen: ctx.Config.GlobalExternalAuthorization.FailOpen, + }, + } + globalExtProc.Processors = append(globalExtProc.Processors, extProc) + } + + // globalExtProc.ProcessingPolicy = &contour_api_v1.ExternalProcessingPolicy{ + // Disabled: ctx.Config.GlobalExternalProcessor.ProcessingPolicy.Disabled, + // } + + } policy := &contour_api_v1alpha1.PolicyConfig{ RequestHeadersPolicy: &contour_api_v1alpha1.HeadersPolicy{ Set: ctx.Config.Policy.RequestHeadersPolicy.Set, @@ -584,6 +606,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha }, EnableExternalNameService: &ctx.Config.EnableExternalNameService, GlobalExternalAuthorization: globalExtAuth, + GlobalExternalProcessor: globalExtProc, RateLimitService: rateLimitService, Policy: policy, Metrics: &contourMetrics, diff --git a/go.mod b/go.mod index 2bfbd6d6b4a..c882fe79ae1 100644 --- a/go.mod +++ b/go.mod @@ -12,6 +12,7 @@ require ( github.com/davecgh/go-spew v1.1.1 github.com/envoyproxy/go-control-plane v0.11.1 github.com/go-logr/logr v1.2.4 + github.com/golang/protobuf v1.5.3 github.com/google/go-cmp v0.5.9 github.com/google/go-github/v48 v48.2.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 
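Review bot: The per-processor `ResponseTimeout` and `FailOpen` are read from `ctx.Config.GlobalExternalAuthorization` instead of from the external-processor entry `ep`, so the ext_proc filter silently inherits the authorization server's fail-open setting and timeout, and the loop nil-dereferences when GlobalExternalAuthorization is unset while GlobalExternalProcessor is set. Take both values from the processor entry; its field names live in pkg/config/parameters.go, which this chunk does not show, so the lines would be of the form `ResponseTimeout: ep.<RESPONSE_TIMEOUT_FIELD>, FailOpen: ep.<FAIL_OPEN_FIELD>` (placeholders). `globalExtProc` is also assigned to the spec unconditionally, so `GlobalExternalProcessor` is never nil even when the config block is absent; leaving it nil in that case keeps the `p.GlobalExternalProcessor != nil` checks in the DAG processor meaningful. The commented-out ProcessingPolicy block should be removed or replaced by a TODO.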
@@ -74,7 +75,6 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect diff --git a/internal/dag/accessors.go b/internal/dag/accessors.go index 8883a1d6ff1..66a8304b6d7 100644 --- a/internal/dag/accessors.go +++ b/internal/dag/accessors.go @@ -20,6 +20,7 @@ import ( "github.com/projectcontour/contour/internal/annotation" "github.com/projectcontour/contour/internal/xds" + v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 09918e17b21..1fd00d17a21 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -24,8 +24,11 @@ import ( "strings" "time" + "github.com/golang/protobuf/ptypes/duration" "github.com/projectcontour/contour/internal/status" "github.com/projectcontour/contour/internal/timeout" + + envoy_config_filter_http_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) @@ -366,6 +369,13 @@ type Route struct { // by IPFilterAllow. IPFilterRules []IPFilterRule + // ExtProcDisabled disable the filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + // + // TODO: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#envoy-v3-api-msg-extensions-filters-http-ext-proc-v3-extprocoverrides + ExtProcDisabled bool + ExtProcOverrides *ExtProcOverrides + // Metadata fields that can be used for access logging. Kind string Namespace string 
@@ -766,6 +776,10 @@ type SecureVirtualHost struct { // the ExtAuthz filter. ExternalAuthorization *ExternalAuthorization + // ExtProcs contains the configurations for enabling + // the ExtProc filters. + ExtProcs []ExternalProcessor + // JWTProviders specify how to verify JWTs. JWTProviders []JWTProvider } @@ -834,6 +848,31 @@ type ExternalAuthorization struct { AuthorizationServerWithRequestBody *AuthorizationServerBufferSettings } +type ExternalProcessor struct { + // ExtProcService points to the extension that client + // requests are forwarded to for external processing. If nil, no + // external processing is enabled for this host. + ExtProcService *ExtensionCluster + + // ResponseTimeout sets how long the proxy should wait + // for extenal processor responses. + // This is the timeout for a specific request. + ResponseTimeout timeout.Setting + + // FailOpen sets whether authorization server + // failures should cause the client request to also fail. The + // only reason to set this to `true` is when you are migrating + // from internal to external authorization. + FailOpen bool + + // Specifies default options for how HTTP headers, trailers, and bodies are sent. + ProcessingMode *ProcessingMode + + // Rules that determine what modifications an external processing server may + // make to message headers. + MutationRules *HeaderMutationRules +} + // AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client // request data and send it as part of authorization request type AuthorizationServerBufferSettings struct { 
@@ -1235,3 +1274,115 @@ type SlowStartConfig struct { func (s *SlowStartConfig) String() string { return fmt.Sprintf("%s%f%d", s.Window.String(), s.Aggression, s.MinWeightPercent) } + +// Control how headers and trailers are handled +type HeaderSendMode int32 + +const ( + // The default HeaderSendMode depends on which part of the message is being + // processed. By default, request and response headers are sent, + // while trailers are skipped. + ProcessingMode_DEFAULT HeaderSendMode = 0 + // Send the header or trailer. + ProcessingMode_SEND HeaderSendMode = 1 + // Do not send the header or trailer. + ProcessingMode_SKIP HeaderSendMode = 2 +) + +// Control how the request and response bodies are handled +type BodySendMode int32 + +const ( + // Do not send the body at all. This is the default. + ProcessingMode_NONE BodySendMode = 0 + // Stream the body to the server in pieces as they arrive at the + // proxy. + ProcessingMode_STREAMED BodySendMode = 1 + // Buffer the message body in memory and send the entire body at once. + // If the body exceeds the configured buffer limit, then the + // downstream system will receive an error. + ProcessingMode_BUFFERED BodySendMode = 2 + // Buffer the message body in memory and send the entire body in one + // chunk. If the body exceeds the configured buffer limit, then the body contents + // up to the buffer limit will be sent. + ProcessingMode_BUFFERED_PARTIAL BodySendMode = 3 +) + +// TODO: lewgun +type GrpcService struct { + + // The timeout for the gRPC request. This is the timeout for a specific + // request. + Timeout *duration.Duration + + // Additional metadata to include in streams initiated to the GrpcService. This can be used for + // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to + // be injected. For more information, including details on header value syntax, see the + // documentation on :ref:`custom request headers + // `. 
+ InitialMetadata []*HeaderValue +} + +// Overrides that may be set on a per-route basis +type ExtProcOverrides struct { + // Set a different processing mode for this route than the default. + ProcessingMode *ProcessingMode + // Set a different gRPC service for this route than the default. + GrpcService *GrpcService +} + +type ProcessingMode struct { + // How to handle the request header. Default is "SEND". + RequestHeaderMode HeaderSendMode + // How to handle the response header. Default is "SEND". + ResponseHeaderMode HeaderSendMode + // How to handle the request body. Default is "NONE". + RequestBodyMode BodySendMode + // How do handle the response body. Default is "NONE". + ResponseBodyMode BodySendMode + // How to handle the request trailers. Default is "SKIP". + RequestTrailerMode HeaderSendMode + // How to handle the response trailers. Default is "SKIP". + ResponseTrailerMode HeaderSendMode +} + +type HeaderMutationRules struct { + // By default, certain headers that could affect processing of subsequent + // filters or request routing cannot be modified. These headers are + // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter + // to true allows these headers to be modified as well. + AllowAllRouting bool + // If true, allow modification of envoy internal headers. By default, these + // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` + // configuration. Default is false. + AllowEnvoy bool + // If true, prevent modification of any system header, defined as a header + // that starts with a ``:`` character, regardless of any other settings. + // A processing server may still override the ``:status`` of an HTTP response + // using an ``ImmediateResponse`` message. Default is false. + DisallowSystem bool + // If true, prevent modifications of all header values, regardless of any + // other settings. 
A processing server may still override the ``:status`` + // of an HTTP response using an ``ImmediateResponse`` message. Default is false. + DisallowAll bool + // If true, and if the rules in this list cause a header mutation to be + // disallowed, then the filter using this configuration will terminate the + // request with a 500 error. In addition, regardless of the setting of this + // parameter, any attempt to set, add, or modify a disallowed header will + // cause the ``rejected_header_mutations`` counter to be incremented. + // Default is false. + DisallowIsError bool +} + +func MakeProcessMode(mode *ProcessingMode) *envoy_config_filter_http_ext_proc_v3.ProcessingMode { + return &envoy_config_filter_http_ext_proc_v3.ProcessingMode{ + RequestHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestHeaderMode), + ResponseHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseHeaderMode), + + RequestBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.RequestBodyMode), + ResponseBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.ResponseBodyMode), + + RequestTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestTrailerMode), + ResponseTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseTrailerMode), + } +} diff --git a/internal/dag/extension_processor.go b/internal/dag/extension_processor.go index f8ae3df1abd..b48ec478534 100644 --- a/internal/dag/extension_processor.go +++ b/internal/dag/extension_processor.go @@ -23,6 +23,7 @@ import ( "github.com/projectcontour/contour/internal/k8s" "github.com/projectcontour/contour/internal/status" "github.com/projectcontour/contour/internal/xds" + "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" 
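Review bot: MakeProcessMode dereferences `mode` unconditionally, but every ProcessingMode that can reach it originates from an `+optional` pointer (ExtProc.ProcessingMode, ExtProcOverrides.ProcessingMode), so a proxy or config that omits it panics the controller; add `if mode == nil { return nil }` at the top so callers can fall back to Envoy's defaults (the callers are outside this chunk, so confirm they accept a nil mode). The `ExternalProcessor.FailOpen` comment is copied from the authorization type and talks about authorization-server failures and migration; for ext_proc it should state that a request is forwarded unprocessed when the processor is unavailable, since that is the behaviour an operator opts into. `GrpcService.Timeout` uses the deprecated `github.com/golang/protobuf/ptypes/duration` package, which this patch also promotes to a direct dependency in go.mod; `google.golang.org/protobuf/types/known/durationpb` is the supported equivalent. HeaderSendMode, BodySendMode, ProcessingMode and HeaderMutationRules are exact duplicates of the types added to apis/projectcontour/v1/httpproxy.go in this same patch.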
diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index e2b2ddbfa1c..bef5fbd86c0 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -31,6 +31,7 @@ import ( "github.com/projectcontour/contour/internal/k8s" "github.com/projectcontour/contour/internal/status" "github.com/projectcontour/contour/internal/timeout" + "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" ) @@ -42,12 +43,34 @@ const defaultMaxRequestBytes uint32 = 1024 func defaultExtensionRef(ref contour_api_v1.ExtensionServiceReference) contour_api_v1.ExtensionServiceReference { if ref.APIVersion == "" { ref.APIVersion = contour_api_v1alpha1.GroupVersion.String() - } return ref } +func ToProcessingMode(pm *contour_api_v1.ProcessingMode) *ProcessingMode { + return &ProcessingMode{ + RequestHeaderMode: HeaderSendMode(pm.RequestHeaderMode), + ResponseHeaderMode: HeaderSendMode(pm.ResponseHeaderMode), + + RequestBodyMode: BodySendMode(pm.RequestBodyMode), + ResponseBodyMode: BodySendMode(pm.ResponseBodyMode), + + RequestTrailerMode: HeaderSendMode(pm.RequestTrailerMode), + ResponseTrailerMode: HeaderSendMode(pm.ResponseTrailerMode), + } +} + +func ToMutationRules(rule *contour_api_v1.HeaderMutationRules) *HeaderMutationRules { + return &HeaderMutationRules{ + AllowAllRouting: rule.AllowAllRouting, + AllowEnvoy: rule.AllowEnvoy, + DisallowSystem: rule.DisallowSystem, + DisallowAll: rule.DisallowAll, + DisallowIsError: rule.DisallowIsError, + } +} + // HTTPProxyProcessor translates HTTPProxies into DAG // objects and adds them to the DAG. type HTTPProxyProcessor struct { 
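Review bot: ToProcessingMode and ToMutationRules dereference `pm` and `rule` without a nil check even though both are converted from `+optional` pointer fields; the same unguarded dereferences appear in this file at computeHTTPProxy's `ep.GRPCService.ExtensionServiceRef.Name` (hunk @@ -195) and in toExtProcOverrides (hunk @@ -1088), which computeRoutes (hunk @@ -862) calls with `route.ExtProcPolicy.Overrides` that may itself be nil. HTTPProxy objects are user-supplied, so an object that omits any of these optional fields stops the whole controller with a nil-pointer panic instead of producing a status condition on that one proxy. Start each helper with `if pm == nil { return nil }` (likewise for `rule` and `override`), and in computeHTTPProxy test `ep.GRPCService != nil &&` before reading the reference; callers must then treat a nil result as "use Envoy defaults", which the listener and route code outside this chunk should be checked for.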
@@ -112,6 +135,9 @@ type HTTPProxyProcessor struct { // configurable and off by default in order to support the feature // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool + + // GlobalExternalProcessor defines how requests/responses will be operatred + GlobalExternalProcessor *contour_api_v1.ExternalProcessor } // Run translates HTTPProxies into DAG objects and @@ -195,6 +221,17 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) { return } + if proxy.Spec.VirtualHost.TLS == nil && proxy.Spec.VirtualHost.ExternalProcessor != nil { + for _, ep := range proxy.Spec.VirtualHost.ExternalProcessor.Processors { + if len(ep.GRPCService.ExtensionServiceRef.Name) > 0 { + validCond.AddError(contour_api_v1.ConditionTypeExtProcError, "ExtProcNotPermitted", + "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS") + return + } + } + + } + if len(proxy.Spec.VirtualHost.IPAllowFilterPolicy) > 0 && len(proxy.Spec.VirtualHost.IPDenyFilterPolicy) > 0 { validCond.AddError(contour_api_v1.ConditionTypeIPFilterError, "IncompatibleIPAddressFilters", "Spec.VirtualHost.IPAllowFilterPolicy and Spec.VirtualHost.IPDepnyFilterPolicy cannot both be defined.") @@ -282,6 +319,13 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) { return } + // same as above + if tls.EnableFallbackCertificate && proxy.Spec.VirtualHost.ExtProcConfigured() { + validCond.AddError(contour_api_v1.ConditionTypeTLSError, "TLSIncompatibleFeatures", + "Spec.Virtualhost.TLS fallback & external processing are incompatible") + return + } + // If FallbackCertificate is enabled, but no cert passed, set error if tls.EnableFallbackCertificate { if p.FallbackCertificate == nil { 
@@ -363,6 +407,10 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) { return } + if !p.computeSecureVirtualHostExtProc(validCond, proxy, svhost) { + return + } + providerNames := sets.NewString() for _, jwtProvider := range proxy.Spec.VirtualHost.JWTProviders { if providerNames.Has(jwtProvider.Name) { @@ -534,7 +582,11 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) { } if p.GlobalExternalAuthorization != nil && !proxy.Spec.VirtualHost.DisableAuthorization() { - p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, proxy) + _ = p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, proxy) + } + + if p.GlobalExternalProcessor != nil && !proxy.Spec.VirtualHost.DisableExtProc() { + _ = p.computeVirtualHostExtProcs(p.GlobalExternalProcessor, validCond, proxy) } insecure.IPFilterAllow, insecure.IPFilterRules, err = toIPFilterRules(proxy.Spec.VirtualHost.IPAllowFilterPolicy, proxy.Spec.VirtualHost.IPDenyFilterPolicy, validCond) @@ -740,6 +792,11 @@ func (p *HTTPProxyProcessor) computeRoutes( return nil } + if err := routeExtProcValid(route.ExtProcPolicy); err != nil { + validCond.AddError(contour_api_v1.ConditionTypeRouteError, "RouteExtProcNotValid", err.Error()) + return nil + } + if err := pathMatchConditionsValid(route.Conditions); err != nil { validCond.AddErrorf(contour_api_v1.ConditionTypeRouteError, "PathMatchConditionsNotValid", "route: %s", err) 
@@ -862,6 +919,27 @@ func (p *HTTPProxyProcessor) computeRoutes( } } + // If the enclosing root proxy enabled external processing, + // enable it on the route and propagate defaults + // downwards. + if rootProxy.Spec.VirtualHost.ExtProcConfigured() || p.GlobalExternalProcessor != nil { + // When the ext_proc filter(s) is added to a + // vhost, it is in enabled state, but we can + // disable it per route. We emulate disabling + // it at the vhost layer by defaulting the state + // from the root proxy. + disabled := rootProxy.Spec.VirtualHost.DisableExtProc() + + // Take the default for enabling authorization + // from the virtual host. If this route has a + // policy, let that override. + if route.ExtProcPolicy != nil { + disabled = route.ExtProcPolicy.Disabled + r.ExtProcOverrides = toExtProcOverrides(route.ExtProcPolicy.Overrides) + } + r.ExtProcDisabled = disabled + } + if len(route.GetPrefixReplacements()) > 0 { if !r.HasPathPrefix() { validCond.AddError(contour_api_v1.ConditionTypePrefixReplaceError, "MustHavePrefix", @@ -1088,6 +1166,15 @@ func (p *HTTPProxyProcessor) computeRoutes( return routes } +func toExtProcOverrides(override *contour_api_v1.ExtProcOverride) *ExtProcOverrides { + return &ExtProcOverrides{ + ProcessingMode: ToProcessingMode(override.ProcessingMode), + + //TODO: lewgun + //GrpcService: GrpcService(v.GRPCService.ExtensionServiceRef.Name, extProc.ExtProcService.SNI, extProc.ResponseTimeout), &GrpcService{}, + } +} + // toIPFilterRules converts ip filter settings from the api into the // dag representation func toIPFilterRules(allowPolicy, denyPolicy []contour_api_v1.IPFilterPolicy, validCond *contour_api_v1.DetailedCondition) (allow bool, filters []IPFilterRule, err error) { 
@@ -1142,7 +1229,12 @@ func toIPFilterRules(allowPolicy, denyPolicy []contour_api_v1.IPFilterPolicy, va // following the chain of spec.tcpproxy.include references. It returns true if processing // was successful, otherwise false if an error was encountered. The details of the error // will be recorded on the status of the relevant HTTPProxy object, -func (p *HTTPProxyProcessor) processHTTPProxyTCPProxy(validCond *contour_api_v1.DetailedCondition, httpproxy *contour_api_v1.HTTPProxy, visited []*contour_api_v1.HTTPProxy, host string) bool { +func (p *HTTPProxyProcessor) processHTTPProxyTCPProxy( + validCond *contour_api_v1.DetailedCondition, + httpproxy *contour_api_v1.HTTPProxy, + visited []*contour_api_v1.HTTPProxy, + host string) bool { + tcpproxy := httpproxy.Spec.TCPProxy if tcpproxy == nil { // nothing to do @@ -1245,7 +1337,6 @@ func (p *HTTPProxyProcessor) processHTTPProxyTCPProxy(validCond *contour_api_v1. } if dest.Spec.VirtualHost != nil { - validCond.AddErrorf(contour_api_v1.ConditionTypeTCPProxyIncludeError, "RootIncludesRoot", "root httpproxy cannot include another root httpproxy (%s/%s)", dest.Namespace, dest.Name) return false 
@@ -1331,21 +1422,22 @@ func (p *HTTPProxyProcessor) rootAllowed(namespace string) bool { } func (p *HTTPProxyProcessor) computeVirtualHostAuthorization(auth *contour_api_v1.AuthorizationServer, validCond *contour_api_v1.DetailedCondition, httpproxy *contour_api_v1.HTTPProxy) *ExternalAuthorization { - ok, ext := validateExternalAuthExtensionService(defaultExtensionRef(auth.ExtensionServiceRef), + ok, ext := validateExtensionService( + defaultExtensionRef(auth.ExtensionServiceRef), validCond, httpproxy, - p.dag.GetExtensionCluster, - ) + contour_api_v1.ConditionTypeAuthError, + p.dag.GetExtensionCluster) if !ok { return nil } - ok, respTimeout := determineExternalAuthTimeout(auth.ResponseTimeout, validCond, ext) + ok, respTimeout := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeAuthError, auth.ResponseTimeout, validCond, ext) if !ok { return nil } - globalExternalAuthorization := &ExternalAuthorization{ + extAuth := &ExternalAuthorization{ AuthorizationService: ext, AuthorizationFailOpen: auth.FailOpen, AuthorizationResponseTimeout: *respTimeout, 
@@ -1356,19 +1448,68 @@ func (p *HTTPProxyProcessor) computeVirtualHostAuthorization(auth *contour_api_v if auth.WithRequestBody.MaxRequestBytes != 0 { maxRequestBytes = auth.WithRequestBody.MaxRequestBytes } - globalExternalAuthorization.AuthorizationServerWithRequestBody = &AuthorizationServerBufferSettings{ + extAuth.AuthorizationServerWithRequestBody = &AuthorizationServerBufferSettings{ MaxRequestBytes: maxRequestBytes, AllowPartialMessage: auth.WithRequestBody.AllowPartialMessage, PackAsBytes: auth.WithRequestBody.PackAsBytes, } } - return globalExternalAuthorization + return extAuth +} + +func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( + extProcessor *contour_api_v1.ExternalProcessor, + validCond *contour_api_v1.DetailedCondition, + httpproxy *contour_api_v1.HTTPProxy) []ExternalProcessor { + + var extProcs []ExternalProcessor + for _, proc := range extProcessor.Processors { + ok, extSvc := validateExtensionService( + defaultExtensionRef(proc.GRPCService.ExtensionServiceRef), + validCond, + httpproxy, + contour_api_v1.ConditionTypeExtProcError, + p.dag.GetExtensionCluster) + if !ok { + return nil + } + ok, respTimeout := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeExtProcError, proc.GRPCService.ResponseTimeout, validCond, extSvc) + if !ok { + return nil + } + + extProcs = append(extProcs, ExternalProcessor{ + ExtProcService: extSvc, + ResponseTimeout: *respTimeout, + FailOpen: proc.GRPCService.FailOpen, + ProcessingMode: ToProcessingMode(proc.ProcessingMode), + MutationRules: ToMutationRules(proc.MutationRules), + }) + + } + + return extProcs } -func validateExternalAuthExtensionService(ref contour_api_v1.ExtensionServiceReference, validCond *contour_api_v1.DetailedCondition, httpproxy *contour_api_v1.HTTPProxy, getExtensionCluster func(name string) *ExtensionCluster) (bool, *ExtensionCluster) { +const versionErorrFormat = "%s specifies an unsupported resource version %q" +const extSvcNotFound = "%s extension service %q not found" + 
+func validateExtensionService( + ref contour_api_v1.ExtensionServiceReference, + validCond *contour_api_v1.DetailedCondition, + httpproxy *contour_api_v1.HTTPProxy, + errorType string, + extensionClusterGetter func(name string) *ExtensionCluster, +) (bool, *ExtensionCluster) { if ref.APIVersion != contour_api_v1alpha1.GroupVersion.String() { - validCond.AddErrorf(contour_api_v1.ConditionTypeAuthError, "AuthBadResourceVersion", - "Spec.Virtualhost.Authorization.extensionRef specifies an unsupported resource version %q", ref.APIVersion) + reason := "AuthBadResourceVersion" + field := "Spec.Virtualhost.Authorization.extensionRef" + + if errorType == contour_api_v1.ConditionTypeExtProcError { + reason = "ExtProcBadResourceVersion" + field = "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef" + } + validCond.AddErrorf(errorType, reason, versionErorrFormat, field, ref.APIVersion) return false, nil } 
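Review bot: computeVirtualHostExtProcs in the `@@ -1356` hunk returns nil both when a validation error was recorded and when `extProcessor.Processors` is empty, and its callers in the later `@@ -1403` hunk treat nil as failure and stop processing the proxy, so `externalProcessor: {processors: []}` halts the HTTPProxy with no ExtProcError recorded and, as far as the hunk shows, no status explaining why its routes are missing. Reject an empty list explicitly so nil always means "error recorded"; an ok-flag return would be cleaner but touches both callers. The ordering of the resulting filters follows list order and is what an operator chaining a sanitising processor ahead of another relies on, which the function should document. `proc.GRPCService` is dereferenced without a nil check; whether it is a pointer is not visible here and should be confirmed against the API type.
```go
func (p *HTTPProxyProcessor) computeVirtualHostExtProcs(
	extProcessor *contour_api_v1.ExternalProcessor,
	validCond *contour_api_v1.DetailedCondition,
	httpproxy *contour_api_v1.HTTPProxy) []ExternalProcessor {

	// Callers treat a nil result as "validation failed", so an empty
	// processor list must record a condition rather than return nil silently.
	if len(extProcessor.Processors) == 0 {
		validCond.AddError(contour_api_v1.ConditionTypeExtProcError, "ExtProcNoProcessors",
			"Spec.VirtualHost.ExternalProcessor.Processors must contain at least one processor")
		return nil
	}
	// … unchanged: per-processor validation loop, filters emitted in list order …
```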
@@ -1378,21 +1519,32 @@ func validateExternalAuthExtensionService(ref contour_api_v1.ExtensionServiceRef Namespace: stringOrDefault(ref.Namespace, httpproxy.Namespace), } - ext := getExtensionCluster(ExtensionClusterName(extensionName)) + ext := extensionClusterGetter(ExtensionClusterName(extensionName)) if ext == nil { - validCond.AddErrorf(contour_api_v1.ConditionTypeAuthError, "ExtensionServiceNotFound", - "Spec.Virtualhost.Authorization.ServiceRef extension service %q not found", extensionName) + field := "Spec.Virtualhost.Authorization.ServiceRef" + if errorType == contour_api_v1.ConditionTypeExtProcError { + field = "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef" + } + validCond.AddErrorf(errorType, "ExtensionServiceNotFound", extSvcNotFound, field, extensionName) return false, ext } - return true, ext } -func determineExternalAuthTimeout(responseTimeout string, validCond *contour_api_v1.DetailedCondition, ext *ExtensionCluster) (bool, *timeout.Setting) { +const extSvcRespTimeoutFormat = "%s is invalid: %q" + +func determineExtensionServiceTimeout(errorType string, responseTimeout string, validCond *contour_api_v1.DetailedCondition, ext *ExtensionCluster) (bool, *timeout.Setting) { tout, err := timeout.Parse(responseTimeout) if err != nil { - validCond.AddErrorf(contour_api_v1.ConditionTypeAuthError, "AuthResponseTimeoutInvalid", - "Spec.Virtualhost.Authorization.ResponseTimeout is invalid: %s", err) + + reason := "AuthResponseTimeoutInvalid" + field := "Spec.Virtualhost.Authorization.ResponseTimeout" + + if errorType != contour_api_v1.ConditionTypeAuthError { + reason = "ExtProcResponseTimeoutInvalid" + field = "Spec.VirtualHost.ExternalProcessor.Processors[*].ResponseTimeout" + } + validCond.AddErrorf(errorType, reason, extSvcRespTimeoutFormat, field, err) return false, nil } 
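Review bot: determineExtensionServiceTimeout in the `@@ -1378` hunk selects the ext_proc wording with `errorType != contour_api_v1.ConditionTypeAuthError`, while validateExtensionService in the same hunk uses `errorType == contour_api_v1.ConditionTypeExtProcError`; a third condition type passed in the future would get ext_proc field names from one helper and auth names from the other. Use the positive comparison in both places: `if errorType == contour_api_v1.ConditionTypeExtProcError {`. Neither helper has a doc comment saying that errorType selects both the condition type and the field path quoted in the status message, and that parameter is now load-bearing for what users see. `return true, &tout` continues outside the hunk.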
@@ -1403,20 +1555,42 @@ func determineExternalAuthTimeout(responseTimeout string, validCond *contour_api return true, &tout } +func (p *HTTPProxyProcessor) computeSecureVirtualHostExtProc( + validCond *contour_api_v1.DetailedCondition, + httpproxy *contour_api_v1.HTTPProxy, + svhost *SecureVirtualHost) bool { + + if httpproxy.Spec.VirtualHost.ExtProcConfigured() && !httpproxy.Spec.VirtualHost.DisableExtProc() { + eps := p.computeVirtualHostExtProcs(httpproxy.Spec.VirtualHost.ExternalProcessor, validCond, httpproxy) + if eps == nil { + return false + } + svhost.ExtProcs = eps + + } else if p.GlobalExternalProcessor != nil && !httpproxy.Spec.VirtualHost.DisableExtProc() { + eps := p.computeVirtualHostExtProcs(p.GlobalExternalProcessor, validCond, httpproxy) + if eps == nil { + return false + } + svhost.ExtProcs = eps + } + + return true +} + func (p *HTTPProxyProcessor) computeSecureVirtualHostAuthorization(validCond *contour_api_v1.DetailedCondition, httpproxy *contour_api_v1.HTTPProxy, svhost *SecureVirtualHost) bool { if httpproxy.Spec.VirtualHost.AuthorizationConfigured() && !httpproxy.Spec.VirtualHost.DisableAuthorization() { authorization := p.computeVirtualHostAuthorization(httpproxy.Spec.VirtualHost.Authorization, validCond, httpproxy) if authorization == nil { return false } - svhost.ExternalAuthorization = authorization + } else if p.GlobalExternalAuthorization != nil && !httpproxy.Spec.VirtualHost.DisableAuthorization() { globalAuthorization := p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, httpproxy) if globalAuthorization == nil { return false } - svhost.ExternalAuthorization = globalAuthorization } 
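Review bot: computeSecureVirtualHostExtProc in the `@@ -1403` hunk makes a vhost-level externalProcessor replace the global processors rather than run in addition to them, and `DisableExtProc()` on the root vhost lets any HTTPProxy opt out of the global ones entirely. That mirrors computeSecureVirtualHostAuthorization below it, but it is a security-relevant property when the global processor is meant as a cluster-wide control, and nothing in the hunk records it. Add a doc comment: `// computeSecureVirtualHostExtProc attaches ext_proc filters to svhost. A vhost-level ExternalProcessor takes precedence over and fully replaces the global processors; ExtProcPolicy.Disabled on the root vhost turns both off.` The two branches are identical apart from the source of the processor list and could collapse to one call on a `source` variable chosen up front.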
@@ -1860,6 +2034,17 @@ func routeActionCountValid(route contour_api_v1.Route) error { return nil } +func routeExtProcValid(policy *contour_api_v1.ExtProcPolicy) error { + if policy == nil { + return nil + } + + if policy.Overrides != nil && policy.Disabled { + return fmt.Errorf("cannot specify both ExtProcPolicy.Overrides and ExtProcPolicy.Disabled ") + } + return nil +} + // redirectRoutePolicy builds a *dag.Redirect for the supplied redirect policy. func redirectRoutePolicy(redirect *contour_api_v1.HTTPRequestRedirectPolicy) (*Redirect, error) { if redirect == nil { diff --git a/internal/dag/httpproxy_processor_test.go b/internal/dag/httpproxy_processor_test.go index 52f984ba17b..3f215d01a61 100644 --- a/internal/dag/httpproxy_processor_test.go +++ b/internal/dag/httpproxy_processor_test.go @@ -803,7 +803,7 @@ func TestValidateExternalAuthExtensionService(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { validCond := &contour_api_v1.DetailedCondition{} - gotBool, got := validateExternalAuthExtensionService(tc.ref, validCond, tc.httpproxy, tc.getExtensionCluster) + gotBool, got := validateExtensionService(tc.ref, validCond, tc.httpproxy, contour_api_v1.ConditionTypeAuthError, tc.getExtensionCluster) require.Equal(t, tc.want, got) require.Equal(t, tc.wantBool, gotBool) require.Equal(t, tc.wantValidCond, validCond) @@ -866,7 +866,7 @@ func TestDetermineExternalAuthTimeout(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { validCond := &contour_api_v1.DetailedCondition{} - gotBool, got := determineExternalAuthTimeout(tc.responseTimeout, validCond, tc.ext) + gotBool, got := determineExtensionServiceTimeout(tc.responseTimeout, validCond, tc.ext) require.Equal(t, tc.want, got) require.Equal(t, tc.wantBool, gotBool) require.Equal(t, tc.wantValidCond, validCond) diff --git a/internal/dag/policy.go b/internal/dag/policy.go index 8f6966ccbbf..f8d6e3d1397 100644 --- a/internal/dag/policy.go +++ b/internal/dag/policy.go 
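Review bot: The error string in routeExtProcValid (`@@ -1860` hunk) ends with a trailing space before the closing quote, and that text lands verbatim in the HTTPProxy status message: `return fmt.Errorf("cannot specify both ExtProcPolicy.Overrides and ExtProcPolicy.Disabled")`. The function also lacks a doc comment; I would add `// routeExtProcValid rejects a route-level ExtProcPolicy that both disables processing and supplies overrides.`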
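Review bot: The `@@ -866` hunk of httpproxy_processor_test.go still calls `determineExtensionServiceTimeout(tc.responseTimeout, validCond, tc.ext)` with three arguments, but the renamed function in httpproxy_processor.go now takes `errorType string` first, so the package does not compile as committed. The call should be `gotBool, got := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeAuthError, tc.responseTimeout, validCond, tc.ext)`, matching the updated call in the `@@ -803` hunk. Both tests should also gain an ExtProcError case, since the reason/field selection is a new branch that the existing auth-only cases do not exercise.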
@@ -21,7 +21,11 @@ import ( "strings" "time" + "github.com/sirupsen/logrus" networking_v1 "k8s.io/api/networking/v1" + utilerrors "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/validation" gatewayapi_v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gatewayapi_v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" @@ -29,10 +33,6 @@ import ( "github.com/projectcontour/contour/internal/annotation" "github.com/projectcontour/contour/internal/ref" "github.com/projectcontour/contour/internal/timeout" - "github.com/sirupsen/logrus" - utilerrors "k8s.io/apimachinery/pkg/util/errors" - "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/apimachinery/pkg/util/validation" ) const ( diff --git a/internal/envoy/v3/cluster.go b/internal/envoy/v3/cluster.go index e39beedadee..70ec65e8f68 100644 --- a/internal/envoy/v3/cluster.go +++ b/internal/envoy/v3/cluster.go @@ -22,15 +22,16 @@ import ( envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_extensions_upstream_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3" envoy_type "github.com/envoyproxy/go-control-plane/envoy/type/v3" + "google.golang.org/protobuf/types/known/anypb" + "google.golang.org/protobuf/types/known/durationpb" + "google.golang.org/protobuf/types/known/wrapperspb" + "k8s.io/apimachinery/pkg/types" + "github.com/projectcontour/contour/internal/dag" "github.com/projectcontour/contour/internal/envoy" "github.com/projectcontour/contour/internal/protobuf" "github.com/projectcontour/contour/internal/timeout" "github.com/projectcontour/contour/internal/xds" - "google.golang.org/protobuf/types/known/anypb" - "google.golang.org/protobuf/types/known/durationpb" - "google.golang.org/protobuf/types/known/wrapperspb" - "k8s.io/apimachinery/pkg/types" ) func clusterDefaults() *envoy_cluster_v3.Cluster { diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 2707700875a..1025333be0b 100644 
--- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go @@ -21,12 +21,14 @@ import ( "time" accesslog "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3" + envoy_mutation_rules_v3 "github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3" envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_gzip_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/gzip/compressor/v3" envoy_compressor_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/compressor/v3" envoy_cors_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3" envoy_config_filter_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3" + envoy_config_filter_http_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3" envoy_config_filter_http_grpc_stats_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3" envoy_grpc_web_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3" envoy_jwt_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3" 
@@ -41,14 +43,15 @@ import ( envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" envoy_type "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" + "google.golang.org/protobuf/types/known/durationpb" + "google.golang.org/protobuf/types/known/wrapperspb" + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/dag" "github.com/projectcontour/contour/internal/envoy" "github.com/projectcontour/contour/internal/protobuf" "github.com/projectcontour/contour/internal/sorter" "github.com/projectcontour/contour/internal/timeout" - "google.golang.org/protobuf/types/known/durationpb" - "google.golang.org/protobuf/types/known/wrapperspb" ) type HTTPVersionType = http.HttpConnectionManager_CodecType @@ -381,6 +384,13 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu return b } +func (b *httpConnectionManagerBuilder) AddFilters(filters []*http.HttpFilter) *httpConnectionManagerBuilder { + for _, f := range filters { + b.AddFilter(f) + } + return b +} + // AddFilter appends f to the list of filters for this HTTPConnectionManager. f // may be nil, in which case it is ignored. Note that Router filters // (filters with TypeUrl `type.googleapis.com/envoy.extensions.filters.http.router.v3.Router`) 
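Review bot: AddFilters in the `@@ -381` hunk is exported but has no doc comment, unlike AddFilter directly beneath it. Because it delegates to AddFilter, nil entries and a nil slice are both tolerated, which the listener code relies on when httpGlobalExtProcConfig returns nil; say so: `// AddFilters appends each filter in filters via AddFilter, so nil entries and a nil slice are ignored.`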
@@ -764,6 +774,34 @@ end } } +// FilterExtProc returns an `ext_proc` filter configured with the +// requested parameters. +func FilterExtProc(extProc *dag.ExternalProcessor) *http.HttpFilter { + extProcConfig := envoy_config_filter_http_ext_proc_v3.ExternalProcessor{ + GrpcService: GrpcService(extProc.ExtProcService.Name, extProc.ExtProcService.SNI, extProc.ResponseTimeout), + FailureModeAllow: extProc.FailOpen, + ProcessingMode: dag.MakeProcessMode(extProc.ProcessingMode), + MessageTimeout: envoy.Timeout(timeout.DefaultSetting()), + MaxMessageTimeout: envoy.Timeout(timeout.DefaultSetting()), + DisableClearRouteCache: false, + AllowModeOverride: true, + MutationRules: &envoy_mutation_rules_v3.HeaderMutationRules{ + AllowAllRouting: &wrapperspb.BoolValue{Value: extProc.MutationRules.AllowAllRouting}, + AllowEnvoy: &wrapperspb.BoolValue{Value: extProc.MutationRules.AllowEnvoy}, + DisallowSystem: &wrapperspb.BoolValue{Value: extProc.MutationRules.DisallowSystem}, + DisallowAll: &wrapperspb.BoolValue{Value: extProc.MutationRules.DisallowAll}, + DisallowIsError: &wrapperspb.BoolValue{Value: extProc.MutationRules.DisallowIsError}, + }, + } + + return &http.HttpFilter{ + Name: "envoy.filters.http.ext_proc", + ConfigType: &http.HttpFilter_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&extProcConfig), + }, + } +} + // FilterExternalAuthz returns an `ext_authz` filter configured with the // requested parameters. func FilterExternalAuthz(externalAuthorization *dag.ExternalAuthorization) *http.HttpFilter { diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go index 609dcc2c76d..1ccbe48cda8 100644 --- a/internal/envoy/v3/route.go +++ b/internal/envoy/v3/route.go 
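Review bot: FilterExtProc in the `@@ -764` hunk dereferences `extProc.MutationRules` unconditionally, and the global-config path in xdscache forwards whatever pointer it was given, so a global processor configured without mutation rules would panic the listener cache instead of producing a filter; `extProc.ProcessingMode` is passed to dag.MakeProcessMode without a nil check too, and whether that helper tolerates nil is not visible here. Emit the mutation rules only when configured and let Envoy apply its defaults otherwise. Separately, `AllowModeOverride: true` is hardcoded, which as far as the Envoy field name implies lets the external server change the processing mode the operator configured (for example to start receiving bodies); that is a capability grant to the processor and should be a configurable field or, at minimum, called out in the doc comment. `MessageTimeout` and `MaxMessageTimeout` are both set from `timeout.DefaultSetting()`, and the comment should say what that resolves to for this filter.
```go
	extProcConfig := envoy_config_filter_http_ext_proc_v3.ExternalProcessor{
		// … unchanged: GrpcService, FailureModeAllow, ProcessingMode, timeouts, DisableClearRouteCache …
		AllowModeOverride: true, // TODO: make configurable; grants the server the right to change the processing mode per stream
	}

	// Only emit header mutation rules the operator configured; a nil pointer
	// here must not take the control plane down.
	if extProc.MutationRules != nil {
		extProcConfig.MutationRules = &envoy_mutation_rules_v3.HeaderMutationRules{
			AllowAllRouting: &wrapperspb.BoolValue{Value: extProc.MutationRules.AllowAllRouting},
			AllowEnvoy:      &wrapperspb.BoolValue{Value: extProc.MutationRules.AllowEnvoy},
			DisallowSystem:  &wrapperspb.BoolValue{Value: extProc.MutationRules.DisallowSystem},
			DisallowAll:     &wrapperspb.BoolValue{Value: extProc.MutationRules.DisallowAll},
			DisallowIsError: &wrapperspb.BoolValue{Value: extProc.MutationRules.DisallowIsError},
		}
	}
	// … unchanged: wrap extProcConfig in an HttpFilter named envoy.filters.http.ext_proc …
```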
@@ -21,27 +21,28 @@ import ( "strings" "text/template" - envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" - envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_config_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3" envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" envoy_cors_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3" envoy_config_filter_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3" + envoy_config_filter_http_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3" envoy_jwt_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3" lua "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3" envoy_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3" envoy_internal_redirect_previous_routes_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/internal_redirect/previous_routes/v3" envoy_internal_redirect_safe_cross_scheme_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/internal_redirect/safe_cross_scheme/v3" matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" - "github.com/projectcontour/contour/internal/dag" - "github.com/projectcontour/contour/internal/envoy" - "github.com/projectcontour/contour/internal/protobuf" - "github.com/projectcontour/contour/internal/sorter" + envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/wrapperspb" + + "github.com/projectcontour/contour/internal/dag" + "github.com/projectcontour/contour/internal/envoy" + "github.com/projectcontour/contour/internal/protobuf" + 
"github.com/projectcontour/contour/internal/sorter" ) // VirtualHostAndRoutes converts a DAG virtual host and routes to an Envoy virtual host. @@ -152,6 +153,14 @@ func buildRoute(dagRoute *dag.Route, vhostName string, secure bool) *envoy_route route.TypedPerFilterConfig["envoy.filters.http.ext_authz"] = routeAuthzContext(dagRoute.AuthContext) } + // Apply per-route external processing policy modifications. + if dagRoute.ExtProcDisabled { + route.TypedPerFilterConfig["envoy.filters.http.ext_proc"] = routeExtProcDisabled() + + } else if dagRoute.ExtProcOverrides != nil { + route.TypedPerFilterConfig["envoy.filters.http.ext_proc"] = routeExtProcOverrides(dagRoute.ExtProcOverrides) + } + // If JWT verification is enabled, add per-route filter // config referencing a requirement in the main filter // config. @@ -177,6 +186,28 @@ func buildRoute(dagRoute *dag.Route, vhostName string, secure bool) *envoy_route return route } +// routeExtProcDisabled returns a per-route config to disable extProc for this particular vhost or route. +func routeExtProcDisabled() *anypb.Any { + return protobuf.MustMarshalAny( + &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute{ + Override: &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute_Disabled{ + Disabled: true, + }, + }, + ) +} + +func routeExtProcOverrides(overrides *dag.ExtProcOverrides) *anypb.Any { + return protobuf.MustMarshalAny( + &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute{ + Override: &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute_Overrides{ + // TODO: lewgun + //Overrides: true, + }, + }, + ) +} + // routeAuthzDisabled returns a per-route config to disable authorization. func routeAuthzDisabled() *anypb.Any { return protobuf.MustMarshalAny( diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go index a7f74e08ac2..db7d9a3a07f 100644 --- a/internal/featuretests/v3/envoy.go +++ b/internal/featuretests/v3/envoy.go 
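Review bot: routeExtProcOverrides in the `@@ -177` hunk never reads its `overrides` parameter and emits `ExtProcPerRoute_Overrides{}` with a nil Overrides message, so a route that declares overrides gets an empty per-route override instead of the processing mode the DAG carried in ExtProcOverrides.ProcessingMode; whether Envoy treats that as a no-op or rejects the route table I cannot tell from here, and neither outcome is what the user asked for. At minimum populate the mode: `Overrides: &envoy_config_filter_http_ext_proc_v3.ExtProcOverrides{ProcessingMode: dag.MakeProcessMode(overrides.ProcessingMode)},` and extend it when the gRPC-service override is implemented. The function also needs a doc comment, e.g. `// routeExtProcOverrides returns a per-route ext_proc config that replaces the filter's processing mode for this route.` routeAuthzDisabled begins in the hunk's trailing context and continues outside it.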
@@ -514,6 +514,29 @@ func authzFilterFor( Get() } +// TODO: lewgun +// extProcFilterFor does the same as httpsFilterFor but inserts a +// `ext_authz` filter with the specified configuration into the +// filter chain. +func extProcFilterFor( + vhost string, + authz *envoy_config_filter_http_ext_authz_v3.ExtAuthz, +) *envoy_listener_v3.Filter { + return envoy_v3.HTTPConnectionManagerBuilder(). + AddFilter(envoy_v3.FilterMisdirectedRequests(vhost)). + DefaultFilters(). + AddFilter(&http.HttpFilter{ + Name: "envoy.filters.http.ext_authz", + ConfigType: &http.HttpFilter_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(authz), + }, + }). + RouteConfigName(path.Join("https", vhost)). + MetricsPrefix(xdscache_v3.ENVOY_HTTPS_LISTENER). + AccessLoggers(envoy_v3.FileAccessLogEnvoy("/dev/stdout", "", nil, contour_api_v1alpha1.LogLevelInfo)). + Get() +} + func jwtAuthnFilterFor( vhost string, jwt *envoy_jwt_v3.JwtAuthentication, diff --git a/internal/fixture/httpproxy.go b/internal/fixture/httpproxy.go index bb28a189c59..256b4a25368 100644 --- a/internal/fixture/httpproxy.go +++ b/internal/fixture/httpproxy.go @@ -89,3 +89,9 @@ func (b *ProxyBuilder) WithAuthServer(auth contour_api_v1.AuthorizationServer) * b.Spec.VirtualHost.Authorization = &auth return b } + +func (b *ProxyBuilder) WithExternalProcessor(extProc *contour_api_v1.ExternalProcessor) *ProxyBuilder { + b.ensureTLS() + b.Spec.VirtualHost.ExternalProcessor = extProc + return b +} diff --git a/internal/status/cache.go b/internal/status/cache.go index 0274427eeb0..a7b034ab840 100644 --- a/internal/status/cache.go +++ b/internal/status/cache.go @@ -20,6 +20,7 @@ import ( contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" "github.com/projectcontour/contour/internal/k8s" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" 
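Review bot: extProcFilterFor in the `@@ -514` hunk of envoy.go takes an `ext_authz.ExtAuthz` and inserts a filter named `envoy.filters.http.ext_authz`, so as written it is a duplicate of authzFilterFor under a misleading name, and its doc comment also says `ext_authz`. The TODO marker is present, but a test helper whose name and behaviour disagree will make tests go green while asserting the wrong filter; either finish it to take `*envoy_config_filter_http_ext_proc_v3.ExternalProcessor` and emit `envoy.filters.http.ext_proc`, or leave it out of this commit. The doc should read `// extProcFilterFor does the same as httpsFilterFor but inserts an ext_proc filter with the specified configuration into the filter chain.`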
diff --git a/internal/xdscache/v3/cluster.go b/internal/xdscache/v3/cluster.go index 134efedbb12..61d0df9ff90 100644 --- a/internal/xdscache/v3/cluster.go +++ b/internal/xdscache/v3/cluster.go @@ -19,13 +19,14 @@ import ( envoy_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" resource "github.com/envoyproxy/go-control-plane/pkg/resource/v3" + "google.golang.org/protobuf/proto" + "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/dag" "github.com/projectcontour/contour/internal/envoy" envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3" "github.com/projectcontour/contour/internal/protobuf" "github.com/projectcontour/contour/internal/sorter" - "google.golang.org/protobuf/proto" ) // ClusterCache manages the contents of the gRPC CDS cache. diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index c9cf6d04aaf..2d444aff676 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -22,6 +22,9 @@ import ( http "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" resource "github.com/envoyproxy/go-control-plane/pkg/resource/v3" + "google.golang.org/protobuf/proto" + "k8s.io/apimachinery/pkg/types" + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/contourconfig" @@ -31,8 +34,6 @@ import ( "github.com/projectcontour/contour/internal/sorter" "github.com/projectcontour/contour/internal/timeout" "github.com/projectcontour/contour/pkg/config" - "google.golang.org/protobuf/proto" - "k8s.io/apimachinery/pkg/types" ) // nolint:revive 
@@ -137,10 +138,14 @@ type ListenerConfig struct { // used. RateLimitConfig *RateLimitConfig - // GlobalExternalAuthConfig optionally configures the global external authorization Service to be + // GlobalExternalAuthConfig optionally configures the global external authz Services to be // used. GlobalExternalAuthConfig *GlobalExternalAuthConfig + // GlobalExternalProcessorConfig optionally configures the global external processing Services to be + // used. + GlobalExternalProcessorConfig *GlobalExtProcConfig + // TracingConfig optionally configures the tracing collector Service to be // used. TracingConfig *TracingConfig @@ -198,6 +203,18 @@ type GlobalExternalAuthConfig struct { WithRequestBody *dag.AuthorizationServerBufferSettings } +type ExtProcConfig struct { + ExtensionServiceConfig + FailOpen bool + + ProcessingMode *dag.ProcessingMode + MutationRules *dag.HeaderMutationRules +} + +type GlobalExtProcConfig struct { + Processors []ExtProcConfig +} + // httpAccessLog returns the access log for the HTTP (non TLS) // listener or DEFAULT_HTTP_ACCESS_LOG if not configured. func (lvc *ListenerConfig) httpAccessLog() string { @@ -421,6 +438,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { NumTrustedHops(cfg.XffNumTrustedHops). MaxRequestsPerConnection(cfg.MaxRequestsPerConnection). AddFilter(httpGlobalExternalAuthConfig(cfg.GlobalExternalAuthConfig)). + AddFilters(httpGlobalExtProcConfig(cfg.GlobalExternalProcessorConfig)). Tracing(envoy_v3.TracingConfig(envoyTracingConfig(cfg.TracingConfig))). AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))). EnableWebsockets(listener.EnableWebsockets). 
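Review bot: ExtProcConfig and GlobalExtProcConfig in the `@@ -198` hunk are exported without doc comments, and the two pointer fields are exactly the values FilterExtProc dereferences, so whether they may be nil is the one thing a caller needs to know. I would add `// ExtProcConfig describes one global external processor. ProcessingMode and MutationRules are optional; callers must tolerate nil and fall back to the Envoy defaults.` and `// GlobalExtProcConfig holds the global ext_proc filters in the order they run.` The `GlobalExternalAuthConfig` comment in the `@@ -137` hunk was reworded to "authz Services" in the plural, but that field still holds a single server and the wording now misleads.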
@@ -467,6 +485,11 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { authFilter = envoy_v3.FilterExternalAuthz(vh.ExternalAuthorization) } + var extProcFilters []*http.HttpFilter + for _, ep := range vh.ExtProcs { + extProcFilters = append(extProcFilters, envoy_v3.FilterExtProc(&ep)) + } + // Create a uniquely named HTTP connection manager for // this vhost, so that the SNI name the client requests // only grants access to that host. See RFC 6066 for @@ -479,6 +502,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { AddFilter(envoy_v3.FilterMisdirectedRequests(vh.VirtualHost.Name)). DefaultFilters(). AddFilter(authFilter). + AddFilters(extProcFilters). AddFilter(envoy_v3.FilterJWTAuth(vh.JWTProviders)). RouteConfigName(httpsRouteConfigName(listener, vh.VirtualHost.Name)). MetricsPrefix(listener.Name). @@ -624,6 +648,27 @@ func httpGlobalExternalAuthConfig(config *GlobalExternalAuthConfig) *http.HttpFi } +func httpGlobalExtProcConfig(config *GlobalExtProcConfig) []*http.HttpFilter { + if config == nil { + return nil + } + + var filters []*http.HttpFilter + for _, epCfg := range config.Processors { + filters = append(filters, envoy_v3.FilterExtProc(&dag.ExternalProcessor{ + ExtProcService: &dag.ExtensionCluster{ + Name: dag.ExtensionClusterName(epCfg.ExtensionServiceConfig.ExtensionService), + SNI: epCfg.ExtensionServiceConfig.SNI, + }, + FailOpen: epCfg.FailOpen, + ResponseTimeout: epCfg.ExtensionServiceConfig.Timeout, + ProcessingMode: epCfg.ProcessingMode, + MutationRules: epCfg.MutationRules, + })) + } + return filters +} + func envoyGlobalRateLimitConfig(config *RateLimitConfig) *envoy_v3.GlobalRateLimitConfig { if config == nil { return nil diff --git a/internal/xdscache/v3/listener_test.go b/internal/xdscache/v3/listener_test.go index 186215e39c7..108f490bd6c 100644 --- a/internal/xdscache/v3/listener_test.go +++ b/internal/xdscache/v3/listener_test.go 
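Review bot: The `@@ -479` hunk places the per-vhost ext_proc filters after ext_authz and before jwt_authn, and nothing records that the order is deliberate. It matters for security: processors that run before JWT verification see unauthenticated requests, and with permissive mutation rules they can presumably rewrite the headers jwt_authn then validates, while a processor placed after jwt_authn could not act as a pre-auth sanitiser. Add a comment at the insertion point: `// ext_proc runs after ext_authz and before jwt_authn: processors see unauthenticated traffic and may mutate headers that JWT verification reads.` The loop in the `@@ -467` hunk passes `&ep`, which is only safe because FilterExtProc marshals immediately; `envoy_v3.FilterExtProc(&vh.ExtProcs[i])` would make that explicit.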
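Review bot: httpGlobalExtProcConfig in the `@@ -624` hunk builds each `dag.ExtensionCluster` from the configured name and SNI alone, so a global processor whose ExtensionService does not exist produces a filter pointing at a cluster Envoy does not have; with FailOpen false every request on the listener is then rejected, which is the safe failure but deserves a comment, and with FailOpen true the processor is bypassed without any status signalling it. The function should also say that ProcessingMode and MutationRules are forwarded as-is and may be nil, since the config type added in parameters.go has no fields for them unless serve.go fills defaults. A doc comment such as `// httpGlobalExtProcConfig returns the ext_proc filters for the global processors, in configured order; the clusters are referenced by name and not validated here.` covers both points.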
@@ -18,8 +18,6 @@ import ( "testing" "time" - "google.golang.org/protobuf/types/known/wrapperspb" - envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" ratelimit_config_v3 "github.com/envoyproxy/go-control-plane/envoy/config/ratelimit/v3" @@ -27,6 +25,14 @@ import ( http "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" + "google.golang.org/protobuf/proto" + "google.golang.org/protobuf/types/known/durationpb" + "google.golang.org/protobuf/types/known/wrapperspb" + v1 "k8s.io/api/core/v1" + networking_v1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/contourconfig" @@ -36,12 +42,6 @@ import ( "github.com/projectcontour/contour/internal/protobuf" "github.com/projectcontour/contour/internal/ref" "github.com/projectcontour/contour/internal/timeout" - "google.golang.org/protobuf/proto" - "google.golang.org/protobuf/types/known/durationpb" - v1 "k8s.io/api/core/v1" - networking_v1 "k8s.io/api/networking/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" ) func TestListenerCacheContents(t *testing.T) { diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index 462361d226c..f253f880220 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go 
@@ -651,6 +651,9 @@ type Parameters struct { // Tracing holds the relevant configuration for exporting trace data to OpenTelemetry. Tracing *Tracing `yaml:"tracing,omitempty"` + + // GlobalExternalProcessor optionally holds properties of the global external processing configurations. + GlobalExternalProcessor *GlobalExternalProcessor `yaml:"globalExternalProcessor,omitempty"` } // Tracing defines properties for exporting trace data to OpenTelemetry. 
@@ -759,6 +762,40 @@ type GlobalAuthorizationPolicy struct { Context map[string]string `yaml:"context,omitempty"` } +// The External Processing filter allows an external service to act on HTTP traffic in a flexible way +// The external server must implement the v3 Envoy +// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). +type ExternalProcessor struct { + // ExtensionService identifies the extension service defining the RLS, + // formatted as /. + ExtensionService string `yaml:"extensionService,omitempty"` + + // ResponseTimeout configures maximum time to wait for a check response from the expProc server. + // Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + // The string "infinity" is also a valid input and specifies no timeout. + // + // +optional + ResponseTimeout string `yaml:"responseTimeout,omitempty"` + + // If FailOpen is true, the client request is forwarded to the upstream service + // even if the authorization server fails to respond. This field should not be + // set in most cases. It is intended for use only while migrating applications + // from internal authorization to Contour external authorization. + // + // +optional + FailOpen bool `yaml:"failOpen,omitempty"` +} + +// The External Processing filter allows an external service to act on HTTP traffic in a flexible way +// The external server must implement the v3 Envoy +// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). +type GlobalExternalProcessor struct { + // + // +optional + Processors []ExternalProcessor +} + // RateLimitService defines properties of a global Rate Limit Service. type RateLimitService struct { // ExtensionService identifies the extension service defining the RLS, 
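Review bot: The field comments on the new `ExternalProcessor` type are copied from the authorization and rate-limit types and describe the wrong thing: `ExtensionService` says it identifies "the extension service defining the RLS", and `FailOpen` talks about "the authorization server" and migrating "to Contour external authorization". For an external processor FailOpen means the request continues to the upstream without being processed when the processor is unreachable, so the comment should say that, e.g. `// If FailOpen is true, the client request is forwarded to the upstream service even if the external processor fails to respond.`, and `ResponseTimeout` should read `extProc server` rather than `expProc`. `Processors []ExternalProcessor` is the only field in these two structs without a yaml tag; add `yaml:"processors,omitempty"` so the key is explicit instead of relying on the decoder's default lowercasing. Both type comments are identical and neither starts with the type name; the second should begin `// GlobalExternalProcessor ...`. Nothing in this hunk validates `ResponseTimeout` or the namespace/name form of `ExtensionService`, so it is worth confirming the config validation path covers them before the values reach the DAG.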
diff --git a/site/content/resources/compatibility-matrix.md b/site/content/resources/compatibility-matrix.md index e8a3d9f4780..cad6946eb78 100644 --- a/site/content/resources/compatibility-matrix.md +++ b/site/content/resources/compatibility-matrix.md @@ -100,6 +100,7 @@ If you are providing your own Envoy it must be compiled with the following exten - envoy.filters.http.health_check - envoy.filters.http.lua - envoy.filters.http.router + - envoy.filters.http.ext_proc - Listener filters - envoy.filters.listener.http_inspector diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index a4d95900910..8ed5cd6af6e 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -111,6 +111,9 @@ type Deployment struct { GlobalExtAuthDeployment *apps_v1.Deployment GlobalExtAuthService *v1.Service GlobalExtAuthExtensionService *contour_api_v1alpha1.ExtensionService + + //TODO: lewgun + GlobalExtProcExtensionService *contour_api_v1alpha1.ExtensionService } // UnmarshalResources unmarshals resources from rendered Contour manifest in From 98f43def43d0b80250f027d5982cad66d9b5e024 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Sat, 7 Oct 2023 16:58:08 +0800 Subject: [PATCH 02/31] build pass Signed-off-by: gang.liu --- internal/dag/dag.go | 20 +----- internal/dag/httpproxy_processor.go | 79 ++++++++++++++++++------ internal/dag/httpproxy_processor_test.go | 2 +- internal/envoy/v3/route.go | 15 ++++- 4 files changed, 76 insertions(+), 40 deletions(-) diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 1fd00d17a21..cfe33417c21 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -24,7 +24,6 @@ import ( "strings" "time" - "github.com/golang/protobuf/ptypes/duration" "github.com/projectcontour/contour/internal/status" "github.com/projectcontour/contour/internal/timeout" 
@@ -1308,27 +1307,14 @@ const ( ProcessingMode_BUFFERED_PARTIAL BodySendMode = 3 ) -// TODO: lewgun -type GrpcService struct { - - // The timeout for the gRPC request. This is the timeout for a specific - // request. - Timeout *duration.Duration - - // Additional metadata to include in streams initiated to the GrpcService. This can be used for - // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to - // be injected. For more information, including details on header value syntax, see the - // documentation on :ref:`custom request headers - // `. - InitialMetadata []*HeaderValue -} - // Overrides that may be set on a per-route basis type ExtProcOverrides struct { // Set a different processing mode for this route than the default. ProcessingMode *ProcessingMode + // Set a different gRPC service for this route than the default. - GrpcService *GrpcService + ExtProcService *ExtensionCluster + ResponseTimeout *timeout.Setting } type ProcessingMode struct { diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index bef5fbd86c0..2f067136423 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -935,7 +935,13 @@ func (p *HTTPProxyProcessor) computeRoutes( // policy, let that override. if route.ExtProcPolicy != nil { disabled = route.ExtProcPolicy.Disabled - r.ExtProcOverrides = toExtProcOverrides(route.ExtProcPolicy.Overrides) + if route.ExtProcPolicy.Overrides != nil { + overrides := toExtProcOverrides(route.ExtProcPolicy.Overrides, validCond, proxy.Namespace, p.dag.GetExtensionCluster) + if overrides == nil { + return nil + } + r.ExtProcOverrides = overrides + } } r.ExtProcDisabled = disabled } 
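Review bot: The per-route override in the computeRoutes hunk resolves `route.ExtProcPolicy.Overrides.GRPCService.ExtensionServiceRef` against `proxy.Namespace`, so if `proxy` is the HTTPProxy currently being walked (a delegated child rather than the root) the owner of a delegated proxy can point the external processing stream for their routes at an ExtensionService of their choosing, which appears broader than what the existing route-level authorization policy (disable and context only) allows. Whether that is intended should be decided explicitly and documented on `ExtProcOverride.GRPCService`; if it is not, resolve the reference against the root proxy's namespace or limit overrides to `ProcessingMode`. The `return nil` inside the loop invalidates the whole route set on one bad override, which matches how other validation failures here behave but deserves a comment such as `// an invalid override is a proxy-level error; validateExtensionService already recorded it on validCond` since the reader has to know the condition was set. In the dag.go hunk on this line, `ResponseTimeout *timeout.Setting` is a pointer that the envoy route code later dereferences unconditionally; since it is only produced alongside ok==true, a value type would encode that invariant instead of leaving a nil to guard against. computeRoutes starts and ends outside this hunk.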
@@ -1166,12 +1172,34 @@ func (p *HTTPProxyProcessor) computeRoutes( return routes } -func toExtProcOverrides(override *contour_api_v1.ExtProcOverride) *ExtProcOverrides { - return &ExtProcOverrides{ - ProcessingMode: ToProcessingMode(override.ProcessingMode), +func toExtProcOverrides( + override *contour_api_v1.ExtProcOverride, + validCond *contour_api_v1.DetailedCondition, + defaultNamespace string, + extClusterGetter func(name string) *ExtensionCluster, +) *ExtProcOverrides { + ok, extSvc := validateExtensionService( + defaultExtensionRef(override.GRPCService.ExtensionServiceRef), + validCond, + defaultNamespace, + contour_api_v1.ConditionTypeExtProcError, + extClusterGetter) + if !ok { + return nil + } + ok, respTimeout := determineExtensionServiceTimeout( + contour_api_v1.ConditionTypeExtProcError, + override.GRPCService.ResponseTimeout, + validCond, + extSvc) + if !ok { + return nil + } - //TODO: lewgun - //GrpcService: GrpcService(v.GRPCService.ExtensionServiceRef.Name, extProc.ExtProcService.SNI, extProc.ResponseTimeout), &GrpcService{}, + return &ExtProcOverrides{ + ProcessingMode: ToProcessingMode(override.ProcessingMode), + ExtProcService: extSvc, + ResponseTimeout: respTimeout, } } 
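Review bot: `override.GRPCService` is dereferenced in the first statement, but `ExtProcOverride.GRPCService` is a pointer marked `+optional` in the httpproxy.go hunks later in this series, so an override that sets only `processingMode` makes the DAG builder panic on user-supplied CRD content. Guard it first, either by treating a nil `GRPCService` as "keep the virtual host's processor" and returning an override that carries only `ProcessingMode`, or by recording an error on `validCond` under `contour_api_v1.ConditionTypeExtProcError` and returning nil, i.e. `if override.GRPCService == nil { /* record the condition */ return nil }` ahead of `validateExtensionService`. `ToProcessingMode(override.ProcessingMode)` also receives an optional pointer; if it does not handle nil itself, the same guard applies there. A doc comment on the function should state that a nil return means validCond has already been updated, since that is what the caller relies on.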
@@ -1421,24 +1449,27 @@ func (p *HTTPProxyProcessor) rootAllowed(namespace string) bool { return false } -func (p *HTTPProxyProcessor) computeVirtualHostAuthorization(auth *contour_api_v1.AuthorizationServer, validCond *contour_api_v1.DetailedCondition, httpproxy *contour_api_v1.HTTPProxy) *ExternalAuthorization { - ok, ext := validateExtensionService( +func (p *HTTPProxyProcessor) computeVirtualHostAuthorization( + auth *contour_api_v1.AuthorizationServer, + validCond *contour_api_v1.DetailedCondition, + httpproxy *contour_api_v1.HTTPProxy) *ExternalAuthorization { + ok, extSvc := validateExtensionService( defaultExtensionRef(auth.ExtensionServiceRef), validCond, - httpproxy, + httpproxy.Namespace, contour_api_v1.ConditionTypeAuthError, p.dag.GetExtensionCluster) if !ok { return nil } - ok, respTimeout := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeAuthError, auth.ResponseTimeout, validCond, ext) + ok, respTimeout := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeAuthError, auth.ResponseTimeout, validCond, extSvc) if !ok { return nil } extAuth := &ExternalAuthorization{ - AuthorizationService: ext, + AuthorizationService: extSvc, AuthorizationFailOpen: auth.FailOpen, AuthorizationResponseTimeout: *respTimeout, } @@ -1467,7 +1498,7 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( ok, extSvc := validateExtensionService( defaultExtensionRef(proc.GRPCService.ExtensionServiceRef), validCond, - httpproxy, + httpproxy.Namespace, contour_api_v1.ConditionTypeExtProcError, p.dag.GetExtensionCluster) if !ok { 
@@ -1497,9 +1528,9 @@ const extSvcNotFound = "%s extension service %q not found" func validateExtensionService( ref contour_api_v1.ExtensionServiceReference, validCond *contour_api_v1.DetailedCondition, - httpproxy *contour_api_v1.HTTPProxy, + defaultNamespace string, errorType string, - extensionClusterGetter func(name string) *ExtensionCluster, + extClusterGetter func(name string) *ExtensionCluster, ) (bool, *ExtensionCluster) { if ref.APIVersion != contour_api_v1alpha1.GroupVersion.String() { reason := "AuthBadResourceVersion" @@ -1516,10 +1547,10 @@ func validateExtensionService( // Lookup the extension service reference. extensionName := types.NamespacedName{ Name: ref.Name, - Namespace: stringOrDefault(ref.Namespace, httpproxy.Namespace), + Namespace: stringOrDefault(ref.Namespace, defaultNamespace), } - ext := extensionClusterGetter(ExtensionClusterName(extensionName)) + ext := extClusterGetter(ExtensionClusterName(extensionName)) if ext == nil { field := "Spec.Virtualhost.Authorization.ServiceRef" if errorType == contour_api_v1.ConditionTypeExtProcError { @@ -1531,12 +1562,16 @@ func validateExtensionService( return true, ext } -const extSvcRespTimeoutFormat = "%s is invalid: %q" +const extSvcRespTimeoutFormat = "%s is invalid: %q" -func determineExtensionServiceTimeout(errorType string, responseTimeout string, validCond *contour_api_v1.DetailedCondition, ext *ExtensionCluster) (bool, *timeout.Setting) { - tout, err := timeout.Parse(responseTimeout) - if err != nil { +func determineExtensionServiceTimeout( + errorType string, + respTimeout string, + validCond *contour_api_v1.DetailedCondition, + ext *ExtensionCluster) (bool, *timeout.Setting) { + tout, err := timeout.Parse(respTimeout) + if err != nil { reason := "AuthResponseTimeoutInvalid" field := "Spec.Virtualhost.Authorization.ResponseTimeout" 
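Review bot: `validateExtensionService` and `determineExtensionServiceTimeout` are generalised here to take an `errorType`, but the condition reasons they record stay authorization-specific: `reason := "AuthBadResourceVersion"` in the first hunk and `reason := "AuthResponseTimeoutInvalid"` with `field := "Spec.Virtualhost.Authorization.ResponseTimeout"` in the third, while only the not-found path in the second hunk switches the field on `ConditionTypeExtProcError`. An HTTPProxy with a bad ext_proc timeout therefore reports an Auth* reason pointing at the Authorization field, which misdirects whoever is debugging the status. Select both reason and field from `errorType` in each function the way the not-found branch does, and note that for route-level overrides the real field path is under `Spec.Routes[].ExtProcPolicy.Overrides`, not `Spec.Virtualhost`. The `extSvcRespTimeoutFormat` change appears to be whitespace only. The third hunk's error-reporting tail is not fully visible here.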
@@ -2042,6 +2077,10 @@ func routeExtProcValid(policy *contour_api_v1.ExtProcPolicy) error { if policy.Overrides != nil && policy.Disabled { return fmt.Errorf("cannot specify both ExtProcPolicy.Overrides and ExtProcPolicy.Disabled ") } + + if policy.Disabled { + return nil + } return nil } diff --git a/internal/dag/httpproxy_processor_test.go b/internal/dag/httpproxy_processor_test.go index 3f215d01a61..f5c8b575e6a 100644 --- a/internal/dag/httpproxy_processor_test.go +++ b/internal/dag/httpproxy_processor_test.go @@ -803,7 +803,7 @@ func TestValidateExternalAuthExtensionService(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { validCond := &contour_api_v1.DetailedCondition{} - gotBool, got := validateExtensionService(tc.ref, validCond, tc.httpproxy, contour_api_v1.ConditionTypeAuthError, tc.getExtensionCluster) + gotBool, got := validateExtensionService(tc.ref, validCond, tc.httpproxy.Namespace, contour_api_v1.ConditionTypeAuthError, tc.getExtensionCluster) require.Equal(t, tc.want, got) require.Equal(t, tc.wantBool, gotBool) require.Equal(t, tc.wantValidCond, validCond) diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go index 1ccbe48cda8..57f73062a73 100644 --- a/internal/envoy/v3/route.go +++ b/internal/envoy/v3/route.go 
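Review bot: The added `if policy.Disabled { return nil }` immediately precedes an unconditional `return nil`, so it is dead code and should be dropped; if the intent was to skip validating `Overrides` when the policy is disabled, the preceding check already returns an error when both are set, so there is nothing left to skip. The error string above it carries a trailing space before the closing quote (`...ExtProcPolicy.Disabled "`), which will appear verbatim in the status condition. routeExtProcValid's signature is in the hunk header and its body ends here.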
@@ -198,11 +198,22 @@ func routeExtProcDisabled() *anypb.Any { } func routeExtProcOverrides(overrides *dag.ExtProcOverrides) *anypb.Any { + pm := &envoy_config_filter_http_ext_proc_v3.ProcessingMode{ + RequestHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.RequestHeaderMode), + ResponseHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.ResponseHeaderMode), + RequestBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(overrides.ProcessingMode.RequestBodyMode), + ResponseBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(overrides.ProcessingMode.ResponseBodyMode), + RequestTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.RequestTrailerMode), + ResponseTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.ResponseTrailerMode), + } + return protobuf.MustMarshalAny( &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute{ Override: &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute_Overrides{ - // TODO: lewgun - //Overrides: true, + Overrides: &envoy_config_filter_http_ext_proc_v3.ExtProcOverrides{ + ProcessingMode: pm, + GrpcService: GrpcService(overrides.ExtProcService.Name, overrides.ExtProcService.SNI, *overrides.ResponseTimeout), + }, }, }, ) From ca308a46c0f94dc005726bceb1f5a224e9def217 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Mon, 9 Oct 2023 14:00:52 +0800 Subject: [PATCH 03/31] insert extProc by phase(TODO) Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index 732a740ecb1..46ce3e674a5 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go 
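Review bot: `overrides.ProcessingMode` and `overrides.ResponseTimeout` are dereferenced without nil checks; `ExtProcOverrides.ProcessingMode` is a pointer filled from `ToProcessingMode(override.ProcessingMode)`, whose input is an `+optional` CRD field, so unless ToProcessingMode is guaranteed to return non-nil (not visible here) an override that sets only `grpcService` panics during xDS generation. Guard with `if overrides.ProcessingMode != nil { ... }` and set `ProcessingMode: pm` only in that case, and handle a nil `ResponseTimeout` the same way instead of `*overrides.ResponseTimeout`. The six `ProcessingMode_HeaderSendMode(...)`/`ProcessingMode_BodySendMode(...)` conversions rely on the dag enum numbering matching the Envoy proto; a comment stating that dependency, or one shared mapping function also used by the virtual-host path, would keep the two from drifting silently. The function also needs a doc comment saying whether `overrides` may be nil, e.g. `// routeExtProcOverrides builds the per-route ext_proc override; overrides must be non-nil.`.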
@@ -391,10 +391,31 @@ type GRPCService struct { FailOpen bool `json:"failOpen,omitempty"` } +type ProcessingPhase string + +const ( + UnspecifiedPhase ProcessingPhase = "UnspecifiedPhase" + AuthN ProcessingPhase = "AuthN" + AuthZ ProcessingPhase = "AuthZ" + CORS ProcessingPhase = "CORS" + RateLimit ProcessingPhase = "RateLimit" +) + // The External Processing filter allows an external service to act on HTTP traffic in a flexible way // The external server must implement the v3 Envoy // external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). type ExtProc struct { + + // TODO: lewgun + // https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + // Phase determines where in the filter chain this extProc is to be injected. + Phase ProcessingPhase + + // Priority determines ordering of extProc in the same phase. When multiple extProc are applied to the same workload in the same phase, + // they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, + // they will follow the order in which extProc(s) are added, Defaults to 0. + Priority int32 + // // +optional GRPCService *GRPCService From f7a19060d218f93b5e3736f3359f0fd0e113a637 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Mon, 9 Oct 2023 16:48:52 +0800 Subject: [PATCH 04/31] make generate 
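Review bot: The new exported constants `AuthN`, `AuthZ`, `CORS` and `RateLimit` are very generic names for a public API package that already has CORS and rate-limit policy types; prefixing them with the type (`PhaseAuthN`, `PhaseAuthZ`, `PhaseCORS`, `PhaseRateLimit`) makes their purpose clear at call sites and avoids confusion with those types. `ProcessingPhase` and each constant lack the doc comment the exported-name convention calls for, and nothing says what `UnspecifiedPhase` resolves to at runtime. The type also has no `+kubebuilder:validation:Enum` marker, so any string is admitted for `phase`; the later httpproxy.go hunk that adds the json tags is the natural place to add it.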
Signed-off-by: gang.liu --- Makefile | 3 +- apis/projectcontour/v1/httpproxy.go | 63 +- .../v1/zz_generated.deepcopy.go | 158 ++++ .../v1alpha1/zz_generated.deepcopy.go | 5 + examples/contour/01-crds.yaml | 815 ++++++++++++++++++ examples/render/contour-deployment.yaml | 815 ++++++++++++++++++ .../render/contour-gateway-provisioner.yaml | 815 ++++++++++++++++++ examples/render/contour-gateway.yaml | 815 ++++++++++++++++++ examples/render/contour.yaml | 815 ++++++++++++++++++ .../docs/main/config/api-reference.html | 671 +++++++++++++- 10 files changed, 4954 insertions(+), 21 deletions(-) diff --git a/Makefile b/Makefile index 385325be2bf..df568f70fd7 100644 --- a/Makefile +++ b/Makefile @@ -225,7 +225,8 @@ lint-flags: .PHONY: generate generate: ## Re-generate generated code and documentation -generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go +# generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go +generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go .PHONY: generate-rbac generate-rbac: diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index 46ce3e674a5..00036684dbf 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go 
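Review bot: `generate-gateway-yaml` is dropped from the `generate` target by leaving the old recipe line commented out rather than removing or repairing it, so `make generate` silently stops refreshing the Gateway manifests while the commented line suggests it still should. If this change breaks that step, the fix belongs in that target or its inputs, not in disabling it; if the removal is intentional, delete the commented line and say why in the commit message. As it stands the Gateway-related manifests listed in this commit's diffstat may drift from the CRDs on the next regeneration.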
@@ -329,42 +329,64 @@ type HeaderMutationRules struct { // filters or request routing cannot be modified. These headers are // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter // to true allows these headers to be modified as well. - AllowAllRouting bool + // + // +optional + AllowAllRouting bool `json:"allowAllRouting,omitempty"` // If true, allow modification of envoy internal headers. By default, these // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` // configuration. Default is false. - AllowEnvoy bool + // + // +optional + AllowEnvoy bool `json:"allowEnvoy,omitempty"` // If true, prevent modification of any system header, defined as a header // that starts with a ``:`` character, regardless of any other settings. // A processing server may still override the ``:status`` of an HTTP response // using an ``ImmediateResponse`` message. Default is false. - DisallowSystem bool + // + // +optional + DisallowSystem bool `json:"disallowSystem,omitempty"` // If true, prevent modifications of all header values, regardless of any // other settings. A processing server may still override the ``:status`` // of an HTTP response using an ``ImmediateResponse`` message. Default is false. - DisallowAll bool + // + // +optional + DisallowAll bool `json:"disallowAll,omitempty"` // If true, and if the rules in this list cause a header mutation to be // disallowed, then the filter using this configuration will terminate the // request with a 500 error. In addition, regardless of the setting of this // parameter, any attempt to set, add, or modify a disallowed header will // cause the ``rejected_header_mutations`` counter to be incremented. // Default is false. - DisallowIsError bool + // + // +optional + DisallowIsError bool `json:"disallowIsError,omitempty"` } type ProcessingMode struct { // How to handle the request header. Default is "SEND". 
- RequestHeaderMode HeaderSendMode + // + // +optional + RequestHeaderMode HeaderSendMode `json:"requestHeaderMode,omitempty"` // How to handle the response header. Default is "SEND". - ResponseHeaderMode HeaderSendMode + // + // +optional + ResponseHeaderMode HeaderSendMode `json:"responseHeaderMode,omitempty"` // How to handle the request body. Default is "NONE". - RequestBodyMode BodySendMode + // + // +optional + RequestBodyMode BodySendMode `json:"requestBodyMode,omitempty"` // How do handle the response body. Default is "NONE". - ResponseBodyMode BodySendMode + // + // +optional + ResponseBodyMode BodySendMode `json:"responseBodyMode,omitempty"` // How to handle the request trailers. Default is "SKIP". - RequestTrailerMode HeaderSendMode + // + // +optional + RequestTrailerMode HeaderSendMode `json:"requestTrailerMode,omitempty"` // How to handle the response trailers. Default is "SKIP". - ResponseTrailerMode HeaderSendMode + // + // +optional + ResponseTrailerMode HeaderSendMode `json:"responseTrailerMode,omitempty"` } type GRPCService struct { 
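Review bot: The `ProcessingMode` field comments say the defaults are "SEND", "NONE" and "SKIP", but `HeaderSendMode`/`BodySendMode` are integer-typed in the API (the CRD later in this series renders them as `format: int32 type: integer`) and no `+kubebuilder:validation:Enum` marker is present, so users are told string names for a field that accepts any int32, including values Envoy's config validation may reject. Either make the modes string enums with an Enum marker or document the numeric values in each comment. For `HeaderMutationRules`, `AllowAllRouting` and `AllowEnvoy` widen what the external processor may rewrite (`host`, `:authority`, `:scheme`, `:method`, `x-envoy-*`), so each comment should state that the default false is the restrictive setting rather than only describing what true permits. Adding `omitempty` to the bool fields is consistent with false being the documented default. `HeaderMutationRules` begins above this hunk.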
@@ -409,31 +431,34 @@ type ExtProc struct { // TODO: lewgun // https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase // Phase determines where in the filter chain this extProc is to be injected. - Phase ProcessingPhase + // + // +optional + Phase ProcessingPhase `json:"phase,omitempty"` // Priority determines ordering of extProc in the same phase. When multiple extProc are applied to the same workload in the same phase, // they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, // they will follow the order in which extProc(s) are added, Defaults to 0. - Priority int32 - // // +optional - GRPCService *GRPCService + Priority int32 `json:"priority,omitempty"` + // + // +optional + GRPCService *GRPCService `json:"grpcService,omitempty"` // // +optional - ProcessingMode *ProcessingMode + ProcessingMode *ProcessingMode `json:"processingMode,omitempty"` // // +optional - MutationRules *HeaderMutationRules + MutationRules *HeaderMutationRules `json:"mutationRules,omitempty"` } type ExtProcOverride struct { // // +optional - GRPCService *GRPCService + GRPCService *GRPCService `json:"grpcService,omitempty"` // // +optional - ProcessingMode *ProcessingMode + ProcessingMode *ProcessingMode `json:"processingMode,omitempty"` } type ExternalProcessor struct { diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go index 3c3537ef24e..cb360528096 100644 --- a/apis/projectcontour/v1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1/zz_generated.deepcopy.go 
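Review bot: `Phase ProcessingPhase` accepts any string: the `ProcessingPhase` constants defined in the earlier httpproxy.go hunk have no `+kubebuilder:validation:Enum=UnspecifiedPhase;AuthN;AuthZ;CORS;RateLimit` marker, so a typo in `phase` is admitted by the API server and its effect depends on how the DAG treats unknown values. Add the marker to the type or field and document what an omitted phase defaults to. The field's doc comment still starts with `// TODO: lewgun` and a link to Istio's WasmPlugin page; controller-gen copies field comments into CRD descriptions, so the placeholder will surface in `kubectl explain` and should be replaced with a description of the phases. The same `//TODO: lewgun` placeholder appears in `test/e2e/deployment.go` earlier in the series. The `Priority` comment is good as written; with `omitempty` an explicit 0 and an absent value are indistinguishable, which matches the stated default.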
@@ -268,6 +268,81 @@ func (in *DownstreamValidation) DeepCopy() *DownstreamValidation { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtProc) DeepCopyInto(out *ExtProc) { + *out = *in + if in.GRPCService != nil { + in, out := &in.GRPCService, &out.GRPCService + *out = new(GRPCService) + **out = **in + } + if in.ProcessingMode != nil { + in, out := &in.ProcessingMode, &out.ProcessingMode + *out = new(ProcessingMode) + **out = **in + } + if in.MutationRules != nil { + in, out := &in.MutationRules, &out.MutationRules + *out = new(HeaderMutationRules) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProc. +func (in *ExtProc) DeepCopy() *ExtProc { + if in == nil { + return nil + } + out := new(ExtProc) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtProcOverride) DeepCopyInto(out *ExtProcOverride) { + *out = *in + if in.GRPCService != nil { + in, out := &in.GRPCService, &out.GRPCService + *out = new(GRPCService) + **out = **in + } + if in.ProcessingMode != nil { + in, out := &in.ProcessingMode, &out.ProcessingMode + *out = new(ProcessingMode) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProcOverride. +func (in *ExtProcOverride) DeepCopy() *ExtProcOverride { + if in == nil { + return nil + } + out := new(ExtProcOverride) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ExtProcPolicy) DeepCopyInto(out *ExtProcPolicy) { + *out = *in + if in.Overrides != nil { + in, out := &in.Overrides, &out.Overrides + *out = new(ExtProcOverride) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProcPolicy. +func (in *ExtProcPolicy) DeepCopy() *ExtProcPolicy { + if in == nil { + return nil + } + out := new(ExtProcPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtensionServiceReference) DeepCopyInto(out *ExtensionServiceReference) { *out = *in 
@@ -283,6 +358,49 @@ func (in *ExtensionServiceReference) DeepCopy() *ExtensionServiceReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalProcessor) DeepCopyInto(out *ExternalProcessor) { + *out = *in + if in.Processors != nil { + in, out := &in.Processors, &out.Processors + *out = make([]ExtProc, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ExtProcPolicy != nil { + in, out := &in.ExtProcPolicy, &out.ExtProcPolicy + *out = new(ExtProcPolicy) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalProcessor. +func (in *ExternalProcessor) DeepCopy() *ExternalProcessor { + if in == nil { + return nil + } + out := new(ExternalProcessor) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GRPCService) DeepCopyInto(out *GRPCService) { + *out = *in + out.ExtensionServiceRef = in.ExtensionServiceRef +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCService. +func (in *GRPCService) DeepCopy() *GRPCService { + if in == nil { + return nil + } + out := new(GRPCService) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenericKeyDescriptor) DeepCopyInto(out *GenericKeyDescriptor) { *out = *in 
@@ -586,6 +704,21 @@ func (in *HeaderMatchCondition) DeepCopy() *HeaderMatchCondition { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HeaderMutationRules) DeepCopyInto(out *HeaderMutationRules) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderMutationRules. +func (in *HeaderMutationRules) DeepCopy() *HeaderMutationRules { + if in == nil { + return nil + } + out := new(HeaderMutationRules) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HeaderValue) DeepCopyInto(out *HeaderValue) { *out = *in @@ -786,6 +919,21 @@ func (in *PathRewritePolicy) DeepCopy() *PathRewritePolicy { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProcessingMode) DeepCopyInto(out *ProcessingMode) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessingMode. +func (in *ProcessingMode) DeepCopy() *ProcessingMode { + if in == nil { + return nil + } + out := new(ProcessingMode) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *QueryParameterHashOptions) DeepCopyInto(out *QueryParameterHashOptions) { *out = *in @@ -1132,6 +1280,11 @@ func (in *Route) DeepCopyInto(out *Route) { *out = make([]IPFilterPolicy, len(*in)) copy(*out, *in) } + if in.ExtProcPolicy != nil { + in, out := &in.ExtProcPolicy, &out.ExtProcPolicy + *out = new(ExtProcPolicy) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Route. 
@@ -1486,6 +1639,11 @@ func (in *VirtualHost) DeepCopyInto(out *VirtualHost) { *out = make([]IPFilterPolicy, len(*in)) copy(*out, *in) } + if in.ExternalProcessor != nil { + in, out := &in.ExternalProcessor, &out.ExternalProcessor + *out = new(ExternalProcessor) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualHost. diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go index d889c429aa5..f3a7092abd7 100644 --- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go @@ -179,6 +179,11 @@ func (in *ContourConfigurationSpec) DeepCopyInto(out *ContourConfigurationSpec) *out = new(v1.AuthorizationServer) (*in).DeepCopyInto(*out) } + if in.GlobalExternalProcessor != nil { + in, out := &in.GlobalExternalProcessor, &out.GlobalExternalProcessor + *out = new(v1.ExternalProcessor) + (*in).DeepCopyInto(*out) + } if in.RateLimitService != nil { in, out := &in.RateLimitService, &out.RateLimitService *out = new(RateLimitServiceConfig) diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 98b9fe9cebd..f553ab15da6 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml 
@@ -555,6 +555,244 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual routes. + for the default global external processor, it's must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the + resource that targets the referent will be used. + \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from internal + authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. 
Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a valid + input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing GRPC + protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the resource + that targets the referent will be used. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the authorization + server fails to respond. This field should not be + set in most cases. It is intended for use only while + migrating applications from internal authorization + to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", + "m", "h". The string "infinity" is also a valid input + and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are ``host``, + ``:authority``, ``:scheme``, and ``:method``. Setting + this parameter to true allows these headers to be + modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy internal + headers. By default, these start with ``x-envoy`` + but this may be overridden in the ``Bootstrap`` configuration. + Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all header + values, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then the + filter using this configuration will terminate the + request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt to set, + add, or modify a disallowed header will cause the + ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any system + header, defined as a header that starts with a ``:`` + character, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc in + the same phase. When multiple extProc are applied to the + same workload in the same phase, they will be applied + by priority, in descending order, If priority is not set + or two extProc exist with the same value, they will follow + the order in which extProc(s) are added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. Default + is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 
@@ -4005,6 +4243,249 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", 
@@ -5399,6 +5880,97 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean + extProcPolicy: + description: ExtProcPolicy updates the external processing policy + that was set on the root HTTPProxy object for client requests/responses + that match this route. + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). 
+ Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -6927,6 +7499,249 @@ spec: - allowMethods - allowOrigin type: object + externalProcessor: + description: ExternalProcessor are a list of external processors + which allow to act on HTTP traffic in a flexible way. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object fqdn: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 4caa7156abd..b0280b47287 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -774,6 +774,244 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual routes. + for the default global external processor, it's must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the + resource that targets the referent will be used. + \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from internal + authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. 
Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a valid + input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing GRPC + protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the resource + that targets the referent will be used. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the authorization + server fails to respond. This field should not be + set in most cases. It is intended for use only while + migrating applications from internal authorization + to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", + "m", "h". The string "infinity" is also a valid input + and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are ``host``, + ``:authority``, ``:scheme``, and ``:method``. Setting + this parameter to true allows these headers to be + modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy internal + headers. By default, these start with ``x-envoy`` + but this may be overridden in the ``Bootstrap`` configuration. + Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all header + values, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then the + filter using this configuration will terminate the + request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt to set, + add, or modify a disallowed header will cause the + ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any system + header, defined as a header that starts with a ``:`` + character, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc in + the same phase. When multiple extProc are applied to the + same workload in the same phase, they will be applied + by priority, in descending order, If priority is not set + or two extProc exist with the same value, they will follow + the order in which extProc(s) are added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. Default + is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 
@@ -4224,6 +4462,249 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", 
@@ -5618,6 +6099,97 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean + extProcPolicy: + description: ExtProcPolicy updates the external processing policy + that was set on the root HTTPProxy object for client requests/responses + that match this route. + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). 
+ Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7146,6 +7718,249 @@ spec: - allowMethods - allowOrigin type: object + externalProcessor: + description: ExternalProcessor are a list of external processors + which allow to act on HTTP traffic in a flexible way. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object fqdn: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index b0097c823ca..152fb177ca5 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -566,6 +566,244 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual routes. + for the default global external processor, it's must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the + resource that targets the referent will be used. + \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from internal + authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. 
Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a valid + input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing GRPC + protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the resource + that targets the referent will be used. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the authorization + server fails to respond. This field should not be + set in most cases. It is intended for use only while + migrating applications from internal authorization + to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", + "m", "h". The string "infinity" is also a valid input + and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are ``host``, + ``:authority``, ``:scheme``, and ``:method``. Setting + this parameter to true allows these headers to be + modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy internal + headers. By default, these start with ``x-envoy`` + but this may be overridden in the ``Bootstrap`` configuration. + Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all header + values, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then the + filter using this configuration will terminate the + request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt to set, + add, or modify a disallowed header will cause the + ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any system + header, defined as a header that starts with a ``:`` + character, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc in + the same phase. When multiple extProc are applied to the + same workload in the same phase, they will be applied + by priority, in descending order, If priority is not set + or two extProc exist with the same value, they will follow + the order in which extProc(s) are added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. Default + is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 
@@ -4016,6 +4254,249 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", 
@@ -5410,6 +5891,97 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean + extProcPolicy: + description: ExtProcPolicy updates the external processing policy + that was set on the root HTTPProxy object for client requests/responses + that match this route. + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). 
+ Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -6938,6 +7510,249 @@ spec: - allowMethods - allowOrigin type: object + externalProcessor: + description: ExternalProcessor are a list of external processors + which allow to act on HTTP traffic in a flexible way. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object fqdn: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 9843bce947b..b911a8802d0 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -777,6 +777,244 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual routes. + for the default global external processor, it's must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the + resource that targets the referent will be used. + \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from internal + authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. 
Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a valid + input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing GRPC + protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the resource + that targets the referent will be used. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the authorization + server fails to respond. This field should not be + set in most cases. It is intended for use only while + migrating applications from internal authorization + to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", + "m", "h". The string "infinity" is also a valid input + and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are ``host``, + ``:authority``, ``:scheme``, and ``:method``. Setting + this parameter to true allows these headers to be + modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy internal + headers. By default, these start with ``x-envoy`` + but this may be overridden in the ``Bootstrap`` configuration. + Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all header + values, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then the + filter using this configuration will terminate the + request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt to set, + add, or modify a disallowed header will cause the + ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any system + header, defined as a header that starts with a ``:`` + character, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc in + the same phase. When multiple extProc are applied to the + same workload in the same phase, they will be applied + by priority, in descending order, If priority is not set + or two extProc exist with the same value, they will follow + the order in which extProc(s) are added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. Default + is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 
@@ -4227,6 +4465,249 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", 
@@ -5621,6 +6102,97 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean + extProcPolicy: + description: ExtProcPolicy updates the external processing policy + that was set on the root HTTPProxy object for client requests/responses + that match this route. + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). 
+ Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7149,6 +7721,249 @@ spec: - allowMethods - allowOrigin type: object + externalProcessor: + description: ExternalProcessor are a list of external processors + which allow to act on HTTP traffic in a flexible way. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object fqdn: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index f5fdc105ce2..e6574da2e0d 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -774,6 +774,244 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual routes. + for the default global external processor, it's must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the + resource that targets the referent will be used. + \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from internal + authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. 
Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a valid + input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing GRPC + protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this + field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this + field is not specifies, the namespace of the resource + that targets the referent will be used. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the authorization + server fails to respond. This field should not be + set in most cases. It is intended for use only while + migrating applications from internal authorization + to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time + to wait for a check response from the authorization + server. Timeout durations are expressed in the Go + [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", + "m", "h". The string "infinity" is also a valid input + and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are ``host``, + ``:authority``, ``:scheme``, and ``:method``. Setting + this parameter to true allows these headers to be + modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy internal + headers. By default, these start with ``x-envoy`` + but this may be overridden in the ``Bootstrap`` configuration. + Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all header + values, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then the + filter using this configuration will terminate the + request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt to set, + add, or modify a disallowed header will cause the + ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any system + header, defined as a header that starts with a ``:`` + character, regardless of any other settings. A processing + server may still override the ``:status`` of an HTTP + response using an ``ImmediateResponse`` message. Default + is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc in + the same phase. When multiple extProc are applied to the + same workload in the same phase, they will be applied + by priority, in descending order, If priority is not set + or two extProc exist with the same value, they will follow + the order in which extProc(s) are added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. Default + is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. Default + is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. Default + is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 
@@ -4224,6 +4462,249 @@ spec: type: boolean type: object type: object + globalExternalProcessor: + description: GlobalExternalProcessor allows envoys external processing + filters to be enabled for all virtual hosts. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object health: description: "Health defines the endpoints Contour uses to serve health checks. \n Contour's default is { address: \"0.0.0.0\", 
@@ -5618,6 +6099,97 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean + extProcPolicy: + description: ExtProcPolicy updates the external processing policy + that was set on the root HTTPProxy object for client requests/responses + that match this route. + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). 
+ Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7146,6 +7718,249 @@ spec: - allowMethods - allowOrigin type: object + externalProcessor: + description: ExternalProcessor are a list of external processors + which allow to act on HTTP traffic in a flexible way. + properties: + extProcPolicy: + description: ExtProcPolicy sets a external processing policy. + This policy will be used unless overridden by individual + routes. for the default global external processor, it's + must be nil + properties: + disabled: + description: When true, this field disables client request + external processing for the scope of the policy. + type: boolean + overrides: + description: for global external processing, it's not + exists + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will authorize client + requests. + properties: + apiVersion: + description: API version of the referent. + If this field is not specified, the default + "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if + the authorization server fails to respond. This + field should not be set in most cases. It is + intended for use only while migrating applications + from internal authorization to Contour external + authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. 
Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also + a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. + Default is "SEND". + format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. + Default is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: object + processors: + items: + description: The External Processing filter allows an external + service to act on HTTP traffic in a flexible way The external + server must implement the v3 Envoy external processing + GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + properties: + grpcService: + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If + this field is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. 
\n More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If + this field is not specifies, the namespace + of the resource that targets the referent + will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request + is forwarded to the upstream service even if the + authorization server fails to respond. This field + should not be set in most cases. It is intended + for use only while migrating applications from + internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum + time to wait for a check response from the authorization + server. Timeout durations are expressed in the + Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", + "s", "m", "h". The string "infinity" is also a + valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + properties: + allowAllRouting: + description: By default, certain headers that could + affect processing of subsequent filters or request + routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers + to be modified as well. + type: boolean + allowEnvoy: + description: If true, allow modification of envoy + internal headers. By default, these start with + ``x-envoy`` but this may be overridden in the + ``Bootstrap`` configuration. Default is false. 
+ type: boolean + disallowAll: + description: If true, prevent modifications of all + header values, regardless of any other settings. + A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + disallowIsError: + description: If true, and if the rules in this list + cause a header mutation to be disallowed, then + the filter using this configuration will terminate + the request with a 500 error. In addition, regardless + of the setting of this parameter, any attempt + to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter + to be incremented. Default is false. + type: boolean + disallowSystem: + description: If true, prevent modification of any + system header, defined as a header that starts + with a ``:`` character, regardless of any other + settings. A processing server may still override + the ``:status`` of an HTTP response using an ``ImmediateResponse`` + message. Default is false. + type: boolean + type: object + phase: + description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase + Phase determines where in the filter chain this extProc + is to be injected.' + type: string + priority: + description: Priority determines ordering of extProc + in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will + be applied by priority, in descending order, If priority + is not set or two extProc exist with the same value, + they will follow the order in which extProc(s) are + added, Defaults to 0. + format: int32 + type: integer + processingMode: + properties: + requestBodyMode: + description: How to handle the request body. Default + is "NONE". + format: int32 + type: integer + requestHeaderMode: + description: How to handle the request header. Default + is "SEND". 
+ format: int32 + type: integer + requestTrailerMode: + description: How to handle the request trailers. + Default is "SKIP". + format: int32 + type: integer + responseBodyMode: + description: How do handle the response body. Default + is "NONE". + format: int32 + type: integer + responseHeaderMode: + description: How to handle the response header. + Default is "SEND". + format: int32 + type: integer + responseTrailerMode: + description: How to handle the response trailers. + Default is "SKIP". + format: int32 + type: integer + type: object + type: object + type: array + type: object fqdn: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index b91773147ef..41c0ee11835 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -482,6 +482,41 @@

AuthorizationSer +

BodySendMode +(int32 alias)

+

+(Appears on: +ProcessingMode) +

+

+

Control how the request and response bodies are handled

+

+ + + + + + + + + + + + + + + + +
ValueDescription

2

Buffer the message body in memory and send the entire body at once. +If the body exceeds the configured buffer limit, then the +downstream system will receive an error.

+

3

Buffer the message body in memory and send the entire body in one +chunk. If the body exceeds the configured buffer limit, then the body contents +up to the buffer limit will be sent.

+

0

Do not send the body at all. This is the default.

+

1

Stream the body to the server in pieces as they arrive at the +proxy.

+

CORSHeaderValue (string alias)

@@ -1115,11 +1150,202 @@

DownstreamValidation +

ExtProc +

+

+(Appears on: +ExternalProcessor) +

+

+

The External Processing filter allows an external service to act on HTTP traffic in a flexible way +The external server must implement the v3 Envoy +external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+phase +
+ + +ProcessingPhase + + +
+(Optional) +

TODO: lewgun +https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase +Phase determines where in the filter chain this extProc is to be injected.

+
+priority +
+ +int32 + +
+(Optional) +

Priority determines ordering of extProc in the same phase. When multiple extProc are applied to the same workload in the same phase, +they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, +they will follow the order in which extProc(s) are added, Defaults to 0.

+
+grpcService +
+ + +GRPCService + + +
+(Optional) +
+processingMode +
+ + +ProcessingMode + + +
+(Optional) +
+mutationRules +
+ + +HeaderMutationRules + + +
+(Optional) +
+

ExtProcOverride +

+

+(Appears on: +ExtProcPolicy) +

+

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+grpcService +
+ + +GRPCService + + +
+(Optional) +
+processingMode +
+ + +ProcessingMode + + +
+(Optional) +
+

ExtProcPolicy +

+

+(Appears on: +ExternalProcessor, +Route) +

+

+

ExtProcPolicy modifies how requests/responses are operated.

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+disabled +
+ +bool + +
+(Optional) +

When true, this field disables client request external processing +for the scope of the policy.

+
+overrides +
+ + +ExtProcOverride + + +
+(Optional) +

for global external processing, it’s not exists

+

ExtensionServiceReference

(Appears on: -AuthorizationServer) +AuthorizationServer, +GRPCService)

ExtensionServiceReference names an ExtensionService resource.

@@ -1176,6 +1402,122 @@

ExtensionServiceReferenc +

ExternalProcessor +

+

+(Appears on: +VirtualHost, +ContourConfigurationSpec) +

+

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+processors +
+ + +[]ExtProc + + +
+(Optional) +
+extProcPolicy +
+ + +ExtProcPolicy + + +
+(Optional) +

ExtProcPolicy sets a external processing policy. +This policy will be used unless overridden by individual routes. +for the default global external processor, it’s must be nil

+
+

GRPCService +

+

+(Appears on: +ExtProc, +ExtProcOverride) +

+

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+extensionRef +
+ + +ExtensionServiceReference + + +
+(Optional) +

ExtensionServiceRef specifies the extension resource that will authorize client requests.

+
+responseTimeout +
+ +string + +
+(Optional) +

ResponseTimeout configures maximum time to wait for a check response from the authorization server. +Timeout durations are expressed in the Go Duration format. +Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. +The string “infinity” is also a valid input and specifies no timeout.

+
+failOpen +
+ +bool + +
+(Optional) +

If FailOpen is true, the client request is forwarded to the upstream service +even if the authorization server fails to respond. This field should not be +set in most cases. It is intended for use only while migrating applications +from internal authorization to Contour external authorization.

+

GenericKeyDescriptor

@@ -2044,6 +2386,133 @@

HeaderMatchCondition +

HeaderMutationRules +

+

+(Appears on: +ExtProc) +

+

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+allowAllRouting +
+ +bool + +
+(Optional) +

By default, certain headers that could affect processing of subsequent +filters or request routing cannot be modified. These headers are +host, :authority, :scheme, and :method. Setting this parameter +to true allows these headers to be modified as well.

+
+allowEnvoy +
+ +bool + +
+(Optional) +

If true, allow modification of envoy internal headers. By default, these +start with x-envoy but this may be overridden in the Bootstrap +configuration. Default is false.

+
+disallowSystem +
+ +bool + +
+(Optional) +

If true, prevent modification of any system header, defined as a header +that starts with a : character, regardless of any other settings. +A processing server may still override the :status of an HTTP response +using an ImmediateResponse message. Default is false.

+
+disallowAll +
+ +bool + +
+(Optional) +

If true, prevent modifications of all header values, regardless of any +other settings. A processing server may still override the :status +of an HTTP response using an ImmediateResponse message. Default is false.

+
+disallowIsError +
+ +bool + +
+(Optional) +

If true, and if the rules in this list cause a header mutation to be +disallowed, then the filter using this configuration will terminate the +request with a 500 error. In addition, regardless of the setting of this +parameter, any attempt to set, add, or modify a disallowed header will +cause the rejected_header_mutations counter to be incremented. +Default is false.

+
+

HeaderSendMode +(int32 alias)

+

+(Appears on: +ProcessingMode) +

+

+

Control how headers and trailers are handled

+

+ + + + + + + + + + + + + + +
ValueDescription

0

The default HeaderSendMode depends on which part of the message is being +processed. By default, request and response headers are sent, +while trailers are skipped.

+

1

Send the header or trailer.

+

2

Do not send the header or trailer.

+

HeaderValue

@@ -2714,6 +3183,142 @@

PathRewritePolicy +

ProcessingMode +

+

+(Appears on: +ExtProc, +ExtProcOverride) +

+

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+requestHeaderMode +
+ + +HeaderSendMode + + +
+(Optional) +

How to handle the request header. Default is “SEND”.

+
+responseHeaderMode +
+ + +HeaderSendMode + + +
+(Optional) +

How to handle the response header. Default is “SEND”.

+
+requestBodyMode +
+ + +BodySendMode + + +
+(Optional) +

How to handle the request body. Default is “NONE”.

+
+responseBodyMode +
+ + +BodySendMode + + +
+(Optional) +

How do handle the response body. Default is “NONE”.

+
+requestTrailerMode +
+ + +HeaderSendMode + + +
+(Optional) +

How to handle the request trailers. Default is “SKIP”.

+
+responseTrailerMode +
+ + +HeaderSendMode + + +
+(Optional) +

How to handle the response trailers. Default is “SKIP”.

+
+

ProcessingPhase +(string alias)

+

+(Appears on: +ExtProc) +

+

+

+ + + + + + + + + + + + + + + + + + +
ValueDescription

"AuthN"

"AuthZ"

"CORS"

"RateLimit"

"UnspecifiedPhase"

QueryParameterHashOptions

@@ -3857,6 +4462,23 @@

Route The rules defined here override any rules set on the root HTTPProxy.

+ + +extProcPolicy +
+ + +ExtProcPolicy + + + + +(Optional) +

ExtProcPolicy updates the external processing policy that was set +on the root HTTPProxy object for client requests/responses that +match this route.

+ +

Service @@ -4859,6 +5481,21 @@

VirtualHost The rules defined here may be overridden in a Route.

+ + +externalProcessor +
+ + +ExternalProcessor + + + + +(Optional) +

ExternalProcessor are a list of external processors which allow to act on HTTP traffic in a flexible way.

+ +
@@ -5074,6 +5711,22 @@

ContourConfiguration +globalExternalProcessor +
+ + +ExternalProcessor + + + + +(Optional) +

GlobalExternalProcessor allows envoys external processing filters +to be enabled for all virtual hosts.

+ + + + rateLimitService
@@ -5816,6 +6469,22 @@

ContourConfiguratio +globalExternalProcessor +
+ + +ExternalProcessor + + + + +(Optional) +

GlobalExternalProcessor allows envoys external processing filters +to be enabled for all virtual hosts.

+ + + + rateLimitService
From 84bafd40fed0595feeb52f7eb9bff066020c9ba7 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Wed, 11 Oct 2023 17:43:45 +0800 Subject: [PATCH 05/31] set default for extProc's params Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 1 + cmd/contour/serve.go | 5 +---- internal/dag/httpproxy_processor.go | 16 ++++++++++++++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index 00036684dbf..6d1bbed9b20 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -363,6 +363,7 @@ type HeaderMutationRules struct { } type ProcessingMode struct { + //TODO: lewgun string? // How to handle the request header. Default is "SEND". // // +optional diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 3f2952107ae..2f35aaef731 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -826,11 +826,8 @@ func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.Co return nil, nil } - globalExtProcCfg := &xdscache_v3.GlobalExtProcConfig{ - //Disabled: contourCfg.GlobalExternalProcessor.ProcessingPolicy.Disabled, - } + globalExtProcCfg := &xdscache_v3.GlobalExtProcConfig{} for _, ep := range contourCfg.GlobalExternalProcessor.Processors { - // ensure the specified ExtensionService exists extSvcCfg, err := s.getExtensionSvcConfig(ep.GRPCService.ExtensionServiceRef.Name, ep.GRPCService.ExtensionServiceRef.Namespace) if err != nil { diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 7f1808d4491..7f033be9550 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go 
@@ -49,6 +49,18 @@ func defaultExtensionRef(ref contour_api_v1.ExtensionServiceReference) contour_a } func ToProcessingMode(pm *contour_api_v1.ProcessingMode) *ProcessingMode { + + // TODO: move to somewhere? + if pm == nil { + pm = &contour_api_v1.ProcessingMode{ + RequestHeaderMode: 1, + ResponseHeaderMode: 1, + RequestBodyMode: 0, + ResponseBodyMode: 0, + RequestTrailerMode: 2, + ResponseTrailerMode: 2, + } + } return &ProcessingMode{ RequestHeaderMode: HeaderSendMode(pm.RequestHeaderMode), ResponseHeaderMode: HeaderSendMode(pm.ResponseHeaderMode), @@ -62,6 +74,10 @@ func ToProcessingMode(pm *contour_api_v1.ProcessingMode) *ProcessingMode { } func ToMutationRules(rule *contour_api_v1.HeaderMutationRules) *HeaderMutationRules { + // TODO: move to somewhere? + if rule == nil { + rule = &contour_api_v1.HeaderMutationRules{} + } return &HeaderMutationRules{ AllowAllRouting: rule.AllowAllRouting, AllowEnvoy: rule.AllowEnvoy, From 922668f93ab9328a2b610dbcc5a21fc47f1e449a Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 12 Oct 2023 18:15:25 +0800 Subject: [PATCH 06/31] clean up Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 3 +-- internal/dag/httpproxy_processor.go | 3 --- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index 6d1bbed9b20..d349a5bb037 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -470,7 +470,7 @@ type ExternalProcessor struct { // ExtProcPolicy sets a external processing policy. // This policy will be used unless overridden by individual routes. - // for the default global external processor, it's must be nil + // NOTES: for the default global external processor, it's must be nil // // +optional ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` 
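Review bot: The nil-default added to ToProcessingMode spells the modes as bare integers (1, 1, 0, 0, 2, 2) even though contour_api_v1 declares named constants for exactly these values (ProcessingMode_SEND, ProcessingMode_NONE, ProcessingMode_SKIP, introduced earlier in this series), so the literals should be replaced by the constants to keep the defaults readable and tied to the enum. The "TODO: move to somewhere?" markers here and in the ToMutationRules hunk below could become a short why-comment instead; the API comments describe the DEFAULT (0) HeaderSendMode as already meaning "headers sent, trailers skipped", so it is worth confirming whether this explicit mapping is needed at all. The rest of ToProcessingMode's field conversion lies outside the hunk.
```go
	// Default a missing ProcessingMode to the documented defaults: headers
	// are sent, bodies are not forwarded, trailers are skipped.
	if pm == nil {
		pm = &contour_api_v1.ProcessingMode{
			RequestHeaderMode:   contour_api_v1.ProcessingMode_SEND,
			ResponseHeaderMode:  contour_api_v1.ProcessingMode_SEND,
			RequestBodyMode:     contour_api_v1.ProcessingMode_NONE,
			ResponseBodyMode:    contour_api_v1.ProcessingMode_NONE,
			RequestTrailerMode:  contour_api_v1.ProcessingMode_SKIP,
			ResponseTrailerMode: contour_api_v1.ProcessingMode_SKIP,
		}
	}
	// … unchanged: field-by-field conversion to dag.ProcessingMode …
```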
@@ -484,7 +484,6 @@ type ExtProcPolicy struct { // +optional Disabled bool `json:"disabled,omitempty"` - // for global external processing, it's not exists // // +optional Overrides *ExtProcOverride `json:"overrides,omitempty"` diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 7f033be9550..f892a7961a4 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -2097,9 +2097,6 @@ func routeExtProcValid(policy *contour_api_v1.ExtProcPolicy) error { return fmt.Errorf("cannot specify both ExtProcPolicy.Overrides and ExtProcPolicy.Disabled ") } - if policy.Disabled { - return nil - } return nil } From 9c54782a32c752a3f60f06671e2c6bc3aa36a74f Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Fri, 13 Oct 2023 18:03:16 +0800 Subject: [PATCH 07/31] more todo Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 8 ++++++-- apis/projectcontour/v1alpha1/contourconfig.go | 2 +- cmd/contour/serve.go | 4 ++++ internal/dag/httpproxy_processor.go | 20 +++++++++++++------ 4 files changed, 25 insertions(+), 9 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index d349a5bb037..afcb3f6f0bf 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -470,7 +470,9 @@ type ExternalProcessor struct { // ExtProcPolicy sets a external processing policy. // This policy will be used unless overridden by individual routes. - // NOTES: for the default global external processor, it's must be nil + // + // TODO: split? + // NOTE: for the default global external processor, it's must be nil (fatal or warnning) // // +optional ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` 
@@ -484,6 +486,8 @@ type ExtProcPolicy struct { // +optional Disabled bool `json:"disabled,omitempty"` + // TODO: split? + // NOTE: for VirtualHost's external processor, it's must be nil (fatal or warnning) // // +optional Overrides *ExtProcOverride `json:"overrides,omitempty"` @@ -540,7 +544,7 @@ type VirtualHost struct { // ExternalProcessor are a list of external processors which allow to act on HTTP traffic in a flexible way. // // +optional - ExternalProcessor *ExternalProcessor `json:"externalProcessor,omitempty"` + ExternalProcessor *ExternalProcessor `json:"externalProcessor,omitempty"` // TODO: rename to: extProc } // JWTProvider defines how to verify JWTs on requests. diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index d1e25ccd23f..30e32dac91a 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go @@ -70,7 +70,7 @@ type ContourConfigurationSpec struct { // GlobalExternalProcessor allows envoys external processing filters // to be enabled for all virtual hosts. // +optional - GlobalExternalProcessor *contour_api_v1.ExternalProcessor `json:"globalExternalProcessor,omitempty"` + GlobalExternalProcessor *contour_api_v1.ExternalProcessor `json:"globalExternalProcessor,omitempty"` // TODO: rename to: globalExtProc // RateLimitService optionally holds properties of the Rate Limit Service // to be used for global rate limiting. diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 2f35aaef731..3ef19976244 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go 
@@ -826,6 +826,10 @@ func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.Co return nil, nil } + if contourCfg.GlobalExternalProcessor.ExtProcPolicy != nil { + return nil, fmt.Errorf("GlobalExternalProcessor.ExtProcPolicy cannot be defined.") + } + globalExtProcCfg := &xdscache_v3.GlobalExtProcConfig{} for _, ep := range contourCfg.GlobalExternalProcessor.Processors { // ensure the specified ExtensionService exists diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index f892a7961a4..3abc0dcb892 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -237,14 +237,22 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) { return } - if proxy.Spec.VirtualHost.TLS == nil && proxy.Spec.VirtualHost.ExternalProcessor != nil { - for _, ep := range proxy.Spec.VirtualHost.ExternalProcessor.Processors { - if len(ep.GRPCService.ExtensionServiceRef.Name) > 0 { - validCond.AddError(contour_api_v1.ConditionTypeExtProcError, "ExtProcNotPermitted", - "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS") - return + extProc := proxy.Spec.VirtualHost.ExternalProcessor + if extProc != nil { + if proxy.Spec.VirtualHost.TLS == nil { + for _, ep := range extProc.Processors { + if len(ep.GRPCService.ExtensionServiceRef.Name) > 0 { + validCond.AddError(contour_api_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", + "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS") + return + } } } + if extProc.ExtProcPolicy != nil && extProc.ExtProcPolicy.Overrides != nil { + validCond.AddError(contour_api_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", + "Spec.VirtualHost.ExternalProcessor.ExtProcPolicy.Overrides cannot be defined.") + return + } } 
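Review bot: The new loop in computeHTTPProxy dereferences `ep.GRPCService.ExtensionServiceRef.Name` without a nil check, but ExtProc.GRPCService is declared as an optional pointer (`GRPCService *GRPCService` with `+optional`), so a user-supplied HTTPProxy whose processor omits grpcService would panic the controller; guard it with `if ep.GRPCService != nil && len(ep.GRPCService.ExtensionServiceRef.Name) > 0 {` or reject a nil GRPCService with a condition error. The same unguarded dereference appears on the context line of setupGlobalExternalProcessor in the serve.go hunk above, where the config is operator-provided rather than user-provided. Separately, the error string added in that serve.go hunk, `fmt.Errorf("GlobalExternalProcessor.ExtProcPolicy cannot be defined.")`, should drop the trailing period per Go error-string convention. computeHTTPProxy continues outside the hunk.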
From 07363a8efaf47beeff4e24f3f1dfdbc13b9c9a01 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Mon, 16 Oct 2023 18:24:21 +0800 Subject: [PATCH 08/31] more log Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 93 ++++++++++++++----- apis/projectcontour/v1alpha1/contourconfig.go | 2 +- pkg/config/parameters.go | 3 +- 3 files changed, 71 insertions(+), 27 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index afcb3f6f0bf..e4b716f6f72 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -291,7 +291,7 @@ type AuthorizationPolicy struct { Context map[string]string `json:"context,omitempty"` } -// Control how headers and trailers are handled +// HeaderSendMode control how headers and trailers are handled type HeaderSendMode int32 const ( 
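Review bot: The reworded type comment reads `// HeaderSendMode control how headers and trailers are handled`, and the next hunk has the same form in `// BodySendMode control how the request and response bodies are handled`; both should use the third-person verb and end with a period, e.g. `// HeaderSendMode controls how headers and trailers are handled.`, since these comments also become the generated API reference text. The same pattern recurs later in this commit with `// GRPCService configure the gRPC service ...` and `// ExtProcOverride override aspects of the configuration ...`.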
@@ -299,31 +299,38 @@ const ( // processed. By default, request and response headers are sent, // while trailers are skipped. ProcessingMode_DEFAULT HeaderSendMode = 0 + // Send the header or trailer. ProcessingMode_SEND HeaderSendMode = 1 + // Do not send the header or trailer. ProcessingMode_SKIP HeaderSendMode = 2 ) -// Control how the request and response bodies are handled +// BodySendMode control how the request and response bodies are handled type BodySendMode int32 const ( // Do not send the body at all. This is the default. ProcessingMode_NONE BodySendMode = 0 + // Stream the body to the server in pieces as they arrive at the // proxy. ProcessingMode_STREAMED BodySendMode = 1 + // Buffer the message body in memory and send the entire body at once. // If the body exceeds the configured buffer limit, then the // downstream system will receive an error. ProcessingMode_BUFFERED BodySendMode = 2 + // Buffer the message body in memory and send the entire body in one // chunk. If the body exceeds the configured buffer limit, then the body contents // up to the buffer limit will be sent. ProcessingMode_BUFFERED_PARTIAL BodySendMode = 3 ) +// HeaderMutationRules specifies what headers may be manipulated by a processing filter. +// This set of rules makes it possible to control which modifications a filter may make. type HeaderMutationRules struct { // By default, certain headers that could affect processing of subsequent // filters or request routing cannot be modified. These headers are 
@@ -332,12 +339,14 @@ type HeaderMutationRules struct { // // +optional AllowAllRouting bool `json:"allowAllRouting,omitempty"` + // If true, allow modification of envoy internal headers. By default, these // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` // configuration. Default is false. // // +optional AllowEnvoy bool `json:"allowEnvoy,omitempty"` + // If true, prevent modification of any system header, defined as a header // that starts with a ``:`` character, regardless of any other settings. // A processing server may still override the ``:status`` of an HTTP response @@ -345,12 +354,14 @@ type HeaderMutationRules struct { // // +optional DisallowSystem bool `json:"disallowSystem,omitempty"` + // If true, prevent modifications of all header values, regardless of any // other settings. A processing server may still override the ``:status`` // of an HTTP response using an ``ImmediateResponse`` message. Default is false. // // +optional DisallowAll bool `json:"disallowAll,omitempty"` + // If true, and if the rules in this list cause a header mutation to be // disallowed, then the filter using this configuration will terminate the // request with a 500 error. In addition, regardless of the setting of this 
@@ -362,41 +373,48 @@ type HeaderMutationRules struct { DisallowIsError bool `json:"disallowIsError,omitempty"` } +// ProcessingMode describes which parts of an HTTP request and response are sent to a remote server +// and how they are delivered. type ProcessingMode struct { - //TODO: lewgun string? // How to handle the request header. Default is "SEND". // // +optional RequestHeaderMode HeaderSendMode `json:"requestHeaderMode,omitempty"` + // How to handle the response header. Default is "SEND". // // +optional ResponseHeaderMode HeaderSendMode `json:"responseHeaderMode,omitempty"` + // How to handle the request body. Default is "NONE". // // +optional RequestBodyMode BodySendMode `json:"requestBodyMode,omitempty"` + // How do handle the response body. Default is "NONE". // // +optional ResponseBodyMode BodySendMode `json:"responseBodyMode,omitempty"` + // How to handle the request trailers. Default is "SKIP". // // +optional RequestTrailerMode HeaderSendMode `json:"requestTrailerMode,omitempty"` + // How to handle the response trailers. Default is "SKIP". // // +optional ResponseTrailerMode HeaderSendMode `json:"responseTrailerMode,omitempty"` } +// GRPCService configure the gRPC service that the filter will communicate with. type GRPCService struct { - // ExtensionServiceRef specifies the extension resource that will authorize client requests. + // ExtensionServiceRef specifies the extension resource that will handle the client requests. // // +optional ExtensionServiceRef ExtensionServiceReference `json:"extensionRef,omitempty"` - // ResponseTimeout configures maximum time to wait for a check response from the authorization server. + // ResponseTimeout sets how long the proxy should wait for responses. // Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". // The string "infinity" is also a valid input and specifies no timeout. 
@@ -406,64 +424,88 @@ type GRPCService struct { ResponseTimeout string `json:"responseTimeout,omitempty"` // If FailOpen is true, the client request is forwarded to the upstream service - // even if the authorization server fails to respond. This field should not be - // set in most cases. It is intended for use only while migrating applications - // from internal authorization to Contour external authorization. + // even if the server fails to respond. This field should not be + // set in most cases. // // +optional FailOpen bool `json:"failOpen,omitempty"` } +// ProcessingPhase define the phase in the filter chain where the external processing filter will be injected type ProcessingPhase string const ( + // UnspecifiedPhase decides where to insert the external processing service. + // This will generally be at the end of the filter chain, right before the Router UnspecifiedPhase ProcessingPhase = "UnspecifiedPhase" - AuthN ProcessingPhase = "AuthN" - AuthZ ProcessingPhase = "AuthZ" - CORS ProcessingPhase = "CORS" - RateLimit ProcessingPhase = "RateLimit" + + // Insert before contour authentication filter(s). + AuthN ProcessingPhase = "AuthN" + + // Insert before contour authorization filter(s) and after the authentication filter(s). + AuthZ ProcessingPhase = "AuthZ" + + // Insert before contour CORS filter(s). + CORS ProcessingPhase = "CORS" + + // Insert before contour RateLimit. + RateLimit ProcessingPhase = "RateLimit" ) -// The External Processing filter allows an external service to act on HTTP traffic in a flexible way -// The external server must implement the v3 Envoy -// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). 
+// ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way +// The external server must implement the v3 Envoy external processing GRPC protocol +// (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). type ExtProc struct { - - // TODO: lewgun - // https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase // Phase determines where in the filter chain this extProc is to be injected. // // +optional Phase ProcessingPhase `json:"phase,omitempty"` - // Priority determines ordering of extProc in the same phase. When multiple extProc are applied to the same workload in the same phase, + // Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, // they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, // they will follow the order in which extProc(s) are added, Defaults to 0. // // +optional Priority int32 `json:"priority,omitempty"` + + // GRPCService configure the gRPC service that the filter will communicate with. // // +optional GRPCService *GRPCService `json:"grpcService,omitempty"` + + // ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + // and how they are delivered. // // +optional ProcessingMode *ProcessingMode `json:"processingMode,omitempty"` + + // MutationRules specifies what headers may be manipulated by a processing filter. + // This set of rules makes it possible to control which modifications a filter may make. // // +optional MutationRules *HeaderMutationRules `json:"mutationRules,omitempty"` } +// ExtProcOverride override aspects of the configuration for this route. +// A set of overrides in a more specific configuration will override a “disabled” flag set in a less-specific one. 
type ExtProcOverride struct { + // GRPCService configure the gRPC service that the filter will communicate with. // // +optional GRPCService *GRPCService `json:"grpcService,omitempty"` + + // ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + // and how they are delivered. // // +optional ProcessingMode *ProcessingMode `json:"processingMode,omitempty"` } type ExternalProcessor struct { - + // Processors defines a processing filter list,and each filter in the list + // will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + // If no phase is specified, it will be added before the Router. + // If no Priority is specified, the filters will be added in the order they appear in the list. // // +optional Processors []ExtProc `json:"processors,omitempty"` @@ -471,8 +513,7 @@ type ExternalProcessor struct { // ExtProcPolicy sets a external processing policy. // This policy will be used unless overridden by individual routes. // - // TODO: split? - // NOTE: for the default global external processor, it's must be nil (fatal or warnning) + // For the Global External Processor, it's must be nil. // // +optional ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` @@ -482,12 +523,14 @@ type ExternalProcessor struct { type ExtProcPolicy struct { // When true, this field disables client request external processing // for the scope of the policy. + // Precisely one of disabled, overrides must be set. // // +optional Disabled bool `json:"disabled,omitempty"` - // TODO: split? - // NOTE: for VirtualHost's external processor, it's must be nil (fatal or warnning) + // Overrides aspects of the configuration for this route. + // + // For VirtualHost, it's must be nil. // // +optional Overrides *ExtProcOverride `json:"overrides,omitempty"` 
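Review bot: The new doc comments in this hunk contradict each other on ordering: ExtProc.Priority says processors in the same phase "will be applied by priority, in descending order", while ExternalProcessor.Processors says each filter is added "in ascending order of it's Priority within the same phase"; only one can be right, and because these comments become the CRD field descriptions they should be aligned with whatever sort the DAG actually performs (not visible here), with "it's" corrected to "its". The FailOpen comment would also benefit from stating the consequence, e.g. `// When FailOpen is true a request is forwarded even if the processing server is unreachable, which bypasses any AuthN/AuthZ-phase processor; leave it false unless an outage must not block traffic.`. This hunk begins on an earlier line (`@@ -406,64 +424,88 @@`), and the ExtProcPolicy hunk below it adds "Precisely one of disabled, overrides must be set", whereas the routeExtProcValid hunk from an earlier commit only rejects the both-set case — worth confirming the neither-set case is validated somewhere.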
@@ -544,7 +587,7 @@ type VirtualHost struct { // ExternalProcessor are a list of external processors which allow to act on HTTP traffic in a flexible way. // // +optional - ExternalProcessor *ExternalProcessor `json:"externalProcessor,omitempty"` // TODO: rename to: extProc + ExternalProcessor *ExternalProcessor `json:"extProc,omitempty"` } // JWTProvider defines how to verify JWTs on requests. diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index 30e32dac91a..4b1e2a13bae 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go @@ -70,7 +70,7 @@ type ContourConfigurationSpec struct { // GlobalExternalProcessor allows envoys external processing filters // to be enabled for all virtual hosts. // +optional - GlobalExternalProcessor *contour_api_v1.ExternalProcessor `json:"globalExternalProcessor,omitempty"` // TODO: rename to: globalExtProc + GlobalExternalProcessor *contour_api_v1.ExternalProcessor `json:"globalExtProc,omitempty"` // RateLimitService optionally holds properties of the Rate Limit Service // to be used for global rate limiting. diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index f253f880220..b535844f257 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -653,7 +653,7 @@ type Parameters struct { Tracing *Tracing `yaml:"tracing,omitempty"` // GlobalExternalProcessor optionally holds properties of the global external processing configurations. - GlobalExternalProcessor *GlobalExternalProcessor `yaml:"globalExternalProcessor,omitempty"` + GlobalExternalProcessor *GlobalExternalProcessor `yaml:"globalExtProc,omitempty"` } // Tracing defines properties for exporting trace data to OpenTelemetry. 
@@ -787,6 +787,7 @@ type ExternalProcessor struct { FailOpen bool `yaml:"failOpen,omitempty"` } +// TODO: lewgun // The External Processing filter allows an external service to act on HTTP traffic in a flexible way // The external server must implement the v3 Envoy // external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). From 99a3b5246a0b0a4f7b20aca525caa8e6cfe08c94 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Tue, 17 Oct 2023 18:01:05 +0800 Subject: [PATCH 09/31] comments & more Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 11 +- apis/projectcontour/v1alpha1/contourconfig.go | 10 +- .../v1alpha1/zz_generated.deepcopy.go | 10 +- cmd/contour/servecontext.go | 24 +- examples/contour/01-crds.yaml | 304 ++++++++++-------- examples/render/contour-deployment.yaml | 304 ++++++++++-------- .../render/contour-gateway-provisioner.yaml | 304 ++++++++++-------- examples/render/contour-gateway.yaml | 304 ++++++++++-------- examples/render/contour.yaml | 304 ++++++++++-------- pkg/config/parameters.go | 37 +-- .../docs/main/config/api-reference.html | 141 ++++---- 11 files changed, 988 insertions(+), 765 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index e4b716f6f72..86604be64a0 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -25,7 +25,7 @@ type HTTPProxySpec struct { // +optional VirtualHost *VirtualHost `json:"virtualhost,omitempty"` // Routes are the ingress routes. If TCPProxy is present, Routes is ignored. - // +optional + // +optional Routes []Route `json:"routes,omitempty"` // TCPProxy holds TCP proxy information. // +optional 
@@ -501,6 +501,7 @@ type ExtProcOverride struct { ProcessingMode *ProcessingMode `json:"processingMode,omitempty"` } +// ExternalProcessor defines a processing filter list and the policy for fine-grained at VirutalHost and/or Route level. type ExternalProcessor struct { // Processors defines a processing filter list,and each filter in the list // will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. @@ -513,7 +514,7 @@ type ExternalProcessor struct { // ExtProcPolicy sets a external processing policy. // This policy will be used unless overridden by individual routes. // - // For the Global External Processor, it's must be nil. + // **Note: for the Global External Processor, it's must be nil. // // +optional ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` @@ -530,7 +531,7 @@ type ExtProcPolicy struct { // Overrides aspects of the configuration for this route. // - // For VirtualHost, it's must be nil. + // **Note: For VirtualHost, it's must be nil. // // +optional Overrides *ExtProcOverride `json:"overrides,omitempty"` @@ -584,7 +585,8 @@ type VirtualHost struct { // The rules defined here may be overridden in a Route. IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"` - // ExternalProcessor are a list of external processors which allow to act on HTTP traffic in a flexible way. + // ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way + // and the policy for fine-grained at VirtualHost level. // // +optional ExternalProcessor *ExternalProcessor `json:"extProc,omitempty"` @@ -859,6 +861,7 @@ type Route struct { // ExtProcPolicy updates the external processing policy that was set // on the root HTTPProxy object for client requests/responses that // match this route. + // // +optional ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` } 
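Review bot: The rewritten comments use an unbalanced markdown marker, `// **Note: for the Global External Processor, it's must be nil.` and `// **Note: For VirtualHost, it's must be nil.`, which propagates verbatim into the generated CRD descriptions (the 01-crds.yaml hunk of this commit shows the `**Note:` text); suggest `// Note: for the Global External Processor, this must be nil.` and `// Note: for a VirtualHost, this must be nil.`. The new ExternalProcessor type comment also has a typo, "VirutalHost", and "the policy for fine-grained at VirtualHost level" reads better as "the policy applied at the VirtualHost and/or Route level".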
diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index 4b1e2a13bae..02a1771cf7f 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go @@ -67,11 +67,6 @@ type ContourConfigurationSpec struct { // +optional GlobalExternalAuthorization *contour_api_v1.AuthorizationServer `json:"globalExtAuth,omitempty"` - // GlobalExternalProcessor allows envoys external processing filters - // to be enabled for all virtual hosts. - // +optional - GlobalExternalProcessor *contour_api_v1.ExternalProcessor `json:"globalExtProc,omitempty"` - // RateLimitService optionally holds properties of the Rate Limit Service // to be used for global rate limiting. // +optional @@ -89,6 +84,11 @@ type ContourConfigurationSpec struct { // Tracing defines properties for exporting trace data to OpenTelemetry. Tracing *TracingConfig `json:"tracing,omitempty"` + + // GlobalExternalProcessor allows envoys external processing filters + // to be enabled for all virtual hosts. + // +optional + GlobalExternalProcessor *contour_api_v1.ExternalProcessor `json:"globalExtProc,omitempty"` } // XDSServerType is the type of xDS server implementation. diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go index f3a7092abd7..b9d9126775c 100644 --- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go @@ -179,11 +179,6 @@ func (in *ContourConfigurationSpec) DeepCopyInto(out *ContourConfigurationSpec) *out = new(v1.AuthorizationServer) (*in).DeepCopyInto(*out) } - if in.GlobalExternalProcessor != nil { - in, out := &in.GlobalExternalProcessor, &out.GlobalExternalProcessor - *out = new(v1.ExternalProcessor) - (*in).DeepCopyInto(*out) - } if in.RateLimitService != nil { in, out := &in.RateLimitService, &out.RateLimitService *out = new(RateLimitServiceConfig) 
@@ -204,6 +199,11 @@ func (in *ContourConfigurationSpec) DeepCopyInto(out *ContourConfigurationSpec)
 		*out = new(TracingConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.GlobalExternalProcessor != nil {
+		in, out := &in.GlobalExternalProcessor, &out.GlobalExternalProcessor
+		*out = new(v1.ExternalProcessor)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContourConfigurationSpec.
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
index 189ae246757..d9385412f14 100644
--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -460,28 +460,6 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 		}
 	}
 
-	globalExtProc := &contour_api_v1.ExternalProcessor{}
-	if ctx.Config.GlobalExternalProcessor != nil {
-		for _, ep := range ctx.Config.GlobalExternalProcessor.Processors {
-			nsedName := k8s.NamespacedNameFrom(ep.ExtensionService)
-			extProc := contour_api_v1.ExtProc{
-				GRPCService: &contour_api_v1.GRPCService{
-					ExtensionServiceRef: contour_api_v1.ExtensionServiceReference{
-						Name:      nsedName.Name,
-						Namespace: nsedName.Namespace,
-					},
-					ResponseTimeout: ctx.Config.GlobalExternalAuthorization.ResponseTimeout,
-					FailOpen:        ctx.Config.GlobalExternalAuthorization.FailOpen,
-				},
-			}
-			globalExtProc.Processors = append(globalExtProc.Processors, extProc)
-		}
-
-		// globalExtProc.ProcessingPolicy = &contour_api_v1.ExternalProcessingPolicy{
-		//	Disabled: ctx.Config.GlobalExternalProcessor.ProcessingPolicy.Disabled,
-		// }
-
-	}
 	policy := &contour_api_v1alpha1.PolicyConfig{
 		RequestHeadersPolicy: &contour_api_v1alpha1.HeadersPolicy{
 			Set: ctx.Config.Policy.RequestHeadersPolicy.Set,
@@ -606,7 +584,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 		},
 		EnableExternalNameService:   &ctx.Config.EnableExternalNameService,
 		GlobalExternalAuthorization: globalExtAuth,
-		GlobalExternalProcessor:     globalExtProc,
+		GlobalExternalProcessor:     ctx.Config.GlobalExternalProcessor,
 		RateLimitService:            rateLimitService,
 		Policy:                      policy,
 		Metrics:                     &contourMetrics,
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
index f553ab15da6..cf47ab8222c 100644
--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -555,27 +555,31 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual routes. - for the default global external processor, it's must be nil + \n **Note: for the Global External Processor, it's must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for this + route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
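Review bot: The new assignment hands `ctx.Config.GlobalExternalProcessor` to the ContourConfiguration spec unchanged, so whatever the config file carries in that block — including a non-nil `extProcPolicy`, which the API doc comment in this commit says must be nil for the global processor — reaches the DAG without being checked here, whereas the removed loop at least resolved each extension service reference through `k8s.NamespacedNameFrom`. If the config-file field is now the API type itself this is acceptable only if the config validation that runs before this conversion rejects a global policy and an unresolvable extension reference; that validation is not visible from this hunk, so please confirm it or add the check there. A second behavioural difference worth a look: the old code always produced a non-nil (possibly empty) `ExternalProcessor`, while the new code leaves the field nil when the config omits it, so every consumer of `GlobalExternalProcessor` must tolerate nil. `convertToContourConfigurationSpec` begins and ends outside the hunk.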
@@ -599,16 +603,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from internal - authorization to Contour external authorization. + server fails to respond. This field should not be + set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -616,6 +617,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -651,17 +655,25 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and each + filter in the list will be added to the corresponding processing + Priority in ascending order of it's Priority within the same + phase. If no phase is specified, it will be added before the + Router. If no Priority is specified, the filters will be added + in the order they appear in the list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing GRPC - protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing filter + which allows an external service to act on HTTP traffic in + a flexible way The external server must implement the v3 Envoy + external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -684,17 +696,14 @@ spec: type: object failOpen: description: If FailOpen is true, the client request - is forwarded to the upstream service even if the authorization - server fails to respond. This field should not be - set in most cases. It is intended for use only while - migrating applications from internal authorization - to Contour external authorization. + is forwarded to the upstream service even if the server + fails to respond. This field should not be set in + most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are expressed + in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -702,6 +711,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may be + manipulated by a processing filter. This set of rules + makes it possible to control which modifications a filter + may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -744,20 +757,22 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc in - the same phase. When multiple extProc are applied to the - same workload in the same phase, they will be applied + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, they will follow the order in which extProc(s) are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4243,29 +4258,33 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -4290,17 +4309,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4308,6 +4323,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4343,17 +4361,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -4377,16 +4404,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4394,6 +4418,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -4436,21 +4464,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -5887,16 +5917,20 @@ spec: properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If @@ -5920,16 +5954,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. 
@@ -5937,6 +5968,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default @@ -7499,29 +7533,34 @@ spec: - allowMethods - allowOrigin type: object - externalProcessor: - description: ExternalProcessor are a list of external processors - which allow to act on HTTP traffic in a flexible way. + extProc: + description: ExternalProcessor contains a list of external processors + which allow to act on HTTP traffic in a flexible way and the + policy for fine-grained at VirtualHost level. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -7546,17 +7585,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7564,6 +7599,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -7599,17 +7637,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -7633,16 +7680,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7650,6 +7694,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -7692,21 +7740,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index b0280b47287..eece9c3fce8 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -774,27 +774,31 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual routes. - for the default global external processor, it's must be nil + \n **Note: for the Global External Processor, it's must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for this + route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -818,16 +822,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from internal - authorization to Contour external authorization. + server fails to respond. This field should not be + set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -835,6 +836,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -870,17 +874,25 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and each + filter in the list will be added to the corresponding processing + Priority in ascending order of it's Priority within the same + phase. If no phase is specified, it will be added before the + Router. If no Priority is specified, the filters will be added + in the order they appear in the list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing GRPC - protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing filter + which allows an external service to act on HTTP traffic in + a flexible way The external server must implement the v3 Envoy + external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -903,17 +915,14 @@ spec: type: object failOpen: description: If FailOpen is true, the client request - is forwarded to the upstream service even if the authorization - server fails to respond. This field should not be - set in most cases. It is intended for use only while - migrating applications from internal authorization - to Contour external authorization. + is forwarded to the upstream service even if the server + fails to respond. This field should not be set in + most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are expressed + in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -921,6 +930,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may be + manipulated by a processing filter. This set of rules + makes it possible to control which modifications a filter + may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -963,20 +976,22 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc in - the same phase. When multiple extProc are applied to the - same workload in the same phase, they will be applied + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, they will follow the order in which extProc(s) are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4462,29 +4477,33 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -4509,17 +4528,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4527,6 +4542,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4562,17 +4580,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -4596,16 +4623,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4613,6 +4637,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -4655,21 +4683,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -6106,16 +6136,20 @@ spec: properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If @@ -6139,16 +6173,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. 
@@ -6156,6 +6187,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default @@ -7718,29 +7752,34 @@ spec: - allowMethods - allowOrigin type: object - externalProcessor: - description: ExternalProcessor are a list of external processors - which allow to act on HTTP traffic in a flexible way. + extProc: + description: ExternalProcessor contains a list of external processors + which allow to act on HTTP traffic in a flexible way and the + policy for fine-grained at VirtualHost level. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -7765,17 +7804,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7783,6 +7818,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -7818,17 +7856,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -7852,16 +7899,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7869,6 +7913,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -7911,21 +7959,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 152fb177ca5..a26333f9ee7 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -566,27 +566,31 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual routes. - for the default global external processor, it's must be nil + \n **Note: for the Global External Processor, it's must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for this + route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -610,16 +614,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from internal - authorization to Contour external authorization. + server fails to respond. This field should not be + set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -627,6 +628,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -662,17 +666,25 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and each + filter in the list will be added to the corresponding processing + Priority in ascending order of it's Priority within the same + phase. If no phase is specified, it will be added before the + Router. If no Priority is specified, the filters will be added + in the order they appear in the list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing GRPC - protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing filter + which allows an external service to act on HTTP traffic in + a flexible way The external server must implement the v3 Envoy + external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -695,17 +707,14 @@ spec: type: object failOpen: description: If FailOpen is true, the client request - is forwarded to the upstream service even if the authorization - server fails to respond. This field should not be - set in most cases. It is intended for use only while - migrating applications from internal authorization - to Contour external authorization. + is forwarded to the upstream service even if the server + fails to respond. This field should not be set in + most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are expressed + in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -713,6 +722,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may be + manipulated by a processing filter. This set of rules + makes it possible to control which modifications a filter + may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -755,20 +768,22 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc in - the same phase. When multiple extProc are applied to the - same workload in the same phase, they will be applied + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, they will follow the order in which extProc(s) are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4254,29 +4269,33 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -4301,17 +4320,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4319,6 +4334,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4354,17 +4372,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -4388,16 +4415,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4405,6 +4429,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -4447,21 +4475,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -5898,16 +5928,20 @@ spec: properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If @@ -5931,16 +5965,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. 
@@ -5948,6 +5979,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default @@ -7510,29 +7544,34 @@ spec: - allowMethods - allowOrigin type: object - externalProcessor: - description: ExternalProcessor are a list of external processors - which allow to act on HTTP traffic in a flexible way. + extProc: + description: ExternalProcessor contains a list of external processors + which allow to act on HTTP traffic in a flexible way and the + policy for fine-grained at VirtualHost level. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -7557,17 +7596,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7575,6 +7610,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -7610,17 +7648,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -7644,16 +7691,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7661,6 +7705,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -7703,21 +7751,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index b911a8802d0..6b631e1253f 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -777,27 +777,31 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual routes. - for the default global external processor, it's must be nil + \n **Note: for the Global External Processor, it's must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for this + route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -821,16 +825,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from internal - authorization to Contour external authorization. + server fails to respond. This field should not be + set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -838,6 +839,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -873,17 +877,25 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and each + filter in the list will be added to the corresponding processing + Priority in ascending order of it's Priority within the same + phase. If no phase is specified, it will be added before the + Router. If no Priority is specified, the filters will be added + in the order they appear in the list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing GRPC - protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing filter + which allows an external service to act on HTTP traffic in + a flexible way The external server must implement the v3 Envoy + external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -906,17 +918,14 @@ spec: type: object failOpen: description: If FailOpen is true, the client request - is forwarded to the upstream service even if the authorization - server fails to respond. This field should not be - set in most cases. It is intended for use only while - migrating applications from internal authorization - to Contour external authorization. + is forwarded to the upstream service even if the server + fails to respond. This field should not be set in + most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are expressed + in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -924,6 +933,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may be + manipulated by a processing filter. This set of rules + makes it possible to control which modifications a filter + may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -966,20 +979,22 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc in - the same phase. When multiple extProc are applied to the - same workload in the same phase, they will be applied + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, they will follow the order in which extProc(s) are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4465,29 +4480,33 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -4512,17 +4531,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4530,6 +4545,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4565,17 +4583,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -4599,16 +4626,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4616,6 +4640,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -4658,21 +4686,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -6109,16 +6139,20 @@ spec: properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If @@ -6142,16 +6176,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. 
@@ -6159,6 +6190,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default @@ -7721,29 +7755,34 @@ spec: - allowMethods - allowOrigin type: object - externalProcessor: - description: ExternalProcessor are a list of external processors - which allow to act on HTTP traffic in a flexible way. + extProc: + description: ExternalProcessor contains a list of external processors + which allow to act on HTTP traffic in a flexible way and the + policy for fine-grained at VirtualHost level. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -7768,17 +7807,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7786,6 +7821,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -7821,17 +7859,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -7855,16 +7902,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7872,6 +7916,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -7914,21 +7962,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index e6574da2e0d..5f4d14d2fc1 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -774,27 +774,31 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual routes. - for the default global external processor, it's must be nil + \n **Note: for the Global External Processor, it's must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for this + route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -818,16 +822,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from internal - authorization to Contour external authorization. + server fails to respond. This field should not be + set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -835,6 +836,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -870,17 +874,25 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and each + filter in the list will be added to the corresponding processing + Priority in ascending order of it's Priority within the same + phase. If no phase is specified, it will be added before the + Router. If no Priority is specified, the filters will be added + in the order they appear in the list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing GRPC - protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing filter + which allows an external service to act on HTTP traffic in + a flexible way The external server must implement the v3 Envoy + external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If this 
@@ -903,17 +915,14 @@ spec: type: object failOpen: description: If FailOpen is true, the client request - is forwarded to the upstream service even if the authorization - server fails to respond. This field should not be - set in most cases. It is intended for use only while - migrating applications from internal authorization - to Contour external authorization. + is forwarded to the upstream service even if the server + fails to respond. This field should not be set in + most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time - to wait for a check response from the authorization - server. Timeout durations are expressed in the Go - [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are expressed + in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -921,6 +930,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may be + manipulated by a processing filter. This set of rules + makes it possible to control which modifications a filter + may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -963,20 +976,22 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc in - the same phase. When multiple extProc are applied to the - same workload in the same phase, they will be applied + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are applied + to the same workload in the same phase, they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, they will follow the order in which extProc(s) are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of an + HTTP request and response are sent to a remote server + and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4462,29 +4477,33 @@ spec: type: boolean type: object type: object - globalExternalProcessor: + globalExtProc: description: GlobalExternalProcessor allows envoys external processing filters to be enabled for all virtual hosts. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -4509,17 +4528,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4527,6 +4542,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -4562,17 +4580,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -4596,16 +4623,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -4613,6 +4637,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -4655,21 +4683,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -6106,16 +6136,20 @@ spec: properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If @@ -6139,16 +6173,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. 
@@ -6156,6 +6187,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default @@ -7718,29 +7752,34 @@ spec: - allowMethods - allowOrigin type: object - externalProcessor: - description: ExternalProcessor are a list of external processors - which allow to act on HTTP traffic in a flexible way. + extProc: + description: ExternalProcessor contains a list of external processors + which allow to act on HTTP traffic in a flexible way and the + policy for fine-grained at VirtualHost level. properties: extProcPolicy: - description: ExtProcPolicy sets a external processing policy. + description: "ExtProcPolicy sets a external processing policy. This policy will be used unless overridden by individual - routes. for the default global external processor, it's - must be nil + routes. \n **Note: for the Global External Processor, it's + must be nil." properties: disabled: description: When true, this field disables client request - external processing for the scope of the policy. + external processing for the scope of the policy. Precisely + one of disabled, overrides must be set. type: boolean overrides: - description: for global external processing, it's not - exists + description: "Overrides aspects of the configuration for + this route. \n **Note: For VirtualHost, it's must be + nil." properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the - extension resource that will authorize client + extension resource that will handle the client requests. properties: apiVersion: 
@@ -7765,17 +7804,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if - the authorization server fails to respond. This - field should not be set in most cases. It is - intended for use only while migrating applications - from internal authorization to Contour external - authorization. + the server fails to respond. This field should + not be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the + proxy should wait for responses. Timeout durations + are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7783,6 +7818,9 @@ spec: type: string type: object processingMode: + description: ProcessingMode describes which parts + of an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default 
@@ -7818,17 +7856,26 @@ spec: type: object type: object processors: + description: Processors defines a processing filter list,and + each filter in the list will be added to the corresponding + processing Priority in ascending order of it's Priority + within the same phase. If no phase is specified, it will + be added before the Router. If no Priority is specified, + the filters will be added in the order they appear in the + list. items: - description: The External Processing filter allows an external - service to act on HTTP traffic in a flexible way The external - server must implement the v3 Envoy external processing - GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). + description: ExtProc defines the envoy External Processing + filter which allows an external service to act on HTTP + traffic in a flexible way The external server must implement + the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. properties: extensionRef: description: ExtensionServiceRef specifies the extension - resource that will authorize client requests. + resource that will handle the client requests. properties: apiVersion: description: API version of the referent. If 
@@ -7852,16 +7899,13 @@ spec: failOpen: description: If FailOpen is true, the client request is forwarded to the upstream service even if the - authorization server fails to respond. This field - should not be set in most cases. It is intended - for use only while migrating applications from - internal authorization to Contour external authorization. + server fails to respond. This field should not + be set in most cases. type: boolean responseTimeout: - description: ResponseTimeout configures maximum - time to wait for a check response from the authorization - server. Timeout durations are expressed in the - Go [Duration format](https://godoc.org/time#ParseDuration). + description: ResponseTimeout sets how long the proxy + should wait for responses. Timeout durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The string "infinity" is also a valid input and specifies no timeout. @@ -7869,6 +7913,10 @@ spec: type: string type: object mutationRules: + description: MutationRules specifies what headers may + be manipulated by a processing filter. This set of + rules makes it possible to control which modifications + a filter may make. properties: allowAllRouting: description: By default, certain headers that could 
@@ -7911,21 +7959,23 @@ spec: type: boolean type: object phase: - description: 'TODO: lewgun https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase - Phase determines where in the filter chain this extProc - is to be injected.' + description: Phase determines where in the filter chain + this extProc is to be injected. type: string priority: - description: Priority determines ordering of extProc - in the same phase. When multiple extProc are applied - to the same workload in the same phase, they will - be applied by priority, in descending order, If priority - is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are - added, Defaults to 0. + description: Priority determines ordering of processing + filters in the same phase. When multiple extProc are + applied to the same workload in the same phase, they + will be applied by priority, in descending order, + If priority is not set or two extProc exist with the + same value, they will follow the order in which extProc(s) + are added, Defaults to 0. format: int32 type: integer processingMode: + description: ProcessingMode describes which parts of + an HTTP request and response are sent to a remote + server and how they are delivered. properties: requestBodyMode: description: How to handle the request body. Default diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index b535844f257..c94107dd91e 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -653,7 +653,7 @@ type Parameters struct { Tracing *Tracing `yaml:"tracing,omitempty"` // GlobalExternalProcessor optionally holds properties of the global external processing configurations. - GlobalExternalProcessor *GlobalExternalProcessor `yaml:"globalExtProc,omitempty"` + GlobalExternalProcessor *contour_api_v1.ExternalProcessor `yaml:"globalExtProc,omitempty"` } // Tracing defines properties for exporting trace data to OpenTelemetry. 
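Review bot: Swapping the config-file field to the API type contour_api_v1.ExternalProcessor looks like it will not decode from the YAML config the way the CRD documents it: every other field of Parameters, including this one (`yaml:"globalExtProc,omitempty"`), is decoded via yaml struct tags, while types under apis/projectcontour/v1 are normally annotated with json tags only, in which case the nested fields would have to be written as lowercased Go names in the config file and any camelCase spelling copied from the CRD would be silently dropped rather than rejected. If the decoder used by this package does not honour json tags, keep a pkg/config-local mirror struct with yaml tags (as the other global sections such as RateLimitService do) and convert, or at least add a parsing test that round-trips `globalExtProc.processors[].grpcService.extensionRef`. The field comment should also state that extProcPolicy is not accepted for the global configuration, since the CRD text for the same type says it must be nil there.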
@@ -762,41 +762,6 @@ type GlobalAuthorizationPolicy struct { Context map[string]string `yaml:"context,omitempty"` } -// The External Processing filter allows an external service to act on HTTP traffic in a flexible way -// The external server must implement the v3 Envoy -// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). -type ExternalProcessor struct { - // ExtensionService identifies the extension service defining the RLS, - // formatted as /. - ExtensionService string `yaml:"extensionService,omitempty"` - - // ResponseTimeout configures maximum time to wait for a check response from the expProc server. - // Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - // The string "infinity" is also a valid input and specifies no timeout. - // - // +optional - ResponseTimeout string `yaml:"responseTimeout,omitempty"` - - // If FailOpen is true, the client request is forwarded to the upstream service - // even if the authorization server fails to respond. This field should not be - // set in most cases. It is intended for use only while migrating applications - // from internal authorization to Contour external authorization. - // - // +optional - FailOpen bool `yaml:"failOpen,omitempty"` -} - -// TODO: lewgun -// The External Processing filter allows an external service to act on HTTP traffic in a flexible way -// The external server must implement the v3 Envoy -// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). -type GlobalExternalProcessor struct { - // - // +optional - Processors []ExternalProcessor -} - // RateLimitService defines properties of a global Rate Limit Service. 
type RateLimitService struct { // ExtensionService identifies the extension service defining the RLS, diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index 41c0ee11835..d8282a1176a 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -489,7 +489,7 @@

BodySendMode ProcessingMode)

-

Control how the request and response bodies are handled

+

BodySendMode control how the request and response bodies are handled

@@ -1157,9 +1157,9 @@

ExtProc ExternalProcessor)

-

The External Processing filter allows an external service to act on HTTP traffic in a flexible way -The external server must implement the v3 Envoy -external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).

+

ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way +The external server must implement the v3 Envoy external processing GRPC protocol +(https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).

@@ -1181,9 +1181,7 @@

ExtProc

@@ -1196,7 +1194,7 @@

ExtProc

@@ -1213,6 +1211,7 @@

ExtProc

@@ -1227,6 +1226,8 @@

ExtProc

@@ -1241,6 +1242,8 @@

ExtProc

@@ -1252,6 +1255,8 @@

ExtProcOverride ExtProcPolicy)

+

ExtProcOverride override aspects of the configuration for this route. +A set of overrides in a more specific configuration will override a “disabled” flag set in a less-specific one.

(Optional) -

TODO: lewgun -https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase -Phase determines where in the filter chain this extProc is to be injected.

+

Phase determines where in the filter chain this extProc is to be injected.

(Optional) -

Priority determines ordering of extProc in the same phase. When multiple extProc are applied to the same workload in the same phase, +

Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, they will follow the order in which extProc(s) are added, Defaults to 0.

(Optional) +

GRPCService configure the gRPC service that the filter will communicate with.

(Optional) +

ProcessingMode describes which parts of an HTTP request and response are sent to a remote server +and how they are delivered.

(Optional) +

MutationRules specifies what headers may be manipulated by a processing filter. +This set of rules makes it possible to control which modifications a filter may make.

@@ -1273,6 +1278,7 @@

ExtProcOverride

@@ -1287,6 +1293,8 @@

ExtProcOverride

@@ -1320,7 +1328,8 @@

ExtProcPolicy

@@ -1335,7 +1344,8 @@

ExtProcPolicy

@@ -1410,6 +1420,7 @@

ExternalProcessor ContourConfigurationSpec)

+

ExternalProcessor defines a processing filter list and the policy for fine-grained at VirutalHost and/or Route level.

(Optional) +

GRPCService configure the gRPC service that the filter will communicate with.

(Optional) +

ProcessingMode describes which parts of an HTTP request and response are sent to a remote server +and how they are delivered.

(Optional)

When true, this field disables client request external processing -for the scope of the policy.

+for the scope of the policy. +Precisely one of disabled, overrides must be set.

(Optional) -

for global external processing, it’s not exists

+

Overrides aspects of the configuration for this route.

+

**Note: For VirtualHost, it’s must be nil.

@@ -1431,6 +1442,10 @@

ExternalProcessor

@@ -1446,8 +1461,8 @@

ExternalProcessor

@@ -1460,6 +1475,7 @@

GRPCService ExtProcOverride)

+

GRPCService configure the gRPC service that the filter will communicate with.

(Optional) +

Processors defines a processing filter list,and each filter in the list +will be added to the corresponding processing Priority in ascending order of it’s Priority within the same phase. +If no phase is specified, it will be added before the Router. +If no Priority is specified, the filters will be added in the order they appear in the list.

(Optional)

ExtProcPolicy sets a external processing policy. -This policy will be used unless overridden by individual routes. -for the default global external processor, it’s must be nil

+This policy will be used unless overridden by individual routes.

+

**Note: for the Global External Processor, it’s must be nil.

@@ -1481,7 +1497,7 @@

GRPCService

@@ -1494,7 +1510,7 @@

GRPCService

@@ -2393,6 +2408,8 @@

HeaderMutationRules ExtProc)

+

HeaderMutationRules specifies what headers may be manipulated by a processing filter. +This set of rules makes it possible to control which modifications a filter may make.

(Optional) -

ExtensionServiceRef specifies the extension resource that will authorize client requests.

+

ExtensionServiceRef specifies the extension resource that will handle the client requests.

(Optional) -

ResponseTimeout configures maximum time to wait for a check response from the authorization server. +

ResponseTimeout sets how long the proxy should wait for responses. Timeout durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. The string “infinity” is also a valid input and specifies no timeout.

@@ -1511,9 +1527,8 @@

GRPCService

(Optional)

If FailOpen is true, the client request is forwarded to the upstream service -even if the authorization server fails to respond. This field should not be -set in most cases. It is intended for use only while migrating applications -from internal authorization to Contour external authorization.

+even if the server fails to respond. This field should not be +set in most cases.

@@ -2491,7 +2508,7 @@

HeaderSendMode ProcessingMode)

-

Control how headers and trailers are handled

+

HeaderSendMode control how headers and trailers are handled

@@ -3191,6 +3208,8 @@

ProcessingMode ExtProcOverride)

+

ProcessingMode describes which parts of an HTTP request and response are sent to a remote server +and how they are delivered.

@@ -3299,6 +3318,7 @@

ProcessingPhase ExtProc)

+

ProcessingPhase define the phase in the filter chain where the external processing filter will be injected

@@ -3308,15 +3328,21 @@

ProcessingPhase

- + - + - + - + - +

"AuthN"

Insert before contour authentication filter(s).

+

"AuthZ"

Insert before contour authorization filter(s) and after the authentication filter(s).

+

"CORS"

Insert before contour CORS filter(s).

+

"RateLimit"

Insert before contour RateLimit.

+

"UnspecifiedPhase"

UnspecifiedPhase decides where to insert the external processing service. +This will generally be at the end of the filter chain, right before the Router

+

QueryParameterHashOptions @@ -5483,7 +5509,7 @@

VirtualHost -externalProcessor +extProc
@@ -5493,7 +5519,8 @@

VirtualHost (Optional) -

ExternalProcessor are a list of external processors which allow to act on HTTP traffic in a flexible way.

+

ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way +and the policy for fine-grained at VirtualHost level.

@@ -5711,22 +5738,6 @@

ContourConfiguration -globalExternalProcessor -
- -
-ExternalProcessor - - - - -(Optional) -

GlobalExternalProcessor allows envoys external processing filters -to be enabled for all virtual hosts.

- - - - rateLimitService
@@ -5786,6 +5797,22 @@

ContourConfiguration

Tracing defines properties for exporting trace data to OpenTelemetry.

+ + +globalExtProc +
+ + +ExternalProcessor + + + + +(Optional) +

GlobalExternalProcessor allows envoys external processing filters +to be enabled for all virtual hosts.

+ + @@ -6469,22 +6496,6 @@

ContourConfiguratio -globalExternalProcessor -
- - -ExternalProcessor - - - - -(Optional) -

GlobalExternalProcessor allows envoys external processing filters -to be enabled for all virtual hosts.

- - - - rateLimitService
@@ -6544,6 +6555,22 @@

ContourConfiguratio

Tracing defines properties for exporting trace data to OpenTelemetry.

+ + +globalExtProc +
+ + +ExternalProcessor + + + + +(Optional) +

GlobalExternalProcessor allows envoys external processing filters +to be enabled for all virtual hosts.

+ +

ContourConfigurationStatus From 2c9de3f7a357fbbc208ae3f224607b216c101fc2 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Wed, 18 Oct 2023 17:42:37 +0800 Subject: [PATCH 10/31] add filters by phase & refactor Signed-off-by: gang.liu --- apis/projectcontour/v1/helpers.go | 2 +- apis/projectcontour/v1/httpproxy.go | 1 + cmd/contour/serve.go | 18 ++-- internal/dag/dag.go | 129 +++++----------------------- internal/dag/httpproxy_processor.go | 61 +++---------- internal/envoy/v3/listener.go | 92 ++++++++++++++++++-- internal/sorter/sorter.go | 10 +++ internal/xdscache/v3/listener.go | 53 ++++++------ 8 files changed, 165 insertions(+), 201 deletions(-) diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index c24c1b92237..46317e978ad 100644 --- a/apis/projectcontour/v1/helpers.go +++ b/apis/projectcontour/v1/helpers.go @@ -24,7 +24,7 @@ func (v *VirtualHost) AuthorizationConfigured() bool { } // DisableAuthorization returns true if this virtual host disables -// authorization. If an authorization server is (un)present, the default +// authorization. If an authorization server is present, the default // policy is to not disable. func (v *VirtualHost) DisableAuthorization() bool { if v.AuthorizationConfigured() { diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index 86604be64a0..bb546f222a4 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -437,6 +437,7 @@ type ProcessingPhase string const ( // UnspecifiedPhase decides where to insert the external processing service. // This will generally be at the end of the filter chain, right before the Router + // **NOTE: if not specify, default to UnspecifiedPhase UnspecifiedPhase ProcessingPhase = "UnspecifiedPhase" // Insert before contour authentication filter(s). diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 3ef19976244..f1973f16265 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go 
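Review bot: The comment added to UnspecifiedPhase is ungrammatical and slightly misleading: the zero value of a ProcessingPhase field is the empty string, not the literal "UnspecifiedPhase" declared on the next line, so an unset phase only lands before the Router if whoever places the filters treats "" and UnspecifiedPhase alike. Suggest `// NOTE: a Phase left unset ("") is treated as UnspecifiedPhase.` and, if that normalisation is not already done in one place, mapping "" to UnspecifiedPhase where the filter chain is built rather than in every consumer. While in this file, note that the generated CRD text for the same types says processors are ordered by Priority "ascending" in the Processors description and "descending" in the Priority field itself; only one can be right, and the ordering decides which processor sees a request first. The const block continues outside the hunk.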
@@ -446,7 +446,7 @@ func (s *Server) doServe() error { return err } - if listenerConfig.GlobalExternalProcessorConfig, err = s.setupGlobalExternalProcessor(contourConfiguration); err != nil { + if listenerConfig.GlobalExternalProcessors, err = s.setupGlobalExternalProcessor(contourConfiguration); err != nil { return err } @@ -821,7 +821,7 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_ return globalExternalAuthConfig, nil } -func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.ContourConfigurationSpec) (*xdscache_v3.GlobalExtProcConfig, error) { +func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.ContourConfigurationSpec) ([]xdscache_v3.GlobalExtProcConfig, error) { if contourCfg.GlobalExternalProcessor == nil { return nil, nil } 
@@ -830,23 +830,23 @@ func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.Co return nil, fmt.Errorf("GlobalExternalProcessor.ExtProcPolicy cannot be defined.") } - globalExtProcCfg := &xdscache_v3.GlobalExtProcConfig{} + var globalExtProcs []xdscache_v3.GlobalExtProcConfig for _, ep := range contourCfg.GlobalExternalProcessor.Processors { // ensure the specified ExtensionService exists extSvcCfg, err := s.getExtensionSvcConfig(ep.GRPCService.ExtensionServiceRef.Name, ep.GRPCService.ExtensionServiceRef.Namespace) if err != nil { return nil, err } - - globalExtProcCfg.Processors = append(globalExtProcCfg.Processors, xdscache_v3.ExtProcConfig{ + globalExtProcs = append(globalExtProcs, xdscache_v3.GlobalExtProcConfig{ ExtensionServiceConfig: extSvcCfg, FailOpen: ep.GRPCService.FailOpen, - ProcessingMode: dag.ToProcessingMode(ep.ProcessingMode), - MutationRules: dag.ToMutationRules(ep.MutationRules), + Phase: ep.Phase, + Priority: ep.Priority, + ProcessingMode: ep.ProcessingMode, + MutationRules: ep.MutationRules, }) } - - return globalExtProcCfg, nil + return globalExtProcs, nil } func (s *Server) setupDebugService(debugConfig contour_api_v1alpha1.DebugConfig, builder *dag.Builder) error { diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 76bdeb55af0..442e0d20bf1 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -24,10 +24,10 @@ import ( "strings" "time" + contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" "github.com/projectcontour/contour/internal/status" "github.com/projectcontour/contour/internal/timeout" - envoy_config_filter_http_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) 
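Review bot: `Phase: ep.Phase` is copied from the configuration without being checked against the known `ProcessingPhase` values, and from the listener code in this patch a processor whose phase matches no anchor is simply never inserted, so a typo such as `phase: Authz` silently disables a global processor instead of failing startup the way a bad `ExtensionServiceRef` does a few lines above. A check beside the extension-service lookup, e.g. `if !knownPhase(ep.Phase) { return nil, fmt.Errorf("unknown processing phase %q", ep.Phase) }`, would fail closed; this may already be covered by an enum in the ContourConfiguration CRD schema, which is not visible here. `setupGlobalExternalProcessor` starts in the previous hunk.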
@@ -275,6 +275,16 @@ type InternalRedirectPolicy struct { DenyRepeatedRouteRedirect bool } +// Overrides that may be set on a per-route basis +type ExtProcOverrides struct { + // Set a different processing mode for this route than the default. + ProcessingMode *contour_api_v1.ProcessingMode + + // Set a different gRPC service for this route than the default. + ExtProcService *ExtensionCluster + ResponseTimeout *timeout.Setting +} + // Route defines the properties of a route to a Cluster. type Route struct { // PathMatchCondition specifies a MatchCondition to match on the request path. @@ -366,15 +376,13 @@ type Route struct { // If false, traffic is allowed only if it doesn't match any rule. IPFilterAllow bool - // IPFilterRules is a list of ipv4/6 filter rules for which matching + // IPFilterRules i /6 filter rules for which matching // requests should be filtered. The behavior of the filters is governed // by IPFilterAllow. IPFilterRules []IPFilterRule // ExtProcDisabled disable the filter for this particular vhost or route. // If disabled is specified in multiple per-filter-configs, the most specific one will be used. - // - // TODO: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#envoy-v3-api-msg-extensions-filters-http-ext-proc-v3-extprocoverrides ExtProcDisabled bool ExtProcOverrides *ExtProcOverrides @@ -802,7 +810,7 @@ type SecureVirtualHost struct { // ExtProcs contains the configurations for enabling // the ExtProc filters. - ExtProcs []ExternalProcessor + ExtProcs []*ExternalProcessor // JWTProviders specify how to verify JWTs. JWTProviders []JWTProvider 
@@ -889,12 +897,20 @@ type ExternalProcessor struct { // from internal to external authorization. FailOpen bool + // Phase determines where in the filter chain this extProc is to be injected. + Phase contour_api_v1.ProcessingPhase + + // Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, + // they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, + // they will follow the order in which extProc(s) are added, Defaults to 0. + Priority int32 + // Specifies default options for how HTTP headers, trailers, and bodies are sent. - ProcessingMode *ProcessingMode + ProcessingMode *contour_api_v1.ProcessingMode // Rules that determine what modifications an external processing server may // make to message headers. - MutationRules *HeaderMutationRules + MutationRules *contour_api_v1.HeaderMutationRules } // AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client 
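Review bot: The `Phase` comment does not say what the empty value means, although the listener code in this patch treats `""` as `UnspecifiedPhase`; add `// An empty Phase is treated as UnspecifiedPhase.` so DAG consumers do not have to discover that. Replacing the internal `ProcessingMode`/`HeaderMutationRules` types with the API types `contour_api_v1.ProcessingMode` and `contour_api_v1.HeaderMutationRules` also removes the conversion point where the DAG used to apply defaults and could validate ranges, so the DAG now carries possibly-nil, unvalidated user input straight to the Envoy builder; that trade-off deserves a sentence in the commit message. The `ExternalProcessor` struct continues outside the hunk.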
@@ -1298,102 +1314,3 @@ type SlowStartConfig struct { func (s *SlowStartConfig) String() string { return fmt.Sprintf("%s%f%d", s.Window.String(), s.Aggression, s.MinWeightPercent) } - -// Control how headers and trailers are handled -type HeaderSendMode int32 - -const ( - // The default HeaderSendMode depends on which part of the message is being - // processed. By default, request and response headers are sent, - // while trailers are skipped. - ProcessingMode_DEFAULT HeaderSendMode = 0 - // Send the header or trailer. - ProcessingMode_SEND HeaderSendMode = 1 - // Do not send the header or trailer. - ProcessingMode_SKIP HeaderSendMode = 2 -) - -// Control how the request and response bodies are handled -type BodySendMode int32 - -const ( - // Do not send the body at all. This is the default. - ProcessingMode_NONE BodySendMode = 0 - // Stream the body to the server in pieces as they arrive at the - // proxy. - ProcessingMode_STREAMED BodySendMode = 1 - // Buffer the message body in memory and send the entire body at once. - // If the body exceeds the configured buffer limit, then the - // downstream system will receive an error. - ProcessingMode_BUFFERED BodySendMode = 2 - // Buffer the message body in memory and send the entire body in one - // chunk. If the body exceeds the configured buffer limit, then the body contents - // up to the buffer limit will be sent. - ProcessingMode_BUFFERED_PARTIAL BodySendMode = 3 -) - -// Overrides that may be set on a per-route basis -type ExtProcOverrides struct { - // Set a different processing mode for this route than the default. - ProcessingMode *ProcessingMode - - // Set a different gRPC service for this route than the default. - ExtProcService *ExtensionCluster - ResponseTimeout *timeout.Setting -} - -type ProcessingMode struct { - // How to handle the request header. Default is "SEND". - RequestHeaderMode HeaderSendMode - // How to handle the response header. Default is "SEND". 
- ResponseHeaderMode HeaderSendMode - // How to handle the request body. Default is "NONE". - RequestBodyMode BodySendMode - // How do handle the response body. Default is "NONE". - ResponseBodyMode BodySendMode - // How to handle the request trailers. Default is "SKIP". - RequestTrailerMode HeaderSendMode - // How to handle the response trailers. Default is "SKIP". - ResponseTrailerMode HeaderSendMode -} - -type HeaderMutationRules struct { - // By default, certain headers that could affect processing of subsequent - // filters or request routing cannot be modified. These headers are - // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter - // to true allows these headers to be modified as well. - AllowAllRouting bool - // If true, allow modification of envoy internal headers. By default, these - // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` - // configuration. Default is false. - AllowEnvoy bool - // If true, prevent modification of any system header, defined as a header - // that starts with a ``:`` character, regardless of any other settings. - // A processing server may still override the ``:status`` of an HTTP response - // using an ``ImmediateResponse`` message. Default is false. - DisallowSystem bool - // If true, prevent modifications of all header values, regardless of any - // other settings. A processing server may still override the ``:status`` - // of an HTTP response using an ``ImmediateResponse`` message. Default is false. - DisallowAll bool - // If true, and if the rules in this list cause a header mutation to be - // disallowed, then the filter using this configuration will terminate the - // request with a 500 error. In addition, regardless of the setting of this - // parameter, any attempt to set, add, or modify a disallowed header will - // cause the ``rejected_header_mutations`` counter to be incremented. - // Default is false. 
- DisallowIsError bool -} - -func MakeProcessMode(mode *ProcessingMode) *envoy_config_filter_http_ext_proc_v3.ProcessingMode { - return &envoy_config_filter_http_ext_proc_v3.ProcessingMode{ - RequestHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestHeaderMode), - ResponseHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseHeaderMode), - - RequestBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.RequestBodyMode), - ResponseBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.ResponseBodyMode), - - RequestTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestTrailerMode), - ResponseTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseTrailerMode), - } -} diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 3abc0dcb892..d1d1e6c99a5 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go 
@@ -48,45 +48,6 @@ func defaultExtensionRef(ref contour_api_v1.ExtensionServiceReference) contour_a return ref } -func ToProcessingMode(pm *contour_api_v1.ProcessingMode) *ProcessingMode { - - // TODO: move to somewhere? - if pm == nil { - pm = &contour_api_v1.ProcessingMode{ - RequestHeaderMode: 1, - ResponseHeaderMode: 1, - RequestBodyMode: 0, - ResponseBodyMode: 0, - RequestTrailerMode: 2, - ResponseTrailerMode: 2, - } - } - return &ProcessingMode{ - RequestHeaderMode: HeaderSendMode(pm.RequestHeaderMode), - ResponseHeaderMode: HeaderSendMode(pm.ResponseHeaderMode), - - RequestBodyMode: BodySendMode(pm.RequestBodyMode), - ResponseBodyMode: BodySendMode(pm.ResponseBodyMode), - - RequestTrailerMode: HeaderSendMode(pm.RequestTrailerMode), - ResponseTrailerMode: HeaderSendMode(pm.ResponseTrailerMode), - } -} - -func ToMutationRules(rule *contour_api_v1.HeaderMutationRules) *HeaderMutationRules { - // TODO: move to somewhere? - if rule == nil { - rule = &contour_api_v1.HeaderMutationRules{} - } - return &HeaderMutationRules{ - AllowAllRouting: rule.AllowAllRouting, - AllowEnvoy: rule.AllowEnvoy, - DisallowSystem: rule.DisallowSystem, - DisallowAll: rule.DisallowAll, - DisallowIsError: rule.DisallowIsError, - } -} - // HTTPProxyProcessor translates HTTPProxies into DAG // objects and adds them to the DAG. type HTTPProxyProcessor struct { @@ -1224,7 +1185,7 @@ func toExtProcOverrides( } return &ExtProcOverrides{ - ProcessingMode: ToProcessingMode(override.ProcessingMode), + ProcessingMode: override.ProcessingMode, ExtProcService: extSvc, ResponseTimeout: respTimeout, } 
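Review bot: `toExtProcOverrides` now passes `override.ProcessingMode` through unchanged, whereas the deleted `ToProcessingMode` substituted a default when it was nil; the listener-level `filterExtProc` in this patch re-adds that default, but whatever turns `ExtProcOverrides` into the per-route Envoy config (not in this hunk) must now tolerate a nil pointer, and a converter shaped like `makeProcessMode` will dereference it. Either keep the nil-to-default substitution here, e.g. `ProcessingMode: defaultProcessingMode(override.ProcessingMode),`, or make the route-side converter nil-safe. The body of `toExtProcOverrides` starts outside the hunk.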
@@ -1518,12 +1479,12 @@ func (p *HTTPProxyProcessor) computeVirtualHostAuthorization( func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( extProcessor *contour_api_v1.ExternalProcessor, validCond *contour_api_v1.DetailedCondition, - httpproxy *contour_api_v1.HTTPProxy) []ExternalProcessor { + httpproxy *contour_api_v1.HTTPProxy) []*ExternalProcessor { - var extProcs []ExternalProcessor - for _, proc := range extProcessor.Processors { + var extProcs []*ExternalProcessor + for _, ep := range extProcessor.Processors { ok, extSvc := validateExtensionService( - defaultExtensionRef(proc.GRPCService.ExtensionServiceRef), + defaultExtensionRef(ep.GRPCService.ExtensionServiceRef), validCond, httpproxy.Namespace, contour_api_v1.ConditionTypeExtProcError, @@ -1531,17 +1492,19 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( if !ok { return nil } - ok, respTimeout := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeExtProcError, proc.GRPCService.ResponseTimeout, validCond, extSvc) + ok, respTimeout := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeExtProcError, ep.GRPCService.ResponseTimeout, validCond, extSvc) if !ok { return nil } - extProcs = append(extProcs, ExternalProcessor{ + extProcs = append(extProcs, &ExternalProcessor{ ExtProcService: extSvc, ResponseTimeout: *respTimeout, - FailOpen: proc.GRPCService.FailOpen, - ProcessingMode: ToProcessingMode(proc.ProcessingMode), - MutationRules: ToMutationRules(proc.MutationRules), + FailOpen: ep.GRPCService.FailOpen, + ProcessingMode: ep.ProcessingMode, + MutationRules: ep.MutationRules, + Phase: ep.Phase, + Priority: ep.Priority, }) } diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 3bcf915bf31..54e87bccada 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go 
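Review bot: `Phase: ep.Phase` is stored without normalising or validating it, so an empty phase is only patched up later by the Envoy builder mutating the DAG object, and an unrecognised phase is never reported on the HTTPProxy and its processor silently does not run. This function already has `validCond` in hand, so it is the right place to do `if ep.Phase == "" { ep.Phase = contour_api_v1.UnspecifiedPhase }` and to add an `ExtProcError` condition for an unknown value, mirroring how the extension-service reference and timeout are validated just above. `computeVirtualHostExtProcs` ends outside the hunk.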
@@ -46,6 +46,7 @@ import ( "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/wrapperspb" + contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/dag" "github.com/projectcontour/contour/internal/envoy" 
@@ -384,9 +385,59 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu return b } -func (b *httpConnectionManagerBuilder) AddFilters(filters []*http.HttpFilter) *httpConnectionManagerBuilder { - for _, f := range filters { - b.AddFilter(f) +func findFilterIndex(filters []*http.HttpFilter, name string) int { + for i, v := range filters { + if v.Name == name { + return i + } + } + return -1 +} + +func makePhaseFilters(processors []*dag.ExternalProcessor, phase contour_api_v1.ProcessingPhase) []*http.HttpFilter { + var filters []*http.HttpFilter + var extProcs []*dag.ExternalProcessor + + for _, ep := range processors { + // UnspecifiedPhase decides where to insert the external processing service. + // This will generally be at the end of the filter chain, right before the Router + if len(ep.Phase) == 0 { + ep.Phase = contour_api_v1.UnspecifiedPhase + } + if ep.Phase != phase { + continue + } + extProcs = append(extProcs, ep) + } + + sort.Stable(sorter.For(extProcs)) + for _, ep := range extProcs { + filters = append(filters, filterExtProc(ep)) + } + return filters +} + +func (b *httpConnectionManagerBuilder) AddExtProcFilters(processors []*dag.ExternalProcessor) *httpConnectionManagerBuilder { + phases := map[contour_api_v1.ProcessingPhase]string{ + contour_api_v1.AuthN: "envoy.filters.http.jwt_authn", + contour_api_v1.AuthZ: "envoy.filters.http.ext_authz", + contour_api_v1.CORS: "cors", + contour_api_v1.RateLimit: wellknown.HTTPRateLimit, + contour_api_v1.UnspecifiedPhase: "router", + } + for phase, name := range phases { + // only insert when we find the 'anchor' + if i := findFilterIndex(b.filters, name); i != -1 { + second := b.filters[i:] + b.filters = b.filters[:i] + + for _, f := range makePhaseFilters(processors, phase) { + b.AddFilter(f) + } + for _, f := range second { + b.AddFilter(f) + } + } } return b } 
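Review bot: In `AddExtProcFilters` a processor whose anchor filter is absent from this chain is dropped without a trace, for example an `AuthZ`-phase processor on a connection manager that has no `ext_authz` filter, so a processor the operator meant as a security check simply does not run; falling back to the `router` anchor or failing loudly is safer than the silent skip. `makePhaseFilters` also writes `ep.Phase = contour_api_v1.UnspecifiedPhase` into the shared `*dag.ExternalProcessor`, a render-time mutation of the DAG that every connection manager repeats; compare against a local value instead. Iterating the `phases` map yields a random order, which looks harmless because each phase has a distinct anchor, but a fixed slice would make that explicit.
```go
func makePhaseFilters(processors []*dag.ExternalProcessor, phase contour_api_v1.ProcessingPhase) []*http.HttpFilter {
	var extProcs []*dag.ExternalProcessor
	for _, ep := range processors {
		epPhase := ep.Phase
		if epPhase == "" {
			epPhase = contour_api_v1.UnspecifiedPhase
		}
		if epPhase == phase {
			extProcs = append(extProcs, ep)
		}
	}
	// … unchanged: stable sort by priority and filterExtProc …
}
```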
@@ -422,7 +473,7 @@ func (b *httpConnectionManagerBuilder) AddFilter(f *http.HttpFilter) *httpConnec
 // If this happens, it has to be programmer error, so we panic to tell them
 // it needs to be fixed. Note that in hitting this case, it doesn't matter we added
 // the second one earlier, because we're panicking anyway.
- if f.GetTypedConfig().MessageIs(&envoy_router_v3.Router{}) {
+ if f.GetTypedConfig().MessageIs(&envoy_router_v3.Router{}) && routerIndex != lastIndex {
 panic("Can't add more than one router to a filter chain")
 }
 if routerIndex != lastIndex {
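Review bot: Relaxing the guard to `&& routerIndex != lastIndex` means a second `Router` filter is now accepted whenever the existing router is already last, so the one-router invariant described in the surrounding comment no longer holds and whether the chain ends up with two routers depends on the code after this hunk. The relaxation appears to exist only so that `AddExtProcFilters` can re-append the router it truncated away; splicing the phase filters directly into `b.filters` (`b.filters = append(b.filters[:i:i], append(phaseFilters, rest...)...)`) would leave `AddFilter`'s invariant intact. `AddFilter` starts and ends outside the hunk.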
@@ -774,13 +825,40 @@ end } } -// FilterExtProc returns an `ext_proc` filter configured with the +func makeProcessMode(mode *contour_api_v1.ProcessingMode) *envoy_config_filter_http_ext_proc_v3.ProcessingMode { + return &envoy_config_filter_http_ext_proc_v3.ProcessingMode{ + RequestHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestHeaderMode), + ResponseHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseHeaderMode), + + RequestBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.RequestBodyMode), + ResponseBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.ResponseBodyMode), + + RequestTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestTrailerMode), + ResponseTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseTrailerMode), + } +} + +// filterExtProc returns an `ext_proc` filter configured with the // requested parameters. 
-func FilterExtProc(extProc *dag.ExternalProcessor) *http.HttpFilter { +func filterExtProc(extProc *dag.ExternalProcessor) *http.HttpFilter { + if extProc.ProcessingMode == nil { + extProc.ProcessingMode = &contour_api_v1.ProcessingMode{ + RequestHeaderMode: 1, + ResponseHeaderMode: 1, + RequestBodyMode: 0, + ResponseBodyMode: 0, + RequestTrailerMode: 2, + ResponseTrailerMode: 2, + } + } + if extProc.MutationRules == nil { + extProc.MutationRules = &contour_api_v1.HeaderMutationRules{} + } + extProcConfig := envoy_config_filter_http_ext_proc_v3.ExternalProcessor{ GrpcService: GrpcService(extProc.ExtProcService.Name, extProc.ExtProcService.SNI, extProc.ResponseTimeout), FailureModeAllow: extProc.FailOpen, - ProcessingMode: dag.MakeProcessMode(extProc.ProcessingMode), + ProcessingMode: makeProcessMode(extProc.ProcessingMode), MessageTimeout: envoy.Timeout(timeout.DefaultSetting()), MaxMessageTimeout: envoy.Timeout(timeout.DefaultSetting()), DisableClearRouteCache: false, diff --git a/internal/sorter/sorter.go b/internal/sorter/sorter.go index 133273c5cd2..fac931949c9 100644 --- a/internal/sorter/sorter.go +++ b/internal/sorter/sorter.go @@ -443,6 +443,12 @@ func (s secretSorter) Len() int { return len(s) } func (s secretSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } func (s secretSorter) Less(i, j int) bool { return s[i].Name < s[j].Name } +type extProcSorter []*dag.ExternalProcessor + +func (s extProcSorter) Len() int { return len(s) } +func (s extProcSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } +func (s extProcSorter) Less(i, j int) bool { return s[i].Priority < s[j].Priority } + // For returns a sort.Interface object that can be used to sort the // given value. It returns nil if there is no sorter for the type of // value. @@ -472,6 +478,10 @@ func For(v any) sort.Interface { return listenerSorter(v) case []*envoy_listener_v3.FilterChain: return filterChainSorter(v) + + case []*dag.ExternalProcessor: + return extProcSorter(v) + default: return nil } 
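Review bot: `filterExtProc` writes its defaults back into the caller's object (`extProc.ProcessingMode = …`, `extProc.MutationRules = …`), mutating the DAG while rendering Envoy config; use locals such as `mode := extProc.ProcessingMode; if mode == nil { mode = &contour_api_v1.ProcessingMode{…} }` instead. The default mode is spelled with bare `1, 1, 0, 0, 2, 2` although the API package defines named `HeaderSendMode`/`BodySendMode` constants for exactly these values. `makeProcessMode` also casts the user-supplied ints straight into the Envoy enums without a range check, so an out-of-range value is only caught when Envoy rejects the listener, unless the CRD schema already bounds these fields, which is not visible here. The `ExternalProcessor` literal continues outside the hunk.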
diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index 2d444aff676..f0b5576c2fb 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -25,6 +25,7 @@ import ( "google.golang.org/protobuf/proto" "k8s.io/apimachinery/pkg/types" + contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/contourconfig" @@ -142,9 +143,9 @@ type ListenerConfig struct { // used. GlobalExternalAuthConfig *GlobalExternalAuthConfig - // GlobalExternalProcessorConfig optionally configures the global external processing Services to be + // GlobalExternalProcessors optionally configures the global external processing services to be // used. - GlobalExternalProcessorConfig *GlobalExtProcConfig + GlobalExternalProcessors []GlobalExtProcConfig // TracingConfig optionally configures the tracing collector Service to be // used. @@ -203,16 +204,14 @@ type GlobalExternalAuthConfig struct { WithRequestBody *dag.AuthorizationServerBufferSettings } -type ExtProcConfig struct { +type GlobalExtProcConfig struct { ExtensionServiceConfig FailOpen bool - ProcessingMode *dag.ProcessingMode - MutationRules *dag.HeaderMutationRules -} - -type GlobalExtProcConfig struct { - Processors []ExtProcConfig + Phase contour_api_v1.ProcessingPhase + Priority int32 + ProcessingMode *contour_api_v1.ProcessingMode + MutationRules *contour_api_v1.HeaderMutationRules } // httpAccessLog returns the access log for the HTTP (non TLS) 
@@ -438,10 +437,10 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { NumTrustedHops(cfg.XffNumTrustedHops). MaxRequestsPerConnection(cfg.MaxRequestsPerConnection). AddFilter(httpGlobalExternalAuthConfig(cfg.GlobalExternalAuthConfig)). - AddFilters(httpGlobalExtProcConfig(cfg.GlobalExternalProcessorConfig)). Tracing(envoy_v3.TracingConfig(envoyTracingConfig(cfg.TracingConfig))). AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))). EnableWebsockets(listener.EnableWebsockets). + AddExtProcFilters(toExternalProcessors(cfg.GlobalExternalProcessors)). Get() listeners[listener.Name] = envoy_v3.Listener( @@ -485,11 +484,6 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { authFilter = envoy_v3.FilterExternalAuthz(vh.ExternalAuthorization) } - var extProcFilters []*http.HttpFilter - for _, ep := range vh.ExtProcs { - extProcFilters = append(extProcFilters, envoy_v3.FilterExtProc(&ep)) - } - // Create a uniquely named HTTP connection manager for // this vhost, so that the SNI name the client requests // only grants access to that host. See RFC 6066 for @@ -502,7 +496,6 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { AddFilter(envoy_v3.FilterMisdirectedRequests(vh.VirtualHost.Name)). DefaultFilters(). AddFilter(authFilter). - AddFilters(extProcFilters). AddFilter(envoy_v3.FilterJWTAuth(vh.JWTProviders)). RouteConfigName(httpsRouteConfigName(listener, vh.VirtualHost.Name)). MetricsPrefix(listener.Name). @@ -522,6 +515,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { ForwardClientCertificate(forwardClientCertificate). MaxRequestsPerConnection(cfg.MaxRequestsPerConnection). EnableWebsockets(listener.EnableWebsockets). + AddExtProcFilters(vh.ExtProcs). Get() filters = envoy_v3.Filters(cm) 
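Review bot: The per-vhost HTTPS connection manager only gets `AddExtProcFilters(vh.ExtProcs)` while the HTTP listener gets `cfg.GlobalExternalProcessors`; unless the DAG builder folds the global processors into `vh.ExtProcs` for proxies that do not set their own (the way global external authorization is handled), TLS virtual hosts silently receive no global processing. Because `AddExtProcFilters` anchors on filters already in the chain it must remain the last builder call before `Get()`, which is worth a comment such as `// must run after every anchor filter has been added`. Both builder chains start outside the hunk.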
@@ -648,25 +642,26 @@ func httpGlobalExternalAuthConfig(config *GlobalExternalAuthConfig) *http.HttpFi } -func httpGlobalExtProcConfig(config *GlobalExtProcConfig) []*http.HttpFilter { - if config == nil { +func toExternalProcessors(processors []GlobalExtProcConfig) []*dag.ExternalProcessor { + if processors == nil { return nil } - var filters []*http.HttpFilter - for _, epCfg := range config.Processors { - filters = append(filters, envoy_v3.FilterExtProc(&dag.ExternalProcessor{ + var extProcs []*dag.ExternalProcessor + for _, p := range processors { + ep := &dag.ExternalProcessor{ ExtProcService: &dag.ExtensionCluster{ - Name: dag.ExtensionClusterName(epCfg.ExtensionServiceConfig.ExtensionService), - SNI: epCfg.ExtensionServiceConfig.SNI, + Name: dag.ExtensionClusterName(p.ExtensionServiceConfig.ExtensionService), + SNI: p.ExtensionServiceConfig.SNI, }, - FailOpen: epCfg.FailOpen, - ResponseTimeout: epCfg.ExtensionServiceConfig.Timeout, - ProcessingMode: epCfg.ProcessingMode, - MutationRules: epCfg.MutationRules, - })) + FailOpen: p.FailOpen, + ResponseTimeout: p.ExtensionServiceConfig.Timeout, + ProcessingMode: p.ProcessingMode, + MutationRules: p.MutationRules, + } + extProcs = append(extProcs, ep) } - return filters + return extProcs } func envoyGlobalRateLimitConfig(config *RateLimitConfig) *envoy_v3.GlobalRateLimitConfig { From d1a4011540cdecb617cf1b7d715f250420c3d9b7 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Wed, 18 Oct 2023 18:49:19 +0800 Subject: [PATCH 11/31] bugfix & duplicate processing check Signed-off-by: gang.liu --- cmd/contour/serve.go | 10 ++++++++++ internal/dag/httpproxy_processor.go | 11 +++++++++++ internal/envoy/v3/listener.go | 3 ++- internal/sorter/sorter.go | 2 +- internal/xdscache/v3/listener.go | 2 ++ 5 files changed, 26 insertions(+), 2 deletions(-) diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index f1973f16265..6736ec7cfbb 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go 
@@ -830,13 +830,23 @@ func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.Co return nil, fmt.Errorf("GlobalExternalProcessor.ExtProcPolicy cannot be defined.") } + m := map[client.ObjectKey]struct{}{} + var globalExtProcs []xdscache_v3.GlobalExtProcConfig for _, ep := range contourCfg.GlobalExternalProcessor.Processors { + // ensure the specified ExtensionService exists extSvcCfg, err := s.getExtensionSvcConfig(ep.GRPCService.ExtensionServiceRef.Name, ep.GRPCService.ExtensionServiceRef.Namespace) if err != nil { return nil, err } + + // ensure unique external processing + if _, ok := m[extSvcCfg.ExtensionService]; ok { + return nil, fmt.Errorf("external processing %s/%s is duplicated.", extSvcCfg.ExtensionService.Namespace, extSvcCfg.ExtensionService.Namespace) + } + m[extSvcCfg.ExtensionService] = struct{}{} + globalExtProcs = append(globalExtProcs, xdscache_v3.GlobalExtProcConfig{ ExtensionServiceConfig: extSvcCfg, FailOpen: ep.GRPCService.FailOpen, diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index d1d1e6c99a5..df798ffd043 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -200,6 +200,17 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) { extProc := proxy.Spec.VirtualHost.ExternalProcessor if extProc != nil { + m := map[contour_api_v1.ExtensionServiceReference]struct{}{} + for _, ep := range extProc.Processors { + objKey := ep.GRPCService.ExtensionServiceRef + if _, ok := m[objKey]; ok { + validCond.AddError(contour_api_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", + fmt.Sprintf("Spec.VirtualHost.ExternalProcessor.Processors is invalid: duplicate name %s/%s", objKey.Namespace, objKey.Name)) + return + } + m[ep.GRPCService.ExtensionServiceRef] = struct{}{} + } + if proxy.Spec.VirtualHost.TLS == nil { for _, ep := range extProc.Processors { if len(ep.GRPCService.ExtensionServiceRef.Name) > 0 { 
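Review bot: The duplicate error prints the namespace twice, `extSvcCfg.ExtensionService.Namespace, extSvcCfg.ExtensionService.Namespace`, so the operator never sees which service is duplicated; the second argument should be `extSvcCfg.ExtensionService.Name`. Keying the map on the resolved `client.ObjectKey` rather than the raw reference is the right choice here. `setupGlobalExternalProcessor` starts and ends outside the hunk.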
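Review bot: The duplicate check keys on the raw `ep.GRPCService.ExtensionServiceRef`, whereas the validation path below resolves references through `defaultExtensionRef` (which fills in the proxy namespace), so a reference written without a namespace and the same reference with the proxy's namespace pass as distinct and both resolve to one ExtensionService, producing two filters for the same processor. Use the normalised key, `objKey := defaultExtensionRef(ep.GRPCService.ExtensionServiceRef)`, so the check matches what is actually attached. `computeHTTPProxy` continues outside the hunk.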
diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 54e87bccada..e6d590d2e17 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go @@ -428,7 +428,8 @@ func (b *httpConnectionManagerBuilder) AddExtProcFilters(processors []*dag.Exter for phase, name := range phases { // only insert when we find the 'anchor' if i := findFilterIndex(b.filters, name); i != -1 { - second := b.filters[i:] + second := make([]*http.HttpFilter, len(b.filters[i:])) + copy(second, b.filters[i:]) b.filters = b.filters[:i] for _, f := range makePhaseFilters(processors, phase) { diff --git a/internal/sorter/sorter.go b/internal/sorter/sorter.go index fac931949c9..0ef0a209146 100644 --- a/internal/sorter/sorter.go +++ b/internal/sorter/sorter.go @@ -447,7 +447,7 @@ type extProcSorter []*dag.ExternalProcessor func (s extProcSorter) Len() int { return len(s) } func (s extProcSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } -func (s extProcSorter) Less(i, j int) bool { return s[i].Priority < s[j].Priority } +func (s extProcSorter) Less(i, j int) bool { return s[i].Priority > s[j].Priority } // For returns a sort.Interface object that can be used to sort the // given value. It returns nil if there is no sorter for the type of diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index f0b5576c2fb..a792c33912b 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -658,6 +658,8 @@ func toExternalProcessors(processors []GlobalExtProcConfig) []*dag.ExternalProce ResponseTimeout: p.ExtensionServiceConfig.Timeout, ProcessingMode: p.ProcessingMode, MutationRules: p.MutationRules, + Phase: p.Phase, + Priority: p.Priority, } extProcs = append(extProcs, ep) } From 024a515bc90ef169e45125ff705042af15991a3a Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 19 Oct 2023 11:29:13 +0800 Subject: [PATCH 12/31] fix ut 
Signed-off-by: gang.liu --- Makefile | 3 +-- internal/dag/httpproxy_processor.go | 2 +- internal/dag/httpproxy_processor_test.go | 2 +- internal/xdscache/v3/listener.go | 1 + site/content/docs/main/config/api-reference.html | 3 ++- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 658c4382af4..c9e2fb8a9c6 100644 --- a/Makefile +++ b/Makefile @@ -225,8 +225,7 @@ lint-flags: .PHONY: generate generate: ## Re-generate generated code and documentation -# generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go -generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go +generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go .PHONY: generate-rbac generate-rbac: diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index df798ffd043..bf383f3d946 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -1563,7 +1563,7 @@ func validateExtensionService( return true, ext } -const extSvcRespTimeoutFormat = "%s is invalid: %q" +const extSvcRespTimeoutFormat = "%s is invalid: %s" func determineExtensionServiceTimeout( errorType string, diff --git a/internal/dag/httpproxy_processor_test.go b/internal/dag/httpproxy_processor_test.go index 8eb86063860..078ce89eed1 100644 --- a/internal/dag/httpproxy_processor_test.go +++ b/internal/dag/httpproxy_processor_test.go 
@@ -866,7 +866,7 @@ func TestDetermineExternalAuthTimeout(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { validCond := &contour_api_v1.DetailedCondition{} - gotBool, got := determineExtensionServiceTimeout(tc.responseTimeout, validCond, tc.ext) + gotBool, got := determineExtensionServiceTimeout(contour_api_v1.ConditionTypeAuthError, tc.responseTimeout, validCond, tc.ext) require.Equal(t, tc.want, got) require.Equal(t, tc.wantBool, gotBool) require.Equal(t, tc.wantValidCond, validCond) diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index 0af82be247e..6ad9bf27b54 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -595,6 +595,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { MaxRequestsPerConnection(cfg.MaxRequestsPerConnection). HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams). EnableWebsockets(listener.EnableWebsockets). + AddExtProcFilters(toExternalProcessors(cfg.GlobalExternalProcessors)). Get() // Default filter chain diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index f632c4478bc..a5a562f9523 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -3341,7 +3341,8 @@

ProcessingPhase

"UnspecifiedPhase"

UnspecifiedPhase decides where to insert the external processing service. -This will generally be at the end of the filter chain, right before the Router

+This will generally be at the end of the filter chain, right before the Router +**NOTE: if not specify, default to UnspecifiedPhase

From 04d9840dfc25513dfd28ae67f4408b4f8320553f Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 19 Oct 2023 14:06:31 +0800 Subject: [PATCH 13/31] make lint happy Signed-off-by: gang.liu --- Makefile | 2 +- apis/projectcontour/v1/httpproxy.go | 14 +++++++------- cmd/contour/serve.go | 4 ++-- internal/dag/dag.go | 2 +- internal/featuretests/v3/envoy.go | 23 ----------------------- 5 files changed, 11 insertions(+), 34 deletions(-) diff --git a/Makefile b/Makefile index c9e2fb8a9c6..27f41d2ef5b 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ IMAGE := $(REGISTRY)/$(PROJECT) SRCDIRS := ./cmd ./internal ./apis LOCAL_BOOTSTRAP_CONFIG = localenvoyconfig.yaml SECURE_LOCAL_BOOTSTRAP_CONFIG = securelocalenvoyconfig.yaml -ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.2 +ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.1 GATEWAY_API_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{print $$2}') # Used to supply a local Envoy docker container an IP to connect to that is running diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index bb546f222a4..2a35a1691b9 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -298,13 +298,13 @@ const ( // The default HeaderSendMode depends on which part of the message is being // processed. By default, request and response headers are sent, // while trailers are skipped. - ProcessingMode_DEFAULT HeaderSendMode = 0 + ProcessingModeDefault HeaderSendMode = 0 // Send the header or trailer. - ProcessingMode_SEND HeaderSendMode = 1 + ProcessingModeSend HeaderSendMode = 1 // Do not send the header or trailer. - ProcessingMode_SKIP HeaderSendMode = 2 + ProcessingModeSkip HeaderSendMode = 2 ) // BodySendMode control how the request and response bodies are handled 
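Review bot: The Envoy image is pinned back from `v1.27.2` to `v1.27.1` in a commit titled "make lint happy", which has nothing to do with lint and moves the data plane to an older patch release; patch releases on a stable line exist to carry fixes, so a downgrade needs its own commit with a stated reason. If the newer image broke a test, say so in the commit message rather than reverting the bump silently.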
@@ -312,21 +312,21 @@ type BodySendMode int32 const ( // Do not send the body at all. This is the default. - ProcessingMode_NONE BodySendMode = 0 + ProcessingModeNone BodySendMode = 0 // Stream the body to the server in pieces as they arrive at the // proxy. - ProcessingMode_STREAMED BodySendMode = 1 + ProcessingModeStreamed BodySendMode = 1 // Buffer the message body in memory and send the entire body at once. // If the body exceeds the configured buffer limit, then the // downstream system will receive an error. - ProcessingMode_BUFFERED BodySendMode = 2 + ProcessingModeBuffered BodySendMode = 2 // Buffer the message body in memory and send the entire body in one // chunk. If the body exceeds the configured buffer limit, then the body contents // up to the buffer limit will be sent. - ProcessingMode_BUFFERED_PARTIAL BodySendMode = 3 + ProcessingModeBufferedPartial BodySendMode = 3 ) // HeaderMutationRules specifies what headers may be manipulated by a processing filter. diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 375d79263c5..0c8a32eb41a 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -847,7 +847,7 @@ func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.Co } if contourCfg.GlobalExternalProcessor.ExtProcPolicy != nil { - return nil, fmt.Errorf("GlobalExternalProcessor.ExtProcPolicy cannot be defined.") + return nil, fmt.Errorf("GlobalExternalProcessor.ExtProcPolicy cannot be defined") } m := map[client.ObjectKey]struct{}{} 
@@ -863,7 +863,7 @@ func (s *Server) setupGlobalExternalProcessor(contourCfg contour_api_v1alpha1.Co // ensure unique external processing if _, ok := m[extSvcCfg.ExtensionService]; ok { - return nil, fmt.Errorf("external processing %s/%s is duplicated.", extSvcCfg.ExtensionService.Namespace, extSvcCfg.ExtensionService.Namespace) + return nil, fmt.Errorf("external processing %s/%s is duplicated", extSvcCfg.ExtensionService.Namespace, extSvcCfg.ExtensionService.Namespace) } m[extSvcCfg.ExtensionService] = struct{}{} diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 442e0d20bf1..46919d5ccbf 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -887,7 +887,7 @@ type ExternalProcessor struct { ExtProcService *ExtensionCluster // ResponseTimeout sets how long the proxy should wait - // for extenal processor responses. + // for external processor responses. // This is the timeout for a specific request. ResponseTimeout timeout.Setting diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go index 55b737a2c69..97252185bd2 100644 --- a/internal/featuretests/v3/envoy.go +++ b/internal/featuretests/v3/envoy.go 
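Review bot: The reworded duplicate-entry error on the `+` line passes `extSvcCfg.ExtensionService.Namespace` for both `%s` verbs, so the message prints the namespace twice and the duplicated service cannot be identified from the log or status; the second argument should be the name, `return nil, fmt.Errorf("external processing %s/%s is duplicated", extSvcCfg.ExtensionService.Namespace, extSvcCfg.ExtensionService.Name)`. The preceding hunk in this file (`@@ -847`) turns a constant message into a `fmt.Errorf` call with no format arguments; if the `errors` package is in scope, `errors.New("GlobalExternalProcessor.ExtProcPolicy cannot be defined")` is the idiomatic form linters expect. setupGlobalExternalProcessor starts and ends outside both hunks.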
@@ -523,29 +523,6 @@ func authzFilterFor( Get() } -// TODO: lewgun -// extProcFilterFor does the same as httpsFilterFor but inserts a -// `ext_authz` filter with the specified configuration into the -// filter chain. -func extProcFilterFor( - vhost string, - authz *envoy_config_filter_http_ext_authz_v3.ExtAuthz, -) *envoy_listener_v3.Filter { - return envoy_v3.HTTPConnectionManagerBuilder(). - AddFilter(envoy_v3.FilterMisdirectedRequests(vhost)). - DefaultFilters(). - AddFilter(&http.HttpFilter{ - Name: "envoy.filters.http.ext_authz", - ConfigType: &http.HttpFilter_TypedConfig{ - TypedConfig: protobuf.MustMarshalAny(authz), - }, - }). - RouteConfigName(path.Join("https", vhost)). - MetricsPrefix(xdscache_v3.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy_v3.FileAccessLogEnvoy("/dev/stdout", "", nil, contour_api_v1alpha1.LogLevelInfo)). - Get() -} - func jwtAuthnFilterFor( vhost string, jwt *envoy_jwt_v3.JwtAuthentication, From 11396dc21358f9d9c647baf94a222ebc08ea269b Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Wed, 10 Jan 2024 17:06:46 +0800 Subject: [PATCH 14/31] change field's definition & comments Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 72 ++-- examples/contour/01-crds.yaml | 350 +++++++++++++----- examples/render/contour-deployment.yaml | 350 +++++++++++++----- .../render/contour-gateway-provisioner.yaml | 350 +++++++++++++----- examples/render/contour-gateway.yaml | 350 +++++++++++++----- examples/render/contour.yaml | 350 +++++++++++++----- internal/envoy/v3/listener.go | 54 +-- internal/envoy/v3/route.go | 58 ++- .../docs/main/config/api-reference.html | 52 +-- 9 files changed, 1481 insertions(+), 505 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index b557fa58620..3fc979c3cec 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go 
@@ -291,42 +291,42 @@ type AuthorizationPolicy struct { Context map[string]string `json:"context,omitempty"` } -// HeaderSendMode control how headers and trailers are handled -type HeaderSendMode int32 +// HeaderSendMode control how headers and trailers are handled. +type HeaderSendMode string const ( // The default HeaderSendMode depends on which part of the message is being // processed. By default, request and response headers are sent, // while trailers are skipped. - ProcessingModeDefault HeaderSendMode = 0 + ProcessingModeDefault HeaderSendMode = "DEFAULT" // Send the header or trailer. - ProcessingModeSend HeaderSendMode = 1 + ProcessingModeSend HeaderSendMode = "SEND" // Do not send the header or trailer. - ProcessingModeSkip HeaderSendMode = 2 + ProcessingModeSkip HeaderSendMode = "SKIP" ) // BodySendMode control how the request and response bodies are handled -type BodySendMode int32 +type BodySendMode string const ( // Do not send the body at all. This is the default. - ProcessingModeNone BodySendMode = 0 + ProcessingModeNone BodySendMode = "NONE" // Stream the body to the server in pieces as they arrive at the // proxy. - ProcessingModeStreamed BodySendMode = 1 + ProcessingModeStreamed BodySendMode = "STREAMED" // Buffer the message body in memory and send the entire body at once. // If the body exceeds the configured buffer limit, then the // downstream system will receive an error. - ProcessingModeBuffered BodySendMode = 2 + ProcessingModeBuffered BodySendMode = "BUFFERED" // Buffer the message body in memory and send the entire body in one // chunk. If the body exceeds the configured buffer limit, then the body contents // up to the buffer limit will be sent. - ProcessingModeBufferedPartial BodySendMode = 3 + ProcessingModeBufferedPartial BodySendMode = "BUFFERED_PARTIAL" ) // HeaderMutationRules specifies what headers may be manipulated by a processing filter. 
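Review bot: Turning HeaderSendMode and BodySendMode into string types makes the Go zero value `""` a distinct state that matches none of the declared constants, so whatever translates these values into Envoy's processing-mode enum (outside this hunk) needs an explicit branch that treats `""` like `ProcessingModeDefault` / `ProcessingModeNone` instead of falling through to whatever the final `case` or `default` does; a test with the fields omitted would pin that. The type comments also read oddly and are now inconsistent with each other, since only the first gained a period: `// HeaderSendMode controls how headers and trailers are handled.` and `// BodySendMode controls how the request and response bodies are handled.`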
@@ -334,15 +334,15 @@ const ( type HeaderMutationRules struct { // By default, certain headers that could affect processing of subsequent // filters or request routing cannot be modified. These headers are - // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter - // to true allows these headers to be modified as well. + // ``host``, ``:authority``, ``:scheme``, and ``:method``. + // Setting this parameter to true allows these headers to be modified as well. // // +optional AllowAllRouting bool `json:"allowAllRouting,omitempty"` // If true, allow modification of envoy internal headers. By default, these - // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` - // configuration. Default is false. + // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + // Default is false. // // +optional AllowEnvoy bool `json:"allowEnvoy,omitempty"` @@ -350,14 +350,16 @@ type HeaderMutationRules struct { // If true, prevent modification of any system header, defined as a header // that starts with a ``:`` character, regardless of any other settings. // A processing server may still override the ``:status`` of an HTTP response - // using an ``ImmediateResponse`` message. Default is false. + // using an ``ImmediateResponse`` message. + // Default is false. // // +optional DisallowSystem bool `json:"disallowSystem,omitempty"` // If true, prevent modifications of all header values, regardless of any // other settings. A processing server may still override the ``:status`` - // of an HTTP response using an ``ImmediateResponse`` message. Default is false. + // of an HTTP response using an ``ImmediateResponse`` message. + // Default is false. // // +optional DisallowAll bool `json:"disallowAll,omitempty"` 
@@ -376,33 +378,51 @@ type HeaderMutationRules struct { // ProcessingMode describes which parts of an HTTP request and response are sent to a remote server // and how they are delivered. type ProcessingMode struct { - // How to handle the request header. Default is "SEND". + // How to handle the request header. + // Default is "SEND". // + // +kubebuilder:validation:Enum=DEFAULT;SEND;SKIP + // +kubebuilder:default=SEND // +optional RequestHeaderMode HeaderSendMode `json:"requestHeaderMode,omitempty"` - // How to handle the response header. Default is "SEND". + // How to handle the response header. + // Default is "SEND". // + // +kubebuilder:validation:Enum=DEFAULT;SEND;SKIP + // +kubebuilder:default=SEND // +optional ResponseHeaderMode HeaderSendMode `json:"responseHeaderMode,omitempty"` - // How to handle the request body. Default is "NONE". + // How to handle the request body. + // Default is "NONE". // + // +kubebuilder:validation:Enum=NONE;STREAMED;BUFFERED;BUFFERED_PARTIAL + // +kubebuilder:default=NONE // +optional RequestBodyMode BodySendMode `json:"requestBodyMode,omitempty"` - // How do handle the response body. Default is "NONE". + // How do handle the response body. + // Default is "NONE". // + // +kubebuilder:validation:Enum=NONE;STREAMED;BUFFERED;BUFFERED_PARTIAL + // +kubebuilder:default=NONE // +optional ResponseBodyMode BodySendMode `json:"responseBodyMode,omitempty"` - // How to handle the request trailers. Default is "SKIP". + // How to handle the request trailers. + // Default is "SKIP". // + // +kubebuilder:validation:Enum=DEFAULT;SEND;SKIP + // +kubebuilder:default=SKIP // +optional RequestTrailerMode HeaderSendMode `json:"requestTrailerMode,omitempty"` - // How to handle the response trailers. Default is "SKIP". + // How to handle the response trailers. + // Default is "SKIP". 
// + // +kubebuilder:validation:Enum=DEFAULT;SEND;SKIP + // +kubebuilder:default=SKIP // +optional ResponseTrailerMode HeaderSendMode `json:"responseTrailerMode,omitempty"` } @@ -435,10 +455,10 @@ type GRPCService struct { type ProcessingPhase string const ( - // UnspecifiedPhase decides where to insert the external processing service. - // This will generally be at the end of the filter chain, right before the Router - // **NOTE: if not specify, default to UnspecifiedPhase - UnspecifiedPhase ProcessingPhase = "UnspecifiedPhase" + // DefaultPhase decides insert the external processing service at the end of the filter chain, right before the Router. + // + // **NOTE: if not specify, default to DefaultPhase + DefaultPhase ProcessingPhase = "DefaultPhase" // Insert before contour authentication filter(s). AuthN ProcessingPhase = "AuthN" diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index c08df9e0f07..60b2853669a 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml 
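Review bot: The `ResponseBodyMode` comment carried over onto the new side of this hunk still says `// How do handle the response body.`; it should read `// How to handle the response body.` With `+kubebuilder:default=SEND`/`NONE`/`SKIP` now on every field, the API server fills in a value whenever one is omitted, so the `DEFAULT` enum value is only reachable when a user spells it out explicitly; if that is intended, the field comments should say so, e.g. `// "DEFAULT" defers to Envoy's per-message default and is never applied implicitly.` The ProcessingMode struct's opening line is outside the hunk.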
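Review bot: Renaming the constant also changes the serialized string from `"UnspecifiedPhase"` to `"DefaultPhase"`, so any HTTPProxy already written with the old value would presumably no longer match; if that value has shipped in any build, the old string needs to be accepted during a deprecation window or the removal called out in the release note. The new comment is ungrammatical as written; suggested: `// DefaultPhase inserts the external processing service at the end of the filter chain, right before the Router.` followed by `// NOTE: if no phase is specified, DefaultPhase is used.`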
@@ -725,35 +725,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -878,35 +904,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -4638,35 +4690,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -4793,35 +4871,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -6302,35 +6406,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -7972,35 +8102,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8127,35 +8283,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index f620374962d..235a374499c 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -944,35 +944,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -1097,35 +1123,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -4857,35 +4909,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -5012,35 +5090,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -6521,35 +6625,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8191,35 +8321,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8346,35 +8502,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 298c79e83ca..577daf6ae47 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -736,35 +736,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -889,35 +915,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -4649,35 +4701,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -4804,35 +4882,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -6313,35 +6417,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -7983,35 +8113,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8138,35 +8294,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index f653042ac16..7fbff616aea 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -947,35 +947,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -1100,35 +1126,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -4860,35 +4912,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -5015,35 +5093,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -6524,35 +6628,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8194,35 +8324,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8349,35 +8505,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index d45fedf6610..e5c3fd8212e 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -944,35 +944,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -1097,35 +1123,61 @@ spec: and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -4857,35 +4909,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -5012,35 +5090,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array 
@@ -6521,35 +6625,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8191,35 +8321,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: object 
@@ -8346,35 +8502,61 @@ spec: server and how they are delivered. properties: requestBodyMode: + default: NONE description: How to handle the request body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string requestHeaderMode: + default: SEND description: How to handle the request header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string requestTrailerMode: + default: SKIP description: How to handle the request trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseBodyMode: + default: NONE description: How do handle the response body. Default is "NONE". - format: int32 - type: integer + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string responseHeaderMode: + default: SEND description: How to handle the response header. Default is "SEND". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string responseTrailerMode: + default: SKIP description: How to handle the response trailers. Default is "SKIP". - format: int32 - type: integer + enum: + - DEFAULT + - SEND + - SKIP + type: string type: object type: object type: array diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 18ebea81001..b1b4a1d5f99 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go 
@@ -28,7 +28,7 @@ import ( envoy_compressor_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/compressor/v3" envoy_cors_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3" envoy_config_filter_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3" - envoy_config_filter_http_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3" + envoy_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3" envoy_config_filter_http_grpc_stats_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3" envoy_grpc_web_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3" envoy_jwt_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3" @@ -405,10 +405,8 @@ func makePhaseFilters(processors []*dag.ExternalProcessor, phase contour_api_v1. var extProcs []*dag.ExternalProcessor for _, ep := range processors { - // UnspecifiedPhase decides where to insert the external processing service. - // This will generally be at the end of the filter chain, right before the Router if len(ep.Phase) == 0 { - ep.Phase = contour_api_v1.UnspecifiedPhase + ep.Phase = contour_api_v1.DefaultPhase } if ep.Phase != phase { continue 
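Review bot: The rename to `DefaultPhase` drops the only comment that explained where an unphased processor ends up, and nothing in the new code says so; since AddExtProcFilters anchors `DefaultPhase` to `"router"`, a reader of this loop has to go and find that map. Restore a one-liner above the `if len(ep.Phase) == 0` check, e.g. `// DefaultPhase anchors the processor just before the router, i.e. at the end of the HTTP filter chain.` It is also worth a comment that the assignment writes the resolved phase back into the shared dag.ExternalProcessor rather than a local copy, since that side effect is easy to miss. makePhaseFilters starts and ends outside the hunk.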
@@ -425,11 +423,11 @@ func makePhaseFilters(processors []*dag.ExternalProcessor, phase contour_api_v1. func (b *httpConnectionManagerBuilder) AddExtProcFilters(processors []*dag.ExternalProcessor) *httpConnectionManagerBuilder { phases := map[contour_api_v1.ProcessingPhase]string{ - contour_api_v1.AuthN: "envoy.filters.http.jwt_authn", - contour_api_v1.AuthZ: "envoy.filters.http.ext_authz", - contour_api_v1.CORS: "cors", - contour_api_v1.RateLimit: wellknown.HTTPRateLimit, - contour_api_v1.UnspecifiedPhase: "router", + contour_api_v1.AuthN: "envoy.filters.http.jwt_authn", + contour_api_v1.AuthZ: "envoy.filters.http.ext_authz", + contour_api_v1.CORS: "cors", + contour_api_v1.RateLimit: wellknown.HTTPRateLimit, + contour_api_v1.DefaultPhase: "router", } for phase, name := range phases { // only insert when we find the 'anchor' 
@@ -838,16 +836,24 @@ end } } -func makeProcessMode(mode *contour_api_v1.ProcessingMode) *envoy_config_filter_http_ext_proc_v3.ProcessingMode { - return &envoy_config_filter_http_ext_proc_v3.ProcessingMode{ - RequestHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestHeaderMode), - ResponseHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseHeaderMode), +func makeProcessMode(mode *contour_api_v1.ProcessingMode) *envoy_ext_proc_v3.ProcessingMode { - RequestBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.RequestBodyMode), - ResponseBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(mode.ResponseBodyMode), + reqHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] + respHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] - RequestTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.RequestTrailerMode), - ResponseTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(mode.ResponseTrailerMode), + reqBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.RequestBodyMode)] + respBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.ResponseBodyMode)] + + reqTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] + respTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] + + return &envoy_ext_proc_v3.ProcessingMode{ + RequestHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqHeaderMode), + ResponseHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respHeaderMode), + RequestBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(reqBodyMode), + ResponseBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(respBodyMode), + 
RequestTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqTrailerMode), + ResponseTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respTrailerMode), } } @@ -856,19 +862,19 @@ func makeProcessMode(mode *contour_api_v1.ProcessingMode) *envoy_config_filter_h func filterExtProc(extProc *dag.ExternalProcessor) *http.HttpFilter { if extProc.ProcessingMode == nil { extProc.ProcessingMode = &contour_api_v1.ProcessingMode{ - RequestHeaderMode: 1, - ResponseHeaderMode: 1, - RequestBodyMode: 0, - ResponseBodyMode: 0, - RequestTrailerMode: 2, - ResponseTrailerMode: 2, + RequestHeaderMode: contour_api_v1.ProcessingModeSend, + ResponseHeaderMode: contour_api_v1.ProcessingModeSend, + RequestBodyMode: contour_api_v1.ProcessingModeNone, + ResponseBodyMode: contour_api_v1.ProcessingModeNone, + RequestTrailerMode: contour_api_v1.ProcessingModeSkip, + ResponseTrailerMode: contour_api_v1.ProcessingModeSkip, } } if extProc.MutationRules == nil { extProc.MutationRules = &contour_api_v1.HeaderMutationRules{} } - extProcConfig := envoy_config_filter_http_ext_proc_v3.ExternalProcessor{ + extProcConfig := envoy_ext_proc_v3.ExternalProcessor{ GrpcService: GrpcService(extProc.ExtProcService.Name, extProc.ExtProcService.SNI, extProc.ResponseTimeout), FailureModeAllow: extProc.FailOpen, ProcessingMode: makeProcessMode(extProc.ProcessingMode), diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go index ccd4f3b38e2..4e5efdb5913 100644 --- a/internal/envoy/v3/route.go +++ b/internal/envoy/v3/route.go 
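Review bot: `reqTrailerMode` and `respTrailerMode` are looked up from `mode.RequestHeaderMode` and `mode.ResponseHeaderMode` instead of the trailer fields, so the configured trailer modes are never applied and trailers silently follow the header mode (SEND by default, where the trailer default set in filterExtProc is SKIP), meaning more or less of the message than the user configured reaches the external processor. The two lines should read `reqTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestTrailerMode)]` and `respTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseTrailerMode)]`. The same copy-paste appears in `routeExtProcOverrides` in route.go, which additionally carries a commented-out duplicate of this body that should be deleted rather than left as dead text. Note also that the `_value` map lookups yield the zero enum value (DEFAULT for header/trailer modes, NONE for body modes) for any string not in the enum, so an unset or misspelled mode is accepted silently; the CRD enum and default markers are the only guard, and a unit test pinning each field's round-trip through makeProcessMode would catch both issues.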
@@ -26,7 +26,7 @@ import (
 envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 envoy_cors_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3"
 envoy_config_filter_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
- envoy_config_filter_http_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
+ envoy_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
 envoy_jwt_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
 lua "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3"
 envoy_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3"
@@ -193,28 +193,60 @@ func buildRoute(dagRoute *dag.Route, vhostName string, secure bool) *envoy_route // routeExtProcDisabled returns a per-route config to disable extProc for this particular vhost or route. func routeExtProcDisabled() *anypb.Any { return protobuf.MustMarshalAny( - &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute{ - Override: &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute_Disabled{ + &envoy_ext_proc_v3.ExtProcPerRoute{ + Override: &envoy_ext_proc_v3.ExtProcPerRoute_Disabled{ Disabled: true, }, }, ) } +/* + + reqHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] + respHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] + + reqBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.RequestBodyMode)] + respBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.ResponseBodyMode)] + + reqTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] + respTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] + + return &envoy_ext_proc_v3.ProcessingMode{ + RequestHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqHeaderMode), + ResponseHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respHeaderMode), + RequestBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(reqBodyMode), + ResponseBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(respBodyMode), + RequestTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqTrailerMode), + ResponseTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respTrailerMode), + } + +*/ + func routeExtProcOverrides(overrides *dag.ExtProcOverrides) *anypb.Any { - pm := &envoy_config_filter_http_ext_proc_v3.ProcessingMode{ - RequestHeaderMode: 
envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.RequestHeaderMode), - ResponseHeaderMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.ResponseHeaderMode), - RequestBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(overrides.ProcessingMode.RequestBodyMode), - ResponseBodyMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(overrides.ProcessingMode.ResponseBodyMode), - RequestTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.RequestTrailerMode), - ResponseTrailerMode: envoy_config_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(overrides.ProcessingMode.ResponseTrailerMode), + + reqHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.RequestHeaderMode)] + respHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.ResponseHeaderMode)] + + reqBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(overrides.ProcessingMode.RequestBodyMode)] + respBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(overrides.ProcessingMode.ResponseBodyMode)] + + reqTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.RequestHeaderMode)] + respTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.ResponseHeaderMode)] + + pm := &envoy_ext_proc_v3.ProcessingMode{ + RequestHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqHeaderMode), + ResponseHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respHeaderMode), + RequestBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(reqBodyMode), + ResponseBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(respBodyMode), + RequestTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqTrailerMode), + 
ResponseTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respTrailerMode), } return protobuf.MustMarshalAny( - &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute{ - Override: &envoy_config_filter_http_ext_proc_v3.ExtProcPerRoute_Overrides{ - Overrides: &envoy_config_filter_http_ext_proc_v3.ExtProcOverrides{ + &envoy_ext_proc_v3.ExtProcPerRoute{ + Override: &envoy_ext_proc_v3.ExtProcPerRoute_Overrides{ + Overrides: &envoy_ext_proc_v3.ExtProcOverrides{ ProcessingMode: pm, GrpcService: GrpcService(overrides.ExtProcService.Name, overrides.ExtProcService.SNI, *overrides.ResponseTimeout), }, diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index 97aa82132d9..423ce80859e 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -483,7 +483,7 @@
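Review bot: `reqTrailerMode` and `respTrailerMode` are looked up from `overrides.ProcessingMode.RequestHeaderMode` and `ResponseHeaderMode`, so a route's trailer settings are silently replaced by its header settings; the two lines should read `reqTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.RequestTrailerMode)]` and `respTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.ResponseTrailerMode)]`. The same copy-paste defect is in `makeProcessMode` in internal/envoy/v3/listener.go (the `@@ -848,24 +848,23 @@` hunk of patch 16) and in the `/* ... */` block added above this function, which duplicates `makeProcessMode` as dead code and should be deleted rather than kept commented out. The `_value` map lookups also map any string that is not an Envoy enum name to 0 (DEFAULT for headers, NONE for bodies) without an error, so unless CRD enum validation guarantees the strings, a `v, ok := ...` check that surfaces a condition would keep a mistyped mode from being accepted silently. `*overrides.ResponseTimeout` is dereferenced without a nil check; whether the DAG guarantees it is set is not visible here.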

AuthorizationSer

BodySendMode -(int32 alias)

+(string alias)

(Appears on: ProcessingMode) @@ -498,20 +498,20 @@

BodySendMode Description -

2

+

"BUFFERED"

Buffer the message body in memory and send the entire body at once. If the body exceeds the configured buffer limit, then the downstream system will receive an error.

-

3

+

"BUFFERED_PARTIAL"

Buffer the message body in memory and send the entire body in one chunk. If the body exceeds the configured buffer limit, then the body contents up to the buffer limit will be sent.

-

0

+

"NONE"

Do not send the body at all. This is the default.

-

1

+

"STREAMED"

Stream the body to the server in pieces as they arrive at the proxy.

@@ -2431,8 +2431,8 @@

HeaderMutationRules (Optional)

By default, certain headers that could affect processing of subsequent filters or request routing cannot be modified. These headers are -host, :authority, :scheme, and :method. Setting this parameter -to true allows these headers to be modified as well.

+host, :authority, :scheme, and :method. +Setting this parameter to true allows these headers to be modified as well.

@@ -2446,8 +2446,8 @@

HeaderMutationRules (Optional)

If true, allow modification of envoy internal headers. By default, these -start with x-envoy but this may be overridden in the Bootstrap -configuration. Default is false.

+start with x-envoy but this may be overridden in the Bootstrap configuration. +Default is false.

@@ -2463,7 +2463,8 @@

HeaderMutationRules

If true, prevent modification of any system header, defined as a header that starts with a : character, regardless of any other settings. A processing server may still override the :status of an HTTP response -using an ImmediateResponse message. Default is false.

+using an ImmediateResponse message. +Default is false.

@@ -2478,7 +2479,8 @@

HeaderMutationRules (Optional)

If true, prevent modifications of all header values, regardless of any other settings. A processing server may still override the :status -of an HTTP response using an ImmediateResponse message. Default is false.

+of an HTTP response using an ImmediateResponse message. +Default is false.

@@ -2502,13 +2504,13 @@

HeaderMutationRules

HeaderSendMode -(int32 alias)

+(string alias)

(Appears on: ProcessingMode)

-

HeaderSendMode control how headers and trailers are handled

+

HeaderSendMode control how headers and trailers are handled.

@@ -2517,15 +2519,15 @@

HeaderSendMode

- + - + - + @@ -3231,7 +3233,8 @@

ProcessingMode

@@ -3246,7 +3249,8 @@

ProcessingMode

@@ -3261,7 +3265,8 @@

ProcessingMode

@@ -3276,7 +3281,8 @@

ProcessingMode

@@ -3291,7 +3297,8 @@

ProcessingMode

@@ -3306,7 +3313,8 @@

ProcessingMode

From 3c388985cda7ac4e3af36a0afd1ad5122920fd5d Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 11 Jan 2024 16:13:17 +0800 Subject: [PATCH 15/31] make generate Signed-off-by: gang.liu --- site/content/docs/main/config/api-reference.html | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index 423ce80859e..f5fc8e4442e 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -3344,14 +3344,13 @@

ProcessingPhase

+ + - -
Description

0

"DEFAULT"

The default HeaderSendMode depends on which part of the message is being processed. By default, request and response headers are sent, while trailers are skipped.

1

"SEND"

Send the header or trailer.

2

"SKIP"

Do not send the header or trailer.

(Optional) -

How to handle the request header. Default is “SEND”.

+

How to handle the request header. +Default is “SEND”.

(Optional) -

How to handle the response header. Default is “SEND”.

+

How to handle the response header. +Default is “SEND”.

(Optional) -

How to handle the request body. Default is “NONE”.

+

How to handle the request body. +Default is “NONE”.

(Optional) -

How do handle the response body. Default is “NONE”.

+

How do handle the response body. +Default is “NONE”.

(Optional) -

How to handle the request trailers. Default is “SKIP”.

+

How to handle the request trailers. +Default is “SKIP”.

(Optional) -

How to handle the response trailers. Default is “SKIP”.

+

How to handle the response trailers. +Default is “SKIP”.

"CORS"

Insert before contour CORS filter(s).

"DefaultPhase"

DefaultPhase decides insert the external processing service at the end of the filter chain, right before the Router.

+

**NOTE: if not specify, default to DefaultPhase

+

"RateLimit"

Insert before contour RateLimit.

"UnspecifiedPhase"

UnspecifiedPhase decides where to insert the external processing service. -This will generally be at the end of the filter chain, right before the Router -**NOTE: if not specify, default to UnspecifiedPhase

-

QueryParameterHashOptions From 3104a7708902ec679c2b92f924a0e31ab9dab106 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Wed, 21 Feb 2024 18:00:35 +0800 Subject: [PATCH 16/31] make lint happy Signed-off-by: gang.liu --- internal/dag/dag.go | 10 +++---- internal/dag/httpproxy_processor.go | 21 ++++++++------- internal/dag/httpproxy_processor_test.go | 1 - internal/envoy/v3/listener.go | 33 ++++++++++++------------ internal/envoy/v3/route.go | 2 -- internal/xdscache/v3/listener.go | 8 +++--- test/e2e/deployment.go | 2 +- 7 files changed, 38 insertions(+), 39 deletions(-) diff --git a/internal/dag/dag.go b/internal/dag/dag.go index f6603e905f0..b9ec0a9cde6 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -27,7 +27,7 @@ import ( core_v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" - contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" + contour_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" "github.com/projectcontour/contour/internal/status" "github.com/projectcontour/contour/internal/timeout" ) @@ -278,7 +278,7 @@ type InternalRedirectPolicy struct { // Overrides that may be set on a per-route basis type ExtProcOverrides struct { // Set a different processing mode for this route than the default. - ProcessingMode *contour_api_v1.ProcessingMode + ProcessingMode *contour_v1.ProcessingMode // Set a different gRPC service for this route than the default. ExtProcService *ExtensionCluster @@ -907,7 +907,7 @@ type ExternalProcessor struct { FailOpen bool // Phase determines where in the filter chain this extProc is to be injected. - Phase contour_api_v1.ProcessingPhase + Phase contour_v1.ProcessingPhase // Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, // they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, 
@@ -915,11 +915,11 @@ type ExternalProcessor struct { Priority int32 // Specifies default options for how HTTP headers, trailers, and bodies are sent. - ProcessingMode *contour_api_v1.ProcessingMode + ProcessingMode *contour_v1.ProcessingMode // Rules that determine what modifications an external processing server may // make to message headers. - MutationRules *contour_api_v1.HeaderMutationRules + MutationRules *contour_v1.HeaderMutationRules } // AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 10ee6978931..3683183f5b2 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -1479,7 +1479,8 @@ func (p *HTTPProxyProcessor) rootAllowed(namespace string) bool { func (p *HTTPProxyProcessor) computeVirtualHostAuthorization( auth *contour_v1.AuthorizationServer, validCond *contour_v1.DetailedCondition, - httpproxy *contour_v1.HTTPProxy) *ExternalAuthorization { + httpproxy *contour_v1.HTTPProxy, +) *ExternalAuthorization { ok, extSvc := validateExtensionService( defaultExtensionRef(auth.ExtensionServiceRef), validCond, @@ -1518,8 +1519,8 @@ func (p *HTTPProxyProcessor) computeVirtualHostAuthorization( func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( extProcessor *contour_v1.ExternalProcessor, validCond *contour_v1.DetailedCondition, - httpproxy *contour_v1.HTTPProxy) []*ExternalProcessor { - + httpproxy *contour_v1.HTTPProxy, +) []*ExternalProcessor { var extProcs []*ExternalProcessor for _, ep := range extProcessor.Processors { ok, extSvc := validateExtensionService( 
@@ -1551,8 +1552,10 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( return extProcs } -const versionErorrFormat = "%s specifies an unsupported resource version %q" -const extSvcNotFound = "%s extension service %q not found" +const ( + versionErorrFormat = "%s specifies an unsupported resource version %q" + extSvcNotFound = "%s extension service %q not found" +) func validateExtensionService( ref contour_v1.ExtensionServiceReference, @@ -1597,8 +1600,8 @@ func determineExtensionServiceTimeout( errorType string, respTimeout string, validCond *contour_v1.DetailedCondition, - ext *ExtensionCluster) (bool, *timeout.Setting) { - + ext *ExtensionCluster, +) (bool, *timeout.Setting) { tout, err := timeout.Parse(respTimeout) if err != nil { reason := "AuthResponseTimeoutInvalid" @@ -1622,8 +1625,8 @@ func determineExtensionServiceTimeout( func (p *HTTPProxyProcessor) computeSecureVirtualHostExtProc( validCond *contour_v1.DetailedCondition, httpproxy *contour_v1.HTTPProxy, - svhost *SecureVirtualHost) bool { - + svhost *SecureVirtualHost, +) bool { if httpproxy.Spec.VirtualHost.ExtProcConfigured() && !httpproxy.Spec.VirtualHost.DisableExtProc() { eps := p.computeVirtualHostExtProcs(httpproxy.Spec.VirtualHost.ExternalProcessor, validCond, httpproxy) if eps == nil { diff --git a/internal/dag/httpproxy_processor_test.go b/internal/dag/httpproxy_processor_test.go index 0eef075390d..1feb4189933 100644 --- a/internal/dag/httpproxy_processor_test.go +++ b/internal/dag/httpproxy_processor_test.go @@ -702,7 +702,6 @@ func TestIncludeMatchConditionsIdentical(t *testing.T) { } func TestValidateExternalAuthExtensionService(t *testing.T) { - tests := map[string]struct { ref contour_v1.ExtensionServiceReference wantValidCond *contour_v1.DetailedCondition diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 421a62c4c7c..3b8dd3423d7 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go 
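Review bot: The grouped const block re-declares `versionErorrFormat` with its misspelling intact; since this hunk already touches the declaration, renaming it to `versionErrorFormat` now avoids carrying the typo forward (its use sites are outside the hunk and would need the same rename). The regrouping itself matches the surrounding style.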
@@ -28,7 +28,7 @@ import (
 envoy_filter_http_compressor_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/compressor/v3"
 envoy_filter_http_cors_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3"
 envoy_filter_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
- envoy_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
+ envoy_filter_http_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
 envoy_filter_http_grpc_stats_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3"
 envoy_filter_http_grpc_web_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3"
 envoy_filter_http_jwt_authn_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
@@ -848,24 +848,23 @@ end } } -func makeProcessMode(mode *contour_v1.ProcessingMode) *envoy_ext_proc_v3.ProcessingMode { +func makeProcessMode(mode *contour_v1.ProcessingMode) *envoy_filter_http_ext_proc_v3.ProcessingMode { + reqHeaderMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] + respHeaderMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] - reqHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] - respHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] + reqBodyMode := envoy_filter_http_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.RequestBodyMode)] + respBodyMode := envoy_filter_http_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.ResponseBodyMode)] - reqBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.RequestBodyMode)] - respBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.ResponseBodyMode)] + reqTrailerMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] + respTrailerMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] - reqTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] - respTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] - - return &envoy_ext_proc_v3.ProcessingMode{ - RequestHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqHeaderMode), - ResponseHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respHeaderMode), - RequestBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(reqBodyMode), - ResponseBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(respBodyMode), - RequestTrailerMode: 
envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqTrailerMode), - ResponseTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respTrailerMode), + return &envoy_filter_http_ext_proc_v3.ProcessingMode{ + RequestHeaderMode: envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(reqHeaderMode), + ResponseHeaderMode: envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(respHeaderMode), + RequestBodyMode: envoy_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(reqBodyMode), + ResponseBodyMode: envoy_filter_http_ext_proc_v3.ProcessingMode_BodySendMode(respBodyMode), + RequestTrailerMode: envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(reqTrailerMode), + ResponseTrailerMode: envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode(respTrailerMode), } } @@ -886,7 +885,7 @@ func filterExtProc(extProc *dag.ExternalProcessor) *envoy_filter_network_http_co extProc.MutationRules = &contour_v1.HeaderMutationRules{} } - extProcConfig := envoy_ext_proc_v3.ExternalProcessor{ + extProcConfig := envoy_filter_http_ext_proc_v3.ExternalProcessor{ GrpcService: GrpcService(extProc.ExtProcService.Name, extProc.ExtProcService.SNI, extProc.ResponseTimeout), FailureModeAllow: extProc.FailOpen, ProcessingMode: makeProcessMode(extProc.ProcessingMode), diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go index ebd987593aa..8e4bf99f10d 100644 --- a/internal/envoy/v3/route.go +++ b/internal/envoy/v3/route.go @@ -160,7 +160,6 @@ func buildRoute(dagRoute *dag.Route, vhostName string, secure bool) *envoy_confi // Apply per-route external processing policy modifications. if dagRoute.ExtProcDisabled { route.TypedPerFilterConfig["envoy.filters.http.ext_proc"] = routeExtProcDisabled() - } else if dagRoute.ExtProcOverrides != nil { route.TypedPerFilterConfig["envoy.filters.http.ext_proc"] = routeExtProcOverrides(dagRoute.ExtProcOverrides) } 
@@ -224,7 +223,6 @@ func routeExtProcDisabled() *anypb.Any { */ func routeExtProcOverrides(overrides *dag.ExtProcOverrides) *anypb.Any { - reqHeaderMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.RequestHeaderMode)] respHeaderMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.ResponseHeaderMode)] diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index 8c20fadc3b1..0888bf37821 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -25,7 +25,7 @@ import ( "google.golang.org/protobuf/proto" "k8s.io/apimachinery/pkg/types" - contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" + contour_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" contour_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/contourconfig" @@ -210,10 +210,10 @@ type GlobalExtProcConfig struct { ExtensionServiceConfig FailOpen bool - Phase contour_api_v1.ProcessingPhase + Phase contour_v1.ProcessingPhase Priority int32 - ProcessingMode *contour_api_v1.ProcessingMode - MutationRules *contour_api_v1.HeaderMutationRules + ProcessingMode *contour_v1.ProcessingMode + MutationRules *contour_v1.HeaderMutationRules } // httpAccessLog returns the access log for the HTTP (non TLS) diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index 89b0d2e8665..ba4bf5d6e0f 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -114,7 +114,7 @@ type Deployment struct { GlobalExtAuthService *core_v1.Service GlobalExtAuthExtensionService *contour_v1alpha1.ExtensionService - //TODO: lewgun + // TODO: lewgun GlobalExtProcExtensionService *contour_v1alpha1.ExtensionService } From f10908f216e1a12da21c222a9e8d6d318af3e9a4 Mon Sep 17 00:00:00 2001 
From: "gang.liu" Date: Wed, 21 Feb 2024 18:20:42 +0800 Subject: [PATCH 17/31] revert generate Signed-off-by: gang.liu --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 1ab043ce840..28ffb4cadef 100644 --- a/Makefile +++ b/Makefile @@ -232,8 +232,8 @@ format: ## Run gofumpt to format the codebase. .PHONY: generate generate: ## Re-generate generated code and documentation -# generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go -generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-deployment generate-metrics-docs generate-uml generate-go +generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go +#generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-deployment generate-metrics-docs generate-uml generate-go .PHONY: generate-rbac generate-rbac: From fc182efc779c2610f48d584d1f1842b5e2008b6f Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Tue, 12 Mar 2024 16:48:51 +0800 Subject: [PATCH 18/31] remove global ext_proc & add name for ext_proc 
Signed-off-by: gang.liu --- Makefile | 4 +- apis/projectcontour/v1/helpers.go | 17 +- apis/projectcontour/v1/httpproxy.go | 36 +- .../v1/zz_generated.deepcopy.go | 15 +- apis/projectcontour/v1alpha1/contourconfig.go | 4 - .../v1alpha1/zz_generated.deepcopy.go | 12 +- cmd/contour/serve.go | 45 - cmd/contour/servecontext.go | 1 - examples/contour/01-crds.yaml | 1292 ++++------------- examples/render/contour-deployment.yaml | 1292 ++++------------- .../render/contour-gateway-provisioner.yaml | 1292 ++++------------- examples/render/contour-gateway.yaml | 1292 ++++------------- examples/render/contour.yaml | 1292 ++++------------- go.mod | 2 +- go.sum | 35 + hack/generate-crd-deepcopy.sh | 6 +- internal/dag/builder_test.go | 6 +- internal/dag/dag.go | 19 +- internal/dag/httpproxy_processor.go | 149 +- internal/envoy/v3/listener.go | 11 +- internal/envoy/v3/route.go | 33 +- internal/xdscache/v3/listener.go | 31 +- pkg/config/parameters.go | 2 - 23 files changed, 1540 insertions(+), 5348 deletions(-) diff --git a/Makefile b/Makefile index 28ffb4cadef..f1dde4bc0be 100644 --- a/Makefile +++ b/Makefile @@ -232,8 +232,8 @@ format: ## Run gofumpt to format the codebase. .PHONY: generate generate: ## Re-generate generated code and documentation -generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go -#generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-deployment generate-metrics-docs generate-uml generate-go +#generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go +generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-deployment generate-metrics-docs generate-uml generate-go .PHONY: generate-rbac generate-rbac: 
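Review bot: The active `generate` target now omits `generate-gateway-yaml` and `generate-api-docs` while the full target sits commented out directly above it, reversing what the preceding commit ("revert generate") had just restored; this reads as a local workaround that leaked into the series rather than an intended build change. If those steps fail on this branch, the failure should be fixed or the steps dropped explicitly with a reason in the Makefile, not silenced by a commented-out line — restore `generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go` and delete the `#generate:` line. Leaving api-docs generation out of `make generate` also lets the api-reference.html edited in earlier patches drift from the Go types.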
diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index 5cf34d45fe5..fb7e38e0004 100644 --- a/apis/projectcontour/v1/helpers.go +++ b/apis/projectcontour/v1/helpers.go @@ -53,19 +53,14 @@ func (v *VirtualHost) AuthorizationContext() map[string]string { // ExtProcConfigured returns whether external processing are // configured on this virtual host. func (v *VirtualHost) ExtProcConfigured() bool { - return v.ExternalProcessor != nil -} + if v.ExternalProcessor == nil { + return false + } -// DisableExtProc returns true if this virtual host disables -// external processing. If an external processor is present, the default -// policy is to not disable. -func (v *VirtualHost) DisableExtProc() bool { - // No external processor(s), so it is disabled. - if v.ExtProcConfigured() { - if v.ExternalProcessor.ExtProcPolicy == nil { - return false + for _, proc := range v.ExternalProcessor.Processors { + if !proc.Disabled { + return true } - return v.ExternalProcessor.ExtProcPolicy.Disabled } return false } diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index 31d64066573..b30958da1f7 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -498,6 +498,16 @@ const ( // The external server must implement the v3 Envoy external processing GRPC protocol // (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). type ExtProc struct { + // Unique name for the external processor. + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // When true, this external processor will not be added to the listener's filter chain + // + // +optional + Disabled bool `json:"disabled,omitempty"` + // Phase determines where in the filter chain this extProc is to be injected. // // +optional 
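Review bot: The doc comment on `ExtProcConfigured` still says it "returns whether external processing are configured", but the new body returns true only when at least one entry in `Processors` has `Disabled` false, so a virtual host whose processors are all disabled now reads as "not configured". Update the comment to match the behaviour, e.g. `// ExtProcConfigured returns true if this virtual host has at least one external processor that is not disabled.` `DisableExtProc` is removed in the same hunk; `computeSecureVirtualHostExtProc` in internal/dag/httpproxy_processor.go called it in the previous patch, so that caller presumably changes in this commit's httpproxy_processor.go diff, which is not shown here.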
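Review bot: `Name` is documented as "Unique name for the external processor", but the markers added here (`Required`, `MinLength=1`) only constrain the string itself; nothing on the API type rejects two `Processors` entries with the same name. Marking the `Processors` slice (next hunk) with `// +listType=map` and `// +listMapKey=name` lets the API server enforce uniqueness, and the same applies to `Route.ExtProcPolicies`, which is matched to processors by name. If uniqueness is instead validated in the DAG processor, the field comment should say so, since a duplicate name would otherwise make the `ExtProcPolicies` lookup ambiguous.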
@@ -552,29 +562,24 @@ type ExternalProcessor struct { // // +optional Processors []ExtProc `json:"processors,omitempty"` - - // ExtProcPolicy sets a external processing policy. - // This policy will be used unless overridden by individual routes. - // - // **Note: for the Global External Processor, it's must be nil. - // - // +optional - ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` } // ExtProcPolicy modifies how requests/responses are operated. type ExtProcPolicy struct { - // When true, this field disables client request external processing + // The name of the external processor being overrided. + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // When true, this field disables the specific client request external processor // for the scope of the policy. - // Precisely one of disabled, overrides must be set. + // if both disabled and overrides are set. use disabled. // // +optional Disabled bool `json:"disabled,omitempty"` // Overrides aspects of the configuration for this route. // - // **Note: For VirtualHost, it's must be nil. - // // +optional Overrides *ExtProcOverride `json:"overrides,omitempty"` } @@ -900,12 +905,11 @@ type Route struct { // The rules defined here override any rules set on the root HTTPProxy. IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"` - // ExtProcPolicy updates the external processing policy that was set - // on the root HTTPProxy object for client requests/responses that - // match this route. + // ExtProcPolicies updates the external processing policy/policies that were set + // on the root HTTPProxy object for client requests/responses // // +optional - ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` + ExtProcPolicies []ExtProcPolicy `json:"extProcPolicies,omitempty"` } type JWTVerificationPolicy struct { 
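Review bot: The new comment on `ExtProcPolicy.Disabled` — "if both disabled and overrides are set. use disabled." — replaces the removed "Precisely one of disabled, overrides must be set" with a precedence rule but does not state it clearly; suggest `// Disabled takes precedence: when both disabled and overrides are set, the processor is disabled and overrides are ignored.` If mutual exclusion is still the intent, it can be enforced on the struct with a `+kubebuilder:validation:XValidation` rule rather than left to documentation. The `Name` comment "being overrided" should read "being overridden", and it is worth documenting what happens when no processor with that name exists on the virtual host (rejected with a condition, or ignored), since the hunk does not say.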
diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go index e78e881a65b..2e5e315d75c 100644 --- a/apis/projectcontour/v1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1/zz_generated.deepcopy.go @@ -368,11 +368,6 @@ func (in *ExternalProcessor) DeepCopyInto(out *ExternalProcessor) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.ExtProcPolicy != nil { - in, out := &in.ExtProcPolicy, &out.ExtProcPolicy - *out = new(ExtProcPolicy) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalProcessor. @@ -1280,10 +1275,12 @@ func (in *Route) DeepCopyInto(out *Route) { *out = make([]IPFilterPolicy, len(*in)) copy(*out, *in) } - if in.ExtProcPolicy != nil { - in, out := &in.ExtProcPolicy, &out.ExtProcPolicy - *out = new(ExtProcPolicy) - (*in).DeepCopyInto(*out) + if in.ExtProcPolicies != nil { + in, out := &in.ExtProcPolicies, &out.ExtProcPolicies + *out = make([]ExtProcPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } } diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index 3639ba67a34..f7b896bc693 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go @@ -85,10 +85,6 @@ type ContourConfigurationSpec struct { // Tracing defines properties for exporting trace data to OpenTelemetry. Tracing *TracingConfig `json:"tracing,omitempty"` - // GlobalExternalProcessor allows envoys external processing filters - // to be enabled for all virtual hosts. - // +optional - GlobalExternalProcessor *contour_v1.ExternalProcessor `json:"globalExtProc,omitempty"` // FeatureFlags defines toggle to enable new contour features. // Available toggles are: // useEndpointSlices - configures contour to fetch endpoint data 
diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go index 941942edc1f..d764cd6cb48 100644 --- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go @@ -172,7 +172,7 @@ func (in *ContourConfigurationSpec) DeepCopyInto(out *ContourConfigurationSpec) if in.Gateway != nil { in, out := &in.Gateway, &out.Gateway *out = new(GatewayConfig) - (*in).DeepCopyInto(*out) + **out = **in } if in.HTTPProxy != nil { in, out := &in.HTTPProxy, &out.HTTPProxy @@ -209,11 +209,6 @@ func (in *ContourConfigurationSpec) DeepCopyInto(out *ContourConfigurationSpec) *out = new(TracingConfig) (*in).DeepCopyInto(*out) } - if in.GlobalExternalProcessor != nil { - in, out := &in.GlobalExternalProcessor, &out.GlobalExternalProcessor - *out = new(v1.ExternalProcessor) - (*in).DeepCopyInto(*out) - } if in.FeatureFlags != nil { in, out := &in.FeatureFlags, &out.FeatureFlags *out = make(FeatureFlags, len(*in)) @@ -397,6 +392,11 @@ func (in *ContourSettings) DeepCopyInto(out *ContourSettings) { *out = make([]v1.Namespace, len(*in)) copy(*out, *in) } + if in.DisabledFeatures != nil { + in, out := &in.DisabledFeatures, &out.DisabledFeatures + *out = make([]v1.Feature, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContourSettings. diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index db21c2481c9..06101fd3b15 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -483,10 +483,6 @@ func (s *Server) doServe() error { return err } - if listenerConfig.GlobalExternalProcessors, err = s.setupGlobalExternalProcessor(contourConfiguration); err != nil { - return err - } - contourMetrics := metrics.NewMetrics(s.registry) // Endpoints updates are handled directly by the EndpointsTranslator/EndpointSliceTranslator due to the high update volume. 
@@ -581,7 +577,6 @@ func (s *Server) doServe() error {
 globalRateLimitService: contourConfiguration.RateLimitService,
 maxRequestsPerConnection: contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection,
 perConnectionBufferLimitBytes: contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes,
- globalExternalProcessor: contourConfiguration.GlobalExternalProcessor,
 globalCircuitBreakerDefaults: contourConfiguration.Envoy.Cluster.GlobalCircuitBreakerDefaults,
 upstreamTLS: &dag.UpstreamTLS{
 MinimumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MinimumProtocolVersion, "1.2"),
@@ -894,44 +889,6 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_
 return globalExternalAuthConfig, nil
 }
 
-func (s *Server) setupGlobalExternalProcessor(contourCfg contour_v1alpha1.ContourConfigurationSpec) ([]xdscache_v3.GlobalExtProcConfig, error) {
- if contourCfg.GlobalExternalProcessor == nil {
- return nil, nil
- }
-
- if contourCfg.GlobalExternalProcessor.ExtProcPolicy != nil {
- return nil, fmt.Errorf("GlobalExternalProcessor.ExtProcPolicy cannot be defined")
- }
-
- m := map[client.ObjectKey]struct{}{}
-
- var globalExtProcs []xdscache_v3.GlobalExtProcConfig
- for _, ep := range contourCfg.GlobalExternalProcessor.Processors {
-
- // ensure the specified ExtensionService exists
- extSvcCfg, err := s.getExtensionSvcConfig(ep.GRPCService.ExtensionServiceRef.Name, ep.GRPCService.ExtensionServiceRef.Namespace)
- if err != nil {
- return nil, err
- }
-
- // ensure unique external processing
- if _, ok := m[extSvcCfg.ExtensionService]; ok {
- return nil, fmt.Errorf("external processing %s/%s is duplicated", extSvcCfg.ExtensionService.Namespace, extSvcCfg.ExtensionService.Namespace)
- }
- m[extSvcCfg.ExtensionService] = struct{}{}
-
- globalExtProcs = append(globalExtProcs, xdscache_v3.GlobalExtProcConfig{
- ExtensionServiceConfig: extSvcCfg,
- FailOpen: ep.GRPCService.FailOpen,
- Phase: ep.Phase,
- Priority: ep.Priority,
- ProcessingMode: ep.ProcessingMode,
- MutationRules: ep.MutationRules,
- })
- }
- return globalExtProcs, nil
-}
-
 func (s *Server) setupDebugService(debugConfig contour_v1alpha1.DebugConfig, builder *dag.Builder) error {
 debugsvc := &debug.Service{
 Service: httpsvc.Service{
@@ -1111,7 +1068,6 @@ type dagBuilderConfig struct {
 maxRequestsPerConnection *uint32
 perConnectionBufferLimitBytes *uint32
 globalRateLimitService *contour_v1alpha1.RateLimitServiceConfig
- globalExternalProcessor *contour_v1.ExternalProcessor
 globalCircuitBreakerDefaults *contour_v1alpha1.GlobalCircuitBreakerDefaults
 upstreamTLS *dag.UpstreamTLS
 }
@@ -1208,7 +1164,6 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
 GlobalRateLimitService: dbc.globalRateLimitService,
 PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes,
 SetSourceMetadataOnRoutes: true,
- GlobalExternalProcessor: dbc.globalExternalProcessor,
 GlobalCircuitBreakerDefaults: dbc.globalCircuitBreakerDefaults,
 UpstreamTLS: dbc.upstreamTLS,
 },
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
index 4b080b4c96e..3a1057b6479 100644
--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -590,7 +590,6 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
 },
 EnableExternalNameService: &ctx.Config.EnableExternalNameService,
 GlobalExternalAuthorization: globalExtAuth,
- GlobalExternalProcessor: ctx.Config.GlobalExternalProcessor,
 RateLimitService: rateLimitService,
 Policy: policy,
 Metrics: &contourMetrics,
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
index 1161700e283..930e003fd1c 100644
--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -713,321 +713,6 @@ spec: type: boolean type: object type: object - globalExtProc: - description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. - properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. 
- Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4713,452 +4398,136 @@ spec: type: boolean type: object type: object - globalExtProc: + health: description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. properties: - extProcPolicy: + disablePermitInsecure: description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. 
- type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". 
- enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object - health: - description: |- - Health defines the endpoints Contour uses to serve health checks. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - httpproxy: - description: HTTPProxy defines parameters on HTTPProxy. - properties: - disablePermitInsecure: - description: |- - DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. - Contour's default is false. - type: boolean - fallbackCertificate: - description: |- - FallbackCertificate defines the namespace/name of the Kubernetes secret to - use as fallback when a non-SNI request is received. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - rootNamespaces: - description: Restrict Contour to searching these namespaces - for root ingress routes. 
- items: - type: string - type: array - type: object - ingress: - description: Ingress contains parameters for ingress options. - properties: - classNames: - description: Ingress Class Names Contour should use. - items: - type: string - type: array - statusAddress: - description: Address to set in Ingress object status. - type: string - type: object - metrics: - description: |- - Metrics defines the endpoint Contour uses to serve metrics. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: |- - TLS holds TLS file config details. - Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - policy: - description: Policy specifies default policy applied if not overridden - by the user - properties: - applyToIngress: - description: |- - ApplyToIngress determines if the Policies will apply to ingress objects - Contour's default is false. 
- type: boolean - requestHeaders: - description: RequestHeadersPolicy defines the request headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - responseHeaders: - description: ResponseHeadersPolicy defines the response headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - rateLimitService: - description: |- - RateLimitService optionally holds properties of the Rate Limit Service - to be used for global rate limiting. - properties: - defaultGlobalRateLimitPolicy: - description: |- - DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. - HTTPProxy can overwrite this configuration. - properties: - descriptors: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. 
+ properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. + properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: description: |- Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each 
@@ -6471,136 +5840,146 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: + extProcPolicies: description: |- - ExtProcPolicy updates the external processing policy that was set - on the root HTTPProxy object for client requests/responses that - match this route. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. 
- Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object + ExtProcPolicies updates the external processing policy/policies that were set + on the root HTTPProxy object for client requests/responses + items: + description: ExtProcPolicy modifies how requests/responses + are operated. 
+ properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + name: + description: The name of the external processor being + overrided. + minLength: 1 + type: string + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will handle the client + requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + required: + - name + type: object + type: array healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -8159,137 +7538,6 @@ spec: ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object processors: description: |- Processors defines a processing filter list,and each filter in the list 
@@ -8302,6 +7550,10 @@ spec: The external server must implement the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: + disabled: + description: When true, this external processor will + not be added to the listener's filter chain + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -8388,6 +7640,10 @@ spec: Default is false. type: boolean type: object + name: + description: Unique name for the external processor. + minLength: 1 + type: string phase: description: Phase determines where in the filter chain this extProc is to be injected. @@ -8467,6 +7723,8 @@ spec: - SKIP type: string type: object + required: + - name type: object type: array type: object diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 7f98935bb76..8595e8cad95 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -933,321 +933,6 @@ spec: type: boolean type: object type: object - globalExtProc: - description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. - properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. 
- Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4933,452 +4618,136 @@ spec: type: boolean type: object type: object - globalExtProc: + health: description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. properties: - extProcPolicy: + disablePermitInsecure: description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. 
- type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". 
- enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object - health: - description: |- - Health defines the endpoints Contour uses to serve health checks. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - httpproxy: - description: HTTPProxy defines parameters on HTTPProxy. - properties: - disablePermitInsecure: - description: |- - DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. - Contour's default is false. - type: boolean - fallbackCertificate: - description: |- - FallbackCertificate defines the namespace/name of the Kubernetes secret to - use as fallback when a non-SNI request is received. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - rootNamespaces: - description: Restrict Contour to searching these namespaces - for root ingress routes. 
- items: - type: string - type: array - type: object - ingress: - description: Ingress contains parameters for ingress options. - properties: - classNames: - description: Ingress Class Names Contour should use. - items: - type: string - type: array - statusAddress: - description: Address to set in Ingress object status. - type: string - type: object - metrics: - description: |- - Metrics defines the endpoint Contour uses to serve metrics. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: |- - TLS holds TLS file config details. - Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - policy: - description: Policy specifies default policy applied if not overridden - by the user - properties: - applyToIngress: - description: |- - ApplyToIngress determines if the Policies will apply to ingress objects - Contour's default is false. 
- type: boolean - requestHeaders: - description: RequestHeadersPolicy defines the request headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - responseHeaders: - description: ResponseHeadersPolicy defines the response headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - rateLimitService: - description: |- - RateLimitService optionally holds properties of the Rate Limit Service - to be used for global rate limiting. - properties: - defaultGlobalRateLimitPolicy: - description: |- - DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. - HTTPProxy can overwrite this configuration. - properties: - descriptors: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. 
+ properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. + properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: description: |- Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each 
@@ -6691,136 +6060,146 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: + extProcPolicies: description: |- - ExtProcPolicy updates the external processing policy that was set - on the root HTTPProxy object for client requests/responses that - match this route. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. 
- Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object + ExtProcPolicies updates the external processing policy/policies that were set + on the root HTTPProxy object for client requests/responses + items: + description: ExtProcPolicy modifies how requests/responses + are operated. 
+ properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + name: + description: The name of the external processor being + overrided. + minLength: 1 + type: string + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will handle the client + requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + required: + - name + type: object + type: array healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -8379,137 +7758,6 @@ spec: ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object processors: description: |- Processors defines a processing filter list,and each filter in the list 
@@ -8522,6 +7770,10 @@ spec: The external server must implement the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: + disabled: + description: When true, this external processor will + not be added to the listener's filter chain + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -8608,6 +7860,10 @@ spec: Default is false. type: boolean type: object + name: + description: Unique name for the external processor. + minLength: 1 + type: string phase: description: Phase determines where in the filter chain this extProc is to be injected. @@ -8687,6 +7943,8 @@ spec: - SKIP type: string type: object + required: + - name type: object type: array type: object diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index b3168fdea22..5f31d83e3d1 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -724,321 +724,6 @@ spec: type: boolean type: object type: object - globalExtProc: - description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. - properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. 
- Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4724,452 +4409,136 @@ spec: type: boolean type: object type: object - globalExtProc: + health: description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. properties: - extProcPolicy: + disablePermitInsecure: description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. 
- type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". 
- enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object - health: - description: |- - Health defines the endpoints Contour uses to serve health checks. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - httpproxy: - description: HTTPProxy defines parameters on HTTPProxy. - properties: - disablePermitInsecure: - description: |- - DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. - Contour's default is false. - type: boolean - fallbackCertificate: - description: |- - FallbackCertificate defines the namespace/name of the Kubernetes secret to - use as fallback when a non-SNI request is received. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - rootNamespaces: - description: Restrict Contour to searching these namespaces - for root ingress routes. 
- items: - type: string - type: array - type: object - ingress: - description: Ingress contains parameters for ingress options. - properties: - classNames: - description: Ingress Class Names Contour should use. - items: - type: string - type: array - statusAddress: - description: Address to set in Ingress object status. - type: string - type: object - metrics: - description: |- - Metrics defines the endpoint Contour uses to serve metrics. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: |- - TLS holds TLS file config details. - Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - policy: - description: Policy specifies default policy applied if not overridden - by the user - properties: - applyToIngress: - description: |- - ApplyToIngress determines if the Policies will apply to ingress objects - Contour's default is false. 
- type: boolean - requestHeaders: - description: RequestHeadersPolicy defines the request headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - responseHeaders: - description: ResponseHeadersPolicy defines the response headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - rateLimitService: - description: |- - RateLimitService optionally holds properties of the Rate Limit Service - to be used for global rate limiting. - properties: - defaultGlobalRateLimitPolicy: - description: |- - DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. - HTTPProxy can overwrite this configuration. - properties: - descriptors: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. 
+ properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. + properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: description: |- Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each 
@@ -6482,136 +5851,146 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: + extProcPolicies: description: |- - ExtProcPolicy updates the external processing policy that was set - on the root HTTPProxy object for client requests/responses that - match this route. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. 
- Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object + ExtProcPolicies updates the external processing policy/policies that were set + on the root HTTPProxy object for client requests/responses + items: + description: ExtProcPolicy modifies how requests/responses + are operated. 
+ properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + name: + description: The name of the external processor being + overrided. + minLength: 1 + type: string + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will handle the client + requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + required: + - name + type: object + type: array healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -8170,137 +7549,6 @@ spec: ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object processors: description: |- Processors defines a processing filter list,and each filter in the list 
@@ -8313,6 +7561,10 @@ spec: The external server must implement the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: + disabled: + description: When true, this external processor will + not be added to the listener's filter chain + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -8399,6 +7651,10 @@ spec: Default is false. type: boolean type: object + name: + description: Unique name for the external processor. + minLength: 1 + type: string phase: description: Phase determines where in the filter chain this extProc is to be injected. @@ -8478,6 +7734,8 @@ spec: - SKIP type: string type: object + required: + - name type: object type: array type: object diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 6050fb78689..86650380bd4 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -749,321 +749,6 @@ spec: type: boolean type: object type: object - globalExtProc: - description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. - properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. 
- Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4749,452 +4434,136 @@ spec: type: boolean type: object type: object - globalExtProc: + health: description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. properties: - extProcPolicy: + disablePermitInsecure: description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. 
- type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". 
- enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object - health: - description: |- - Health defines the endpoints Contour uses to serve health checks. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - httpproxy: - description: HTTPProxy defines parameters on HTTPProxy. - properties: - disablePermitInsecure: - description: |- - DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. - Contour's default is false. - type: boolean - fallbackCertificate: - description: |- - FallbackCertificate defines the namespace/name of the Kubernetes secret to - use as fallback when a non-SNI request is received. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - rootNamespaces: - description: Restrict Contour to searching these namespaces - for root ingress routes. 
- items: - type: string - type: array - type: object - ingress: - description: Ingress contains parameters for ingress options. - properties: - classNames: - description: Ingress Class Names Contour should use. - items: - type: string - type: array - statusAddress: - description: Address to set in Ingress object status. - type: string - type: object - metrics: - description: |- - Metrics defines the endpoint Contour uses to serve metrics. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: |- - TLS holds TLS file config details. - Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - policy: - description: Policy specifies default policy applied if not overridden - by the user - properties: - applyToIngress: - description: |- - ApplyToIngress determines if the Policies will apply to ingress objects - Contour's default is false. 
- type: boolean - requestHeaders: - description: RequestHeadersPolicy defines the request headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - responseHeaders: - description: ResponseHeadersPolicy defines the response headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - rateLimitService: - description: |- - RateLimitService optionally holds properties of the Rate Limit Service - to be used for global rate limiting. - properties: - defaultGlobalRateLimitPolicy: - description: |- - DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. - HTTPProxy can overwrite this configuration. - properties: - descriptors: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. 
+ properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. + properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: description: |- Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each 
@@ -6507,136 +5876,146 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: + extProcPolicies: description: |- - ExtProcPolicy updates the external processing policy that was set - on the root HTTPProxy object for client requests/responses that - match this route. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. 
- Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object + ExtProcPolicies updates the external processing policy/policies that were set + on the root HTTPProxy object for client requests/responses + items: + description: ExtProcPolicy modifies how requests/responses + are operated. 
+ properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + name: + description: The name of the external processor being + overrided. + minLength: 1 + type: string + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will handle the client + requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + required: + - name + type: object + type: array healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -8195,137 +7574,6 @@ spec: ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object processors: description: |- Processors defines a processing filter list,and each filter in the list 
@@ -8338,6 +7586,10 @@ spec: The external server must implement the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: + disabled: + description: When true, this external processor will + not be added to the listener's filter chain + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -8424,6 +7676,10 @@ spec: Default is false. type: boolean type: object + name: + description: Unique name for the external processor. + minLength: 1 + type: string phase: description: Phase determines where in the filter chain this extProc is to be injected. @@ -8503,6 +7759,8 @@ spec: - SKIP type: string type: object + required: + - name type: object type: array type: object diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 6f6217f7316..28c5152fc68 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -933,321 +933,6 @@ spec: type: boolean type: object type: object - globalExtProc: - description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. - properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. 
- Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4933,452 +4618,136 @@ spec: type: boolean type: object type: object - globalExtProc: + health: description: |- - GlobalExternalProcessor allows envoys external processing filters - to be enabled for all virtual hosts. + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object + httpproxy: + description: HTTPProxy defines parameters on HTTPProxy. properties: - extProcPolicy: + disablePermitInsecure: description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. + type: boolean + fallbackCertificate: + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object - processors: - description: |- - Processors defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. 
- type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". 
- enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: array - type: object - health: - description: |- - Health defines the endpoints Contour uses to serve health checks. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the health address interface. - minLength: 1 - type: string - port: - description: Defines the health port. - type: integer - type: object - httpproxy: - description: HTTPProxy defines parameters on HTTPProxy. - properties: - disablePermitInsecure: - description: |- - DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. - Contour's default is false. - type: boolean - fallbackCertificate: - description: |- - FallbackCertificate defines the namespace/name of the Kubernetes secret to - use as fallback when a non-SNI request is received. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - rootNamespaces: - description: Restrict Contour to searching these namespaces - for root ingress routes. 
- items: - type: string - type: array - type: object - ingress: - description: Ingress contains parameters for ingress options. - properties: - classNames: - description: Ingress Class Names Contour should use. - items: - type: string - type: array - statusAddress: - description: Address to set in Ingress object status. - type: string - type: object - metrics: - description: |- - Metrics defines the endpoint Contour uses to serve metrics. - Contour's default is { address: "0.0.0.0", port: 8000 }. - properties: - address: - description: Defines the metrics address interface. - maxLength: 253 - minLength: 1 - type: string - port: - description: Defines the metrics port. - type: integer - tls: - description: |- - TLS holds TLS file config details. - Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. - properties: - caFile: - description: CA filename. - type: string - certFile: - description: Client certificate filename. - type: string - keyFile: - description: Client key filename. - type: string - type: object - type: object - policy: - description: Policy specifies default policy applied if not overridden - by the user - properties: - applyToIngress: - description: |- - ApplyToIngress determines if the Policies will apply to ingress objects - Contour's default is false. 
- type: boolean - requestHeaders: - description: RequestHeadersPolicy defines the request headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - responseHeaders: - description: ResponseHeadersPolicy defines the response headers - set/removed on all routes - properties: - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - rateLimitService: - description: |- - RateLimitService optionally holds properties of the Rate Limit Service - to be used for global rate limiting. - properties: - defaultGlobalRateLimitPolicy: - description: |- - DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. - HTTPProxy can overwrite this configuration. - properties: - descriptors: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + classNames: + description: Ingress Class Names Contour should use. + items: + type: string + type: array + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + metrics: + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + tls: + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. 
+ properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. + properties: + defaultGlobalRateLimitPolicy: + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. + properties: + descriptors: description: |- Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each 
@@ -6691,136 +6060,146 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: + extProcPolicies: description: |- - ExtProcPolicy updates the external processing policy that was set - on the root HTTPProxy object for client requests/responses that - match this route. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. 
- Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object + ExtProcPolicies updates the external processing policy/policies that were set + on the root HTTPProxy object for client requests/responses + items: + description: ExtProcPolicy modifies how requests/responses + are operated. 
+ properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + name: + description: The name of the external processor being + overrided. + minLength: 1 + type: string + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the + extension resource that will handle the client + requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + required: + - name + type: object + type: array healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -8379,137 +7758,6 @@ spec: ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - extProcPolicy: - description: |- - ExtProcPolicy sets a external processing policy. - This policy will be used unless overridden by individual routes. - **Note: for the Global External Processor, it's must be nil. - properties: - disabled: - description: |- - When true, this field disables client request external processing - for the scope of the policy. - Precisely one of disabled, overrides must be set. - type: boolean - overrides: - description: |- - Overrides aspects of the configuration for this route. - **Note: For VirtualHost, it's must be nil. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. 
- type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - type: object processors: description: |- Processors defines a processing filter list,and each filter in the list 
@@ -8522,6 +7770,10 @@ spec: The external server must implement the v3 Envoy external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). properties: + disabled: + description: When true, this external processor will + not be added to the listener's filter chain + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -8608,6 +7860,10 @@ spec: Default is false. type: boolean type: object + name: + description: Unique name for the external processor. + minLength: 1 + type: string phase: description: Phase determines where in the filter chain this extProc is to be injected. @@ -8687,6 +7943,8 @@ spec: - SKIP type: string type: object + required: + - name type: object type: array type: object diff --git a/go.mod b/go.mod index 33a5dcf0c4c..4adfb0a5384 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,6 @@ require ( github.com/cert-manager/cert-manager v1.14.2 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/distribution/reference v0.5.0 - github.com/envoyproxy/go-control-plane v0.12.1-0.20240111020705-5401a878d8bb github.com/go-logr/logr v1.4.1 github.com/google/go-cmp v0.6.0 github.com/google/go-github/v48 v48.2.0 @@ -59,6 +58,7 @@ require ( github.com/chigopher/pathlib v0.19.1 // indirect github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/envoyproxy/go-control-plane v0.12.1-0.20240221204751-2259f2656a1f // indirect github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect github.com/evanphx/json-patch v5.7.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.8.0 // indirect diff --git a/go.sum b/go.sum index ffaf47b129a..14fce521b5a 100644 --- a/go.sum +++ b/go.sum 
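Review bot: The go.mod hunks `@@ -11,7 +11,6 @@` and `@@ -59,6 +58,7 @@` move github.com/envoyproxy/go-control-plane from the direct requirements into the `// indirect` block while bumping it to the 20240221 pseudo-version. If the Envoy xDS types from that module are still imported directly by this repository (which the ext_proc work implies), `go mod tidy` will move the line back to the direct block and any tidy check in CI will fail on this commit. The go.sum hunk at `@@ -98,8 +100,12 @@` keeps the old 20240111 pseudo-version entries alongside the new 20240221 ones and an added v0.12.0, which suggests the module files were edited by hand; running `go mod tidy` and committing the result would settle both points.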
@@ -68,6 +68,7 @@ github.com/campoy/embedmd v1.0.0/go.mod h1:oxyr9RCiSXg0M3VJ3ks0UGfp98BpSSGr0kpiX github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/cert-manager/cert-manager v1.13.3/go.mod h1:BM2+Pt/NmSv1Zr25/MHv6BgIEF9IUxA1xAjp80qkxgc= github.com/cert-manager/cert-manager v1.14.2 h1:C/uci6yxiCRO04PWomBbSX+T4JT58FIIpDj5SZ6Ks6I= github.com/cert-manager/cert-manager v1.14.2/go.mod h1:pik7K6jXfgh++lfVJ/i1HzEnDluSUtTVLXSHikj8Lho= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= @@ -85,6 +86,7 @@ github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101 h1:7To3pQ+pZo0i3dsWEbi github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -98,8 +100,12 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= +github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= github.com/envoyproxy/go-control-plane v0.12.1-0.20240111020705-5401a878d8bb h1:1BlzJS6JUqCF+HY7RLLafmZdZPmpHLvUWZSw8Jz+GcM= github.com/envoyproxy/go-control-plane v0.12.1-0.20240111020705-5401a878d8bb/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240221204751-2259f2656a1f h1:gNzN3eFZ++vuUfC63sx/cyG8Ucs5ElRIBIo477HzpTM= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240221204751-2259f2656a1f/go.mod h1:lFu6itz1hckLR2A3aJ+ZKf3lu8HpjTsJSsqvVF6GL6g= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= 
@@ -136,10 +142,15 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA= github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= github.com/go-pdf/fpdf v0.8.0 h1:IJKpdaagnWUeSkUFUjTcSzTppFxmv8ucGQyNPQWxYOQ= 
@@ -267,6 +278,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= @@ -326,8 +338,10 @@ github.com/projectcontour/yages v0.1.0/go.mod h1:pcJrPa3dP17HwGj2YOfBZ4w5WmC1rSp github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= +github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= github.com/prometheus/common v0.47.0 h1:p5Cz0FNHo7SnWOmWmoRozVcjEp0bIVU8cV7OShpjL1k= github.com/prometheus/common v0.47.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= 
@@ -381,6 +395,7 @@ github.com/tsaarni/certyaml v0.9.3 h1:m8HHbuUzWVUOmv8IQU9HgVZZ8r5ICExKm++54DJKCs github.com/tsaarni/certyaml v0.9.3/go.mod h1:hhuU1qYr5re488geArUP4gZWqMUMqGlj4HA2qUyGYLk= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= github.com/tsaarni/x500dn v1.0.0/go.mod h1:QaHa3EcUKC4dfCAZmj8+ZRGLKukWgpGv9H3oOCsAbcE= +github.com/vektra/mockery/v2 v2.40.1/go.mod h1:dPzGtjT0/Uu4hqpF6QNHwz+GLago7lq1bxdj9wHbGKo= github.com/vektra/mockery/v2 v2.40.3 h1:IZ2lydSDFsY0khnEsbSu13VLcqSsa6UYSS/8F+uOJmo= github.com/vektra/mockery/v2 v2.40.3/go.mod h1:KYBZF/7sqOa86BaOZPYsoCZWEWLS90a5oBLg2pVudxY= github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc= @@ -416,6 +431,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -428,6 +444,7 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= golang.org/x/exp v0.0.0-20231226003508-02704c960a9b h1:kLiC65FbiHWFAOu+lxwNPujcsl8VYyTYYEZnsOO1WK4= golang.org/x/exp v0.0.0-20231226003508-02704c960a9b/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= @@ -492,6 +509,7 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -503,6 +521,7 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -563,11 +582,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -585,6 +606,7 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -640,6 +662,7 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -717,10 +740,13 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY= google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 h1:nz5NESFLZbJGPFxDT/HCn+V1mZ8JGNoY4nUpmW/Y2eg= google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917/go.mod h1:pZqR+glSb11aJ+JQcczCvgf47+duRuzNSKqE8YAQnV0= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM= google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:oQ5rr10WTTMvP4A36n8JpR1OrO1BEiV4f78CneXZxkA= google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1:6G8oQ016D88m1xAKljMlBOOGWDZkes4kMhgGFlf8WcQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
@@ -739,6 +765,7 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY= google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 
@@ -783,14 +810,19 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= +k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= +k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU= k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg= k8s.io/apiextensions-apiserver v0.29.2/go.mod h1:aLfYjpA5p3OwtqNXQFkhJ56TB+spV8Gc4wfMhUA3/b8= +k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= +k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc= k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8= k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM= k8s.io/gengo v0.0.0-20201203183100-97869a43a9d9/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= 
@@ -802,8 +834,10 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022 h1:avRdiaB03v88Mfvum2S3BBwkNuTlmuar4LlfO9Hajko= k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022/go.mod h1:sIV51WBTkZrlGOJMCDZDA1IaPBUDTulPpD4y7oe038k= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= @@ -811,6 +845,7 @@ rsc.io/pdf v0.1.1 h1:k1MczvYDUvJBe93bYd7wrZLLUEcLZAuF824/I4e5Xr4= rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0= sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A= diff --git a/hack/generate-crd-deepcopy.sh b/hack/generate-crd-deepcopy.sh index 6778189c4cd..c8e81478119 100755 --- a/hack/generate-crd-deepcopy.sh +++ b/hack/generate-crd-deepcopy.sh 
@@ -38,9 +38,9 @@ readonly HEADER=$(mktemp) boilerplate > "${HEADER}" -exec echo "controller-gen version: " -exec go run sigs.k8s.io/controller-tools/cmd/controller-gen --version +echo "controller-gen version: " +go run sigs.k8s.io/controller-tools/cmd/controller-gen --version -exec go run sigs.k8s.io/controller-tools/cmd/controller-gen \ +go run sigs.k8s.io/controller-tools/cmd/controller-gen \ "object:headerFile=${HEADER}" \ "paths=${PATHS}" diff --git a/internal/dag/builder_test.go b/internal/dag/builder_test.go index ffeced315ff..fb7a8996dce 100644 --- a/internal/dag/builder_test.go +++ b/internal/dag/builder_test.go @@ -15496,7 +15496,8 @@ func TestDefaultHeadersPolicies(t *testing.T) { }{ { name: "empty is fine", - }, { + }, + { name: "ingressv1: insert ingress w/ single unnamed backend", objs: []any{ i2V1, @@ -15535,7 +15536,8 @@ func TestDefaultHeadersPolicies(t *testing.T) { }, Remove: []string{"K-Nada"}, }, - }, { + }, + { name: "insert httpproxy referencing two backends", objs: []any{ proxyMultipleBackends, s1, s2, diff --git a/internal/dag/dag.go b/internal/dag/dag.go index b9ec0a9cde6..65d0d1c4859 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -285,6 +285,14 @@ type ExtProcOverrides struct { ResponseTimeout *timeout.Setting } +type ExtProcPolicy struct { + Overrides *ExtProcOverrides + + // Disabled disable the filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + Disabled bool +} + // Route defines the properties of a route to a Cluster. type Route struct { // PathMatchCondition specifies a MatchCondition to match on the request path. 
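Review bot: With `exec` removed from the final `go run sigs.k8s.io/controller-tools/cmd/controller-gen \` call, the script's exit status is no longer controller-gen's unless the script runs under `set -e`/`set -o errexit` or checks the status itself; the hunk does not show the script's option lines, so please verify, or make the failure explicit with `|| exit 1` on that call. The removal itself is right, since `exec echo` would have replaced the shell and ended the script before the generator ran. The script continues outside the hunk.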
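Review bot: The new exported type `ExtProcPolicy` in `@@ -285,6 +285,14 @@` of internal/dag/dag.go has no doc comment, and the comment on `Disabled` ("Disabled disable the filter") is ungrammatical. The CRD hunk earlier in this patch shows a policy is addressed by a processor's required `name`, so a type comment such as `// ExtProcPolicy holds the per-virtual-host or per-route settings applied to one named external processor: optional Overrides and a Disabled switch.` would give readers the missing context, with `// Disabled disables the filter for this particular vhost or route.` on the field. Whether "most specific one will be used" is enforced by this code or by Envoy's per-filter-config semantics is not visible here; consider saying which.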
@@ -381,10 +389,7 @@ type Route struct { // by IPFilterAllow. IPFilterRules []IPFilterRule - // ExtProcDisabled disable the filter for this particular vhost or route. - // If disabled is specified in multiple per-filter-configs, the most specific one will be used. - ExtProcDisabled bool - ExtProcOverrides *ExtProcOverrides + ExtProcPolicies map[string]*ExtProcPolicy // Metadata fields that can be used for access logging. Kind string @@ -765,6 +770,10 @@ type VirtualHost struct { IPFilterRules []IPFilterRule Routes map[string]*Route + + // ExtProcs contains the configurations for enabling + // the ExtProc filters. + ExtProcs []*ExternalProcessor } func (v *VirtualHost) AddRoute(route *Route) { @@ -890,6 +899,8 @@ type ExternalAuthorization struct { } type ExternalProcessor struct { + Name string + // ExtProcService points to the extension that client // requests are forwarded to for external processing. If nil, no // external processing is enabled for this host. diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 3683183f5b2..56e0000d170 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -113,8 +113,6 @@ type HTTPProxyProcessor struct { // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool - // GlobalExternalProcessor defines how requests/responses will be operatred - GlobalExternalProcessor *contour_v1.ExternalProcessor // GlobalCircuitBreakerDefaults defines global circuit breaker defaults. GlobalCircuitBreakerDefaults *contour_v1alpha1.GlobalCircuitBreakerDefaults 
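Review bot: `Route.ExtProcPolicies` (the `-381` hunk) and `ExternalProcessor.Name` (the `-890` hunk) are new exported fields with no comment, and their relationship is exactly what a maintainer needs: later in this series the same string is used verbatim as the Envoy HTTP filter name in envoy/v3/listener.go and as the `TypedPerFilterConfig` key in envoy/v3/route.go. Suggested: `// Name identifies this processor within its virtual host; it becomes the Envoy HTTP filter name and the key of Route.ExtProcPolicies, so it must be unique per virtual host.` and `// ExtProcPolicies maps an ExternalProcessor.Name to the per-route policy (disable or overrides) applied to that filter; a nil map leaves the virtual host's processors untouched for this route.`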
@@ -206,34 +204,34 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { extProc := proxy.Spec.VirtualHost.ExternalProcessor if extProc != nil { - m := map[contour_v1.ExtensionServiceReference]struct{}{} + extSvcRefs := map[contour_v1.ExtensionServiceReference]struct{}{} + names := map[string]struct{}{} + for _, ep := range extProc.Processors { - objKey := ep.GRPCService.ExtensionServiceRef - if _, ok := m[objKey]; ok { + extSvcName := ep.GRPCService.ExtensionServiceRef + if _, ok := extSvcRefs[extSvcName]; ok { validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", - fmt.Sprintf("Spec.VirtualHost.ExternalProcessor.Processors is invalid: duplicate name %s/%s", objKey.Namespace, objKey.Name)) + fmt.Sprintf("Spec.VirtualHost.ExternalProcessor.Processors is invalid: duplicate extension service name %s/%s", extSvcName.Namespace, extSvcName.Name)) return } - m[ep.GRPCService.ExtensionServiceRef] = struct{}{} - } + extSvcRefs[ep.GRPCService.ExtensionServiceRef] = struct{}{} - if proxy.Spec.VirtualHost.TLS == nil { - for _, ep := range extProc.Processors { - if len(ep.GRPCService.ExtensionServiceRef.Name) > 0 { - validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", - "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS") - return - } + // TODO: autogen ext_proc's name? 
+ if _, ok := names[ep.Name]; ok { + validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", + fmt.Sprintf("Spec.VirtualHost.ExternalProcessor.Processors is invalid: duplicate name %s", ep.Name)) + return } - } - if extProc.ExtProcPolicy != nil && extProc.ExtProcPolicy.Overrides != nil { - validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", - "Spec.VirtualHost.ExternalProcessor.ExtProcPolicy.Overrides cannot be defined.") - return + names[ep.Name] = struct{}{} } } + extProcs, ok := p.computeVirtualHostExtProcs(proxy, validCond) + if !ok { + return + } + if len(proxy.Spec.VirtualHost.IPAllowFilterPolicy) > 0 && len(proxy.Spec.VirtualHost.IPDenyFilterPolicy) > 0 { validCond.AddError(contour_v1.ConditionTypeIPFilterError, "IncompatibleIPAddressFilters", "Spec.VirtualHost.IPAllowFilterPolicy and Spec.VirtualHost.IPDepnyFilterPolicy cannot both be defined.") @@ -321,13 +319,6 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { return } - // same as above - if tls.EnableFallbackCertificate && proxy.Spec.VirtualHost.ExtProcConfigured() { - validCond.AddError(contour_v1.ConditionTypeTLSError, "TLSIncompatibleFeatures", - "Spec.Virtualhost.TLS fallback & external processing are incompatible") - return - } - // If FallbackCertificate is enabled, but no cert passed, set error if tls.EnableFallbackCertificate { if p.FallbackCertificate == nil { @@ -411,9 +402,7 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { return } - if !p.computeSecureVirtualHostExtProc(validCond, proxy, svhost) { - return - } + svhost.ExtProcs = extProcs providerNames := sets.NewString() for _, jwtProvider := range proxy.Spec.VirtualHost.JWTProviders { 
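Review bot: `ep.GRPCService.ExtensionServiceRef` is dereferenced without checking `ep.GRPCService` for nil, yet the API marks `GRPCService` as `+optional` and serve.go's `setupGlobalExtProc` later in this series compares it against nil, so an HTTPProxy that lists a processor without `grpcService` panics the DAG build instead of producing a status condition. A user-supplied object must not be able to crash the controller; reject it at the top of the loop: `if ep.GRPCService == nil { validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", "Spec.VirtualHost.ExternalProcessor.Processors[*].GRPCService must be set"); return }`. The same dereference recurs in the computeVirtualHostExtProcs hunk (`ep.GRPCService.ExtensionServiceRef`, `ep.GRPCService.ResponseTimeout`), which this check also covers because that function runs after the loop. computeHTTPProxy continues outside the hunk on both sides.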
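Review bot: Dropping the "TLS fallback & external processing are incompatible" check reopens the gap it closed: its `// same as above` comment tied it to the still-present authorization check, which as far as I can tell exists because a request that lands on the fallback-certificate filter chain is handled by that chain's HTTP filters rather than by the per-SNI chain carrying this virtual host's filters. With the check gone, and the xdscache listener.go hunk in this series removing `AddExtProcFilters` from the default chain builder, a client that connects without SNI or with an SNI that falls back reaches the host's routes with no ext_proc filter at all, a silent bypass of whatever the processor enforces. Unless the fallback chain receives the same filters somewhere not visible here, keep the rejection, or at least document the bypass on the `EnableFallbackCertificate` API field.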
@@ -590,9 +579,7 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { _ = p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, proxy) } - if p.GlobalExternalProcessor != nil && !proxy.Spec.VirtualHost.DisableExtProc() { - _ = p.computeVirtualHostExtProcs(p.GlobalExternalProcessor, validCond, proxy) - } + insecure.ExtProcs = extProcs insecure.IPFilterAllow, insecure.IPFilterRules, err = toIPFilterRules(proxy.Spec.VirtualHost.IPAllowFilterPolicy, proxy.Spec.VirtualHost.IPDenyFilterPolicy, validCond) if err != nil { @@ -797,11 +784,6 @@ func (p *HTTPProxyProcessor) computeRoutes( return nil } - if err := routeExtProcValid(route.ExtProcPolicy); err != nil { - validCond.AddError(contour_v1.ConditionTypeRouteError, "RouteExtProcNotValid", err.Error()) - return nil - } - if err := pathMatchConditionsValid(route.Conditions); err != nil { validCond.AddErrorf(contour_v1.ConditionTypeRouteError, "PathMatchConditionsNotValid", "route: %s", err) 
@@ -930,28 +912,28 @@ func (p *HTTPProxyProcessor) computeRoutes( // If the enclosing root proxy enabled external processing, // enable it on the route and propagate defaults // downwards. - if rootProxy.Spec.VirtualHost.ExtProcConfigured() || p.GlobalExternalProcessor != nil { - // When the ext_proc filter(s) is added to a - // vhost, it is in enabled state, but we can - // disable it per route. We emulate disabling - // it at the vhost layer by defaulting the state - // from the root proxy. - disabled := rootProxy.Spec.VirtualHost.DisableExtProc() - - // Take the default for enabling authorization + if rootProxy.Spec.VirtualHost.ExtProcConfigured() { + // Take the default for enabling external processing // from the virtual host. If this route has a // policy, let that override. - if route.ExtProcPolicy != nil { - disabled = route.ExtProcPolicy.Disabled - if route.ExtProcPolicy.Overrides != nil { - overrides := toExtProcOverrides(route.ExtProcPolicy.Overrides, validCond, proxy.Namespace, p.dag.GetExtensionCluster) - if overrides == nil { - return nil + if route.ExtProcPolicies != nil { + if r.ExtProcPolicies == nil { + r.ExtProcPolicies = map[string]*ExtProcPolicy{} + } + for _, policy := range route.ExtProcPolicies { + var overrides *ExtProcOverrides + if policy.Overrides != nil { + overrides = toExtProcOverrides(policy.Overrides, validCond, proxy.Namespace, p.dag.GetExtensionCluster) + if overrides == nil { + return nil + } + } + r.ExtProcPolicies[policy.Name] = &ExtProcPolicy{ + Overrides: overrides, + Disabled: policy.Disabled, } - r.ExtProcOverrides = overrides } } - r.ExtProcDisabled = disabled } if len(route.GetPrefixReplacements()) > 0 { 
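Review bot: `policy.Name` is accepted without checking that an enabled processor of that name exists on the root virtual host, and duplicates within `route.ExtProcPolicies` silently overwrite each other in the map, so a typo yields a `TypedPerFilterConfig` entry for a filter that is not in the chain. Depending on the Envoy version that entry is either rejected, NACKing the whole route configuration and so affecting every HTTPProxy on the listener, or ignored, and neither outcome reaches the user as a status condition. Validate against the root proxy's processors (skipping the ones marked Disabled, which computeVirtualHostExtProcs does not install) and reject duplicates with a `RouteExtProcNotValid` condition, as sketched below. computeRoutes continues outside the hunk on both sides.
```go
if rootProxy.Spec.VirtualHost.ExtProcConfigured() && route.ExtProcPolicies != nil {
	// … unchanged: lazy initialisation of r.ExtProcPolicies …
	enabled := map[string]struct{}{}
	for _, ep := range rootProxy.Spec.VirtualHost.ExternalProcessor.Processors {
		if !ep.Disabled {
			enabled[ep.Name] = struct{}{}
		}
	}
	seen := map[string]struct{}{}
	for _, policy := range route.ExtProcPolicies {
		if _, ok := enabled[policy.Name]; !ok {
			validCond.AddErrorf(contour_v1.ConditionTypeRouteError, "RouteExtProcNotValid",
				"extProcPolicies: no enabled external processor named %q on the root HTTPProxy", policy.Name)
			return nil
		}
		if _, dup := seen[policy.Name]; dup {
			validCond.AddErrorf(contour_v1.ConditionTypeRouteError, "RouteExtProcNotValid",
				"extProcPolicies: policy for %q is specified more than once", policy.Name)
			return nil
		}
		seen[policy.Name] = struct{}{}
		// … unchanged: overrides conversion and map insertion …
	}
}
```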
@@ -1516,13 +1498,22 @@ func (p *HTTPProxyProcessor) computeVirtualHostAuthorization( return extAuth } +// computeVirtualHostExtProcs compute the ext_proc for listener, if it's disabled +// skip it func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( - extProcessor *contour_v1.ExternalProcessor, - validCond *contour_v1.DetailedCondition, httpproxy *contour_v1.HTTPProxy, -) []*ExternalProcessor { + validCond *contour_v1.DetailedCondition, +) ([]*ExternalProcessor, bool) { + if !httpproxy.Spec.VirtualHost.ExtProcConfigured() { + return nil, true + } + extProcessor := httpproxy.Spec.VirtualHost.ExternalProcessor + var extProcs []*ExternalProcessor for _, ep := range extProcessor.Processors { + if ep.Disabled { + continue + } ok, extSvc := validateExtensionService( defaultExtensionRef(ep.GRPCService.ExtensionServiceRef), validCond, @@ -1530,11 +1521,11 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( contour_v1.ConditionTypeExtProcError, p.dag.GetExtensionCluster) if !ok { - return nil + return nil, false } ok, respTimeout := determineExtensionServiceTimeout(contour_v1.ConditionTypeExtProcError, ep.GRPCService.ResponseTimeout, validCond, extSvc) if !ok { - return nil + return nil, false } extProcs = append(extProcs, &ExternalProcessor{ @@ -1545,11 +1536,12 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( MutationRules: ep.MutationRules, Phase: ep.Phase, Priority: ep.Priority, + Name: ep.Name, }) } - return extProcs + return extProcs, true } const ( 
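Review bot: The new header comment `// computeVirtualHostExtProcs compute the ext_proc for listener, if it's disabled skip it` does not say what the added bool result means, and the `return nil, false` and `return nil, true` paths can only be told apart by reading the body. Suggested: `// computeVirtualHostExtProcs builds the ExternalProcessor list for the proxy's virtual host, skipping processors marked Disabled. It returns false when validation failed and an error was recorded on validCond; (nil, true) means no external processing is configured.` The callers in computeHTTPProxy rely on exactly that distinction (`if !ok { return }`). The function body continues in the next two hunks of this file.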
@@ -1622,29 +1614,6 @@ func determineExtensionServiceTimeout( return true, &tout } -func (p *HTTPProxyProcessor) computeSecureVirtualHostExtProc( - validCond *contour_v1.DetailedCondition, - httpproxy *contour_v1.HTTPProxy, - svhost *SecureVirtualHost, -) bool { - if httpproxy.Spec.VirtualHost.ExtProcConfigured() && !httpproxy.Spec.VirtualHost.DisableExtProc() { - eps := p.computeVirtualHostExtProcs(httpproxy.Spec.VirtualHost.ExternalProcessor, validCond, httpproxy) - if eps == nil { - return false - } - svhost.ExtProcs = eps - - } else if p.GlobalExternalProcessor != nil && !httpproxy.Spec.VirtualHost.DisableExtProc() { - eps := p.computeVirtualHostExtProcs(p.GlobalExternalProcessor, validCond, httpproxy) - if eps == nil { - return false - } - svhost.ExtProcs = eps - } - - return true -} - func (p *HTTPProxyProcessor) computeSecureVirtualHostAuthorization(validCond *contour_v1.DetailedCondition, httpproxy *contour_v1.HTTPProxy, svhost *SecureVirtualHost) bool { if httpproxy.Spec.VirtualHost.AuthorizationConfigured() && !httpproxy.Spec.VirtualHost.DisableAuthorization() { authorization := p.computeVirtualHostAuthorization(httpproxy.Spec.VirtualHost.Authorization, validCond, httpproxy) @@ -2117,18 +2086,6 @@ func routeActionCountValid(route contour_v1.Route) error { return nil } -func routeExtProcValid(policy *contour_v1.ExtProcPolicy) error { - if policy == nil { - return nil - } - - if policy.Overrides != nil && policy.Disabled { - return fmt.Errorf("cannot specify both ExtProcPolicy.Overrides and ExtProcPolicy.Disabled ") - } - - return nil -} - // redirectRoutePolicy builds a *dag.Redirect for the supplied redirect policy. func redirectRoutePolicy(redirect *contour_v1.HTTPRequestRedirectPolicy) (*Redirect, error) { if redirect == nil { diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 3b8dd3423d7..7940432ec67 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go 
@@ -169,6 +169,7 @@ const ( CompressorFilterName string = "envoy.filters.http.compressor" GRPCWebFilterName string = "envoy.filters.http.grpc_web" GRPCStatsFilterName string = "envoy.filters.http.grpc_stats" + RouterFilterName string = "router" ) type httpConnectionManagerBuilder struct { @@ -438,9 +439,9 @@ func (b *httpConnectionManagerBuilder) AddExtProcFilters(processors []*dag.Exter phases := map[contour_v1.ProcessingPhase]string{ contour_v1.AuthN: JWTAuthnFilterName, contour_v1.AuthZ: ExtAuthzFilterName, - contour_v1.CORS: CORSFilterName, // "cors", + contour_v1.CORS: CORSFilterName, contour_v1.RateLimit: GlobalRateLimitFilterName, - contour_v1.DefaultPhase: "router", + contour_v1.DefaultPhase: RouterFilterName, } for phase, name := range phases { // only insert when we find the 'anchor' @@ -889,8 +890,8 @@ func filterExtProc(extProc *dag.ExternalProcessor) *envoy_filter_network_http_co GrpcService: GrpcService(extProc.ExtProcService.Name, extProc.ExtProcService.SNI, extProc.ResponseTimeout), FailureModeAllow: extProc.FailOpen, ProcessingMode: makeProcessMode(extProc.ProcessingMode), - MessageTimeout: envoy.Timeout(timeout.DefaultSetting()), - MaxMessageTimeout: envoy.Timeout(timeout.DefaultSetting()), + MessageTimeout: envoy.Timeout(extProc.ResponseTimeout), + MaxMessageTimeout: envoy.Timeout(extProc.ResponseTimeout), DisableClearRouteCache: false, AllowModeOverride: true, MutationRules: &envoy_mutation_rules_v3.HeaderMutationRules{ @@ -903,7 +904,7 @@ func filterExtProc(extProc *dag.ExternalProcessor) *envoy_filter_network_http_co } return &envoy_filter_network_http_connection_manager_v3.HttpFilter{ - Name: ExtProcFilterName, + Name: extProc.Name, ConfigType: &envoy_filter_network_http_connection_manager_v3.HttpFilter_TypedConfig{ TypedConfig: protobuf.MustMarshalAny(&extProcConfig), }, diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go index 8e4bf99f10d..00d62d018c5 100644 --- a/internal/envoy/v3/route.go +++ b/internal/envoy/v3/route.go 
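Review bot: Pointing `MessageTimeout` and `MaxMessageTimeout` at `extProc.ResponseTimeout` is a semantic change that the hunk leaves uncommented: in Envoy's ext_proc, `message_timeout` bounds each individual message exchange and `max_message_timeout` caps what the processor may request as an override, and both now equal the extension service's overall response timeout that `GrpcService` also receives. I could not confirm from here how a `ResponseTimeout` parsed from "infinity" (a value the CRD accepts for `responseTimeout`) comes out of `envoy.Timeout`, nor whether Envoy treats a zero `message_timeout` as unlimited or falls back to its default; that deserves a test and a comment such as `// Per-message and override ceilings follow the service's ResponseTimeout so one exchange can never outlive the gRPC call — TODO confirm Envoy's handling when the setting is "infinity".` filterExtProc continues outside the hunk.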
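Review bot: `Name: extProc.Name` installs an operator-supplied string as the Envoy HTTP filter name, and the only validation visible in this series is uniqueness within one HTTPProxy (the computeHTTPProxy hunk); nothing stops a processor from being named `router`, `envoy.filters.http.ext_authz` or any other value in the `phases` anchor map of the `AddExtProcFilters` hunk above, in which case a later phase insertion may anchor on the user's filter rather than Contour's and the chain ends up with two filters of one name. What Envoy does with that (rejecting the listener, or applying per-route config to the wrong filter) depends on the version and I have not verified it, but either way it is reachable from an HTTPProxy. Derive the wire name from a reserved prefix instead, e.g. `Name: ExtProcFilterName + "." + extProc.Name`, with the same helper producing the `TypedPerFilterConfig` key in route.go, or reject reserved names in the processor.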
@@ -158,10 +158,13 @@ func buildRoute(dagRoute *dag.Route, vhostName string, secure bool) *envoy_confi } // Apply per-route external processing policy modifications. - if dagRoute.ExtProcDisabled { - route.TypedPerFilterConfig["envoy.filters.http.ext_proc"] = routeExtProcDisabled() - } else if dagRoute.ExtProcOverrides != nil { - route.TypedPerFilterConfig["envoy.filters.http.ext_proc"] = routeExtProcOverrides(dagRoute.ExtProcOverrides) + for name, policy := range dagRoute.ExtProcPolicies { + // if disabled, do nothing + if policy.Disabled { + route.TypedPerFilterConfig[name] = routeExtProcDisabled() + } else if policy.Overrides != nil { + route.TypedPerFilterConfig[name] = routeExtProcOverrides(policy.Overrides) + } } // If JWT verification is enabled, add per-route filter 
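Review bot: The comment `// if disabled, do nothing` contradicts the line under it, which does emit a per-route config (`routeExtProcDisabled()`) under the filter's name; and the branch order now silently makes Disabled win over Overrides, since the `routeExtProcValid` rejection of that combination was removed in the httpproxy_processor hunk. Replace it with `// Disabled takes precedence over Overrides; a policy with neither emits no per-route config.` A nil `*ExtProcPolicy` value in the map would panic here; the processor never stores one today, so `if policy == nil { continue }` is a one-line guard worth having. buildRoute continues outside the hunk.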
@@ -200,28 +203,6 @@ func routeExtProcDisabled() *anypb.Any { ) } -/* - - reqHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] - respHeaderMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] - - reqBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.RequestBodyMode)] - respBodyMode := envoy_ext_proc_v3.ProcessingMode_BodySendMode_value[string(mode.ResponseBodyMode)] - - reqTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.RequestHeaderMode)] - respTrailerMode := envoy_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(mode.ResponseHeaderMode)] - - return &envoy_ext_proc_v3.ProcessingMode{ - RequestHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqHeaderMode), - ResponseHeaderMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respHeaderMode), - RequestBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(reqBodyMode), - ResponseBodyMode: envoy_ext_proc_v3.ProcessingMode_BodySendMode(respBodyMode), - RequestTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(reqTrailerMode), - ResponseTrailerMode: envoy_ext_proc_v3.ProcessingMode_HeaderSendMode(respTrailerMode), - } - -*/ - func routeExtProcOverrides(overrides *dag.ExtProcOverrides) *anypb.Any { reqHeaderMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.RequestHeaderMode)] respHeaderMode := envoy_filter_http_ext_proc_v3.ProcessingMode_HeaderSendMode_value[string(overrides.ProcessingMode.ResponseHeaderMode)] diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index 0888bf37821..dfac9aa53f4 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go 
@@ -145,10 +145,6 @@ type ListenerConfig struct { // used. GlobalExternalAuthConfig *GlobalExternalAuthConfig - // GlobalExternalProcessors optionally configures the global external processing services to be - // used. - GlobalExternalProcessors []GlobalExtProcConfig - // TracingConfig optionally configures the tracing collector Service to be // used. TracingConfig *TracingConfig @@ -429,7 +425,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { Tracing(envoy_v3.TracingConfig(envoyTracingConfig(cfg.TracingConfig))). AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))). EnableWebsockets(listener.EnableWebsockets). - AddExtProcFilters(toExternalProcessors(cfg.GlobalExternalProcessors)). + AddExtProcFilters(listener.VirtualHosts[0].ExtProcs). Get() listeners[listener.Name] = envoy_v3.Listener( @@ -581,7 +577,6 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { MaxRequestsPerConnection(cfg.MaxRequestsPerConnection). HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams). EnableWebsockets(listener.EnableWebsockets). - AddExtProcFilters(toExternalProcessors(cfg.GlobalExternalProcessors)). Get() // Default filter chain 
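Review bot: `listener.VirtualHosts[0].ExtProcs` takes one virtual host's processors and installs them on the HTTP connection manager shared by every virtual host on that listener, so on the plaintext listener host A's external processor now sees host B's requests while B's own `ExtProcs` are never installed, and which host is `[0]` depends on whatever ordering `VirtualHosts` has. This follows from dropping the TLS-only restriction in the computeHTTPProxy hunk earlier in this series (as far as I can tell ext_proc was previously confined to per-SNI filter chains, which are per host) and from `insecure.ExtProcs = extProcs` in the `-590` hunk; it is also an index-out-of-range panic if this code can run with an empty `VirtualHosts` (any guard is outside the hunk). Either restore the TLS-only rule for processors, or install the union of all hosts' processors and emit a per-virtual-host `typed_per_filter_config` that disables the ones a host did not opt into, so one tenant's traffic is never handed to another tenant's processor.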
@@ -633,30 +628,6 @@ func httpGlobalExternalAuthConfig(config *GlobalExternalAuthConfig) *envoy_filte }) } -func toExternalProcessors(processors []GlobalExtProcConfig) []*dag.ExternalProcessor { - if processors == nil { - return nil - } - - var extProcs []*dag.ExternalProcessor - for _, p := range processors { - ep := &dag.ExternalProcessor{ - ExtProcService: &dag.ExtensionCluster{ - Name: dag.ExtensionClusterName(p.ExtensionServiceConfig.ExtensionService), - SNI: p.ExtensionServiceConfig.SNI, - }, - FailOpen: p.FailOpen, - ResponseTimeout: p.ExtensionServiceConfig.Timeout, - ProcessingMode: p.ProcessingMode, - MutationRules: p.MutationRules, - Phase: p.Phase, - Priority: p.Priority, - } - extProcs = append(extProcs, ep) - } - return extProcs -} - func envoyGlobalRateLimitConfig(config *RateLimitConfig) *envoy_v3.GlobalRateLimitConfig { if config == nil { return nil diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index d27fdce7f75..a79158549eb 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -706,8 +706,6 @@ type Parameters struct { // Tracing holds the relevant configuration for exporting trace data to OpenTelemetry. Tracing *Tracing `yaml:"tracing,omitempty"` - // GlobalExternalProcessor optionally holds properties of the global external processing configurations. - GlobalExternalProcessor *contour_v1.ExternalProcessor `yaml:"globalExtProc,omitempty"` // FeatureFlags defines toggle to enable new contour features. // available toggles are // useEndpointSlices - configures contour to fetch endpoint data From d4102464efbe949a82b0a6ef86a5c0169cbb26a1 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 14 Mar 2024 17:51:37 +0800 Subject: [PATCH 19/31] global & vh & route only have one ext_proc 
Signed-off-by: gang.liu --- apis/projectcontour/v1/helpers.go | 17 +- apis/projectcontour/v1/httpproxy.go | 71 +- .../v1/zz_generated.deepcopy.go | 24 +- apis/projectcontour/v1alpha1/contourconfig.go | 5 + .../v1alpha1/zz_generated.deepcopy.go | 5 + cmd/contour/serve.go | 27 + examples/contour/01-crds.yaml | 966 ++++++++++++------ examples/render/contour-deployment.yaml | 966 ++++++++++++------ .../render/contour-gateway-provisioner.yaml | 966 ++++++++++++------ examples/render/contour-gateway.yaml | 966 ++++++++++++------ examples/render/contour.yaml | 966 ++++++++++++------ internal/dag/dag.go | 27 +- internal/dag/httpproxy_processor.go | 172 ++-- internal/envoy/v3/listener.go | 56 +- internal/envoy/v3/route.go | 12 +- internal/fixture/httpproxy.go | 2 +- internal/sorter/sorter.go | 9 - internal/xdscache/v3/listener.go | 28 +- 18 files changed, 3414 insertions(+), 1871 deletions(-) diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index fb7e38e0004..3b9fd80bc30 100644 --- a/apis/projectcontour/v1/helpers.go +++ b/apis/projectcontour/v1/helpers.go @@ -53,16 +53,17 @@ func (v *VirtualHost) AuthorizationContext() map[string]string { // ExtProcConfigured returns whether external processing are // configured on this virtual host. func (v *VirtualHost) ExtProcConfigured() bool { - if v.ExternalProcessor == nil { - return false - } + return v.ExtProc.Processor != nil +} - for _, proc := range v.ExternalProcessor.Processors { - if !proc.Disabled { - return true - } +// ExtProcDisabled returns true if this virtual host disables +// external processing explicit. If an external processor is present, the default +// policy is to not disable. +func (v *VirtualHost) ExtProcDisabled() bool { + if v.ExtProc == nil { + return false } - return false + return v.ExtProc.Disabled } // GetPrefixReplacements returns replacement prefixes from the path 
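Review bot: `ExtProcConfigured` dereferences `v.ExtProc` without a nil check, while `ExtProcDisabled` directly below guards the same pointer; `ExtProc` is `+optional` and, as of the earlier patch in this series, computeRoutes calls `ExtProcConfigured()` for every root proxy, so any HTTPProxy without an `extProc` stanza would panic the DAG build. Use `return v.ExtProc != nil && v.ExtProc.Processor != nil`. The doc comments also want `returns whether external processing is configured` and `disables external processing explicitly`.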
diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index b30958da1f7..ae40e7ce982 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go 
@@ -472,54 +472,10 @@ type GRPCService struct { FailOpen bool `json:"failOpen,omitempty"` } -// ProcessingPhase define the phase in the filter chain where the external processing filter will be injected -type ProcessingPhase string - -const ( - // DefaultPhase decides insert the external processing service at the end of the filter chain, right before the Router. - // - // **NOTE: if not specify, default to DefaultPhase - DefaultPhase ProcessingPhase = "DefaultPhase" - - // Insert before contour authentication filter(s). - AuthN ProcessingPhase = "AuthN" - - // Insert before contour authorization filter(s) and after the authentication filter(s). - AuthZ ProcessingPhase = "AuthZ" - - // Insert before contour CORS filter(s). - CORS ProcessingPhase = "CORS" - - // Insert before contour RateLimit. - RateLimit ProcessingPhase = "RateLimit" -) - // ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way // The external server must implement the v3 Envoy external processing GRPC protocol // (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). type ExtProc struct { - // Unique name for the external processor. - // +kubebuilder:validation:Required - // +kubebuilder:validation:MinLength=1 - Name string `json:"name"` - - // When true, this external processor will not be added to the listener's filter chain - // - // +optional - Disabled bool `json:"disabled,omitempty"` - - // Phase determines where in the filter chain this extProc is to be injected. - // - // +optional - Phase ProcessingPhase `json:"phase,omitempty"` - - // Priority determines ordering of processing filters in the same phase. 
When multiple extProc are applied to the same workload in the same phase, - // they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - // they will follow the order in which extProc(s) are added, Defaults to 0. - // - // +optional - Priority int32 `json:"priority,omitempty"` - // GRPCService configure the gRPC service that the filter will communicate with. // // +optional @@ -555,24 +511,29 @@ type ExtProcOverride struct { // ExternalProcessor defines a processing filter list and the policy for fine-grained at VirutalHost and/or Route level. type ExternalProcessor struct { - // Processors defines a processing filter list,and each filter in the list + // Processor defines a processing filter list,and each filter in the list // will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. // If no phase is specified, it will be added before the Router. // If no Priority is specified, the filters will be added in the order they appear in the list. // // +optional - Processors []ExtProc `json:"processors,omitempty"` + Processor *ExtProc `json:"processor,omitempty"` + + // When true, this field disables the external processor: (neither global nor virtualHost) + // for the scope of the policy. + // + // if both Disabled and Processor are set. use disabled. + // + // it just work for virtualhost + // +optional + Disabled bool `json:"disabled,omitempty"` } // ExtProcPolicy modifies how requests/responses are operated. type ExtProcPolicy struct { - // The name of the external processor being overrided. - // +kubebuilder:validation:Required - // +kubebuilder:validation:MinLength=1 - Name string `json:"name"` - // When true, this field disables the specific client request external processor // for the scope of the policy. + // // if both disabled and overrides are set. use disabled. // // +optional 
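Review bot: The `Processor` comment still describes "a processing filter list" ordered by Priority within a phase, although the field is now a single `*ExtProc` and Phase/Priority were removed in the previous hunk; the `Disabled` comment ("(neither global nor virtualHost)", "it just work for virtualhost") is hard to parse, and both are published verbatim as CRD descriptions (see the `01-crds.yaml` section of this patch). Suggested: `// Processor configures the external processing filter for this scope. When unset, no processor is added at this level.` and, for Disabled, a sentence stating that it turns off external processing for the virtual host including a processor inherited from the global configuration, that it takes precedence over Processor when both are set, and that it has no effect under `globalExtProc`, if that is the intended semantics. Because `ExternalProcessor` is also the type of `ContourConfigurationSpec.GlobalExtProc` in this patch, a `disabled` key is exposed at the global level where it is meaningless; a separate type for the global config would avoid that. The VirtualHost and Route hunks that follow carry the same stale wording (`ExtProc which allow to act`, `policy that were set`).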
@@ -632,11 +593,11 @@ type VirtualHost struct { // The rules defined here may be overridden in a Route. IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"` - // ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way + // ExtProc which allow to act on HTTP traffic in a flexible way // and the policy for fine-grained at VirtualHost level. // // +optional - ExternalProcessor *ExternalProcessor `json:"extProc,omitempty"` + ExtProc *ExternalProcessor `json:"extProc,omitempty"` } // JWTProvider defines how to verify JWTs on requests. @@ -905,11 +866,11 @@ type Route struct { // The rules defined here override any rules set on the root HTTPProxy. IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"` - // ExtProcPolicies updates the external processing policy/policies that were set + // ExtProcPolicy updates the external processing policy that were set // on the root HTTPProxy object for client requests/responses // // +optional - ExtProcPolicies []ExtProcPolicy `json:"extProcPolicies,omitempty"` + ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"` } type JWTVerificationPolicy struct { diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go index 2e5e315d75c..fcd3b8fd613 100644 --- a/apis/projectcontour/v1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1/zz_generated.deepcopy.go 
@@ -361,12 +361,10 @@ func (in *ExtensionServiceReference) DeepCopy() *ExtensionServiceReference { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalProcessor) DeepCopyInto(out *ExternalProcessor) { *out = *in - if in.Processors != nil { - in, out := &in.Processors, &out.Processors - *out = make([]ExtProc, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.Processor != nil { + in, out := &in.Processor, &out.Processor + *out = new(ExtProc) + (*in).DeepCopyInto(*out) } } @@ -1275,12 +1273,10 @@ func (in *Route) DeepCopyInto(out *Route) { *out = make([]IPFilterPolicy, len(*in)) copy(*out, *in) } - if in.ExtProcPolicies != nil { - in, out := &in.ExtProcPolicies, &out.ExtProcPolicies - *out = make([]ExtProcPolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } + if in.ExtProcPolicy != nil { + in, out := &in.ExtProcPolicy, &out.ExtProcPolicy + *out = new(ExtProcPolicy) + (*in).DeepCopyInto(*out) } } @@ -1641,8 +1637,8 @@ func (in *VirtualHost) DeepCopyInto(out *VirtualHost) { *out = make([]IPFilterPolicy, len(*in)) copy(*out, *in) } - if in.ExternalProcessor != nil { - in, out := &in.ExternalProcessor, &out.ExternalProcessor + if in.ExtProc != nil { + in, out := &in.ExtProc, &out.ExtProc *out = new(ExternalProcessor) (*in).DeepCopyInto(*out) } diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index e967051d7dc..9a23eea7998 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go 
@@ -91,6 +91,11 @@ type ContourConfigurationSpec struct { // from k8s endpoint slices. defaults to false and reading endpoint // data from the k8s endpoints. FeatureFlags FeatureFlags `json:"featureFlags,omitempty"` + + // GlobalExtProc allows envoys external processing filter + // to be enabled for all virtual hosts. + // +optional + GlobalExtProc *contour_v1.ExternalProcessor `json:"globalExtProc,omitempty"` } // FeatureFlags defines the set of feature flags diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go index d764cd6cb48..2e58e59b583 100644 --- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go @@ -214,6 +214,11 @@ func (in *ContourConfigurationSpec) DeepCopyInto(out *ContourConfigurationSpec) *out = make(FeatureFlags, len(*in)) copy(*out, *in) } + if in.GlobalExtProc != nil { + in, out := &in.GlobalExtProc, &out.GlobalExtProc + *out = new(v1.ExternalProcessor) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContourConfigurationSpec. diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 0697b45a2f8..f8b9476eac0 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -482,6 +482,10 @@ func (s *Server) doServe() error { return err } + if listenerConfig.GlobalExtProcConfig, err = s.setupGlobalExtProc(contourConfiguration); err != nil { + return err + } + contourMetrics := metrics.NewMetrics(s.registry) // Endpoints updates are handled directly by the EndpointsTranslator/EndpointSliceTranslator due to the high update volume. 
@@ -572,6 +576,7 @@ func (s *Server) doServe() error { globalRateLimitService: contourConfiguration.RateLimitService, maxRequestsPerConnection: contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection, perConnectionBufferLimitBytes: contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes, + globalExtProc: contourConfiguration.GlobalExtProc, globalCircuitBreakerDefaults: contourConfiguration.Envoy.Cluster.GlobalCircuitBreakerDefaults, upstreamTLS: &dag.UpstreamTLS{ MinimumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MinimumProtocolVersion, "1.2"), @@ -884,6 +889,26 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_ return globalExternalAuthConfig, nil } +func (s *Server) setupGlobalExtProc(contourCfg contour_v1alpha1.ContourConfigurationSpec) (*xdscache_v3.GlobalExtProcConfig, error) { + if contourCfg.GlobalExtProc == nil || contourCfg.GlobalExtProc.Processor == nil || contourCfg.GlobalExtProc.Processor.GRPCService == nil { + return nil, nil + } + + grpcSvc := contourCfg.GlobalExtProc.Processor.GRPCService + + // ensure the specified ExtensionService exists + extSvcCfg, err := s.getExtensionSvcConfig(grpcSvc.ExtensionServiceRef.Name, grpcSvc.ExtensionServiceRef.Namespace) + if err != nil { + return nil, err + } + return &xdscache_v3.GlobalExtProcConfig{ + ExtensionServiceConfig: extSvcCfg, + FailOpen: grpcSvc.FailOpen, + ProcessingMode: contourCfg.GlobalExtProc.Processor.ProcessingMode, + MutationRules: contourCfg.GlobalExtProc.Processor.MutationRules, + }, nil +} + func (s *Server) setupDebugService(debugConfig contour_v1alpha1.DebugConfig, builder *dag.Builder) error { debugsvc := &debug.Service{ Service: httpsvc.Service{ 
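Review bot: A `globalExtProc` whose `processor` is set but lacks `grpcService` is treated as "no global processor" (`return nil, nil`) rather than as a configuration error, so a misspelled key silently disables a filter the operator meant to apply to every virtual host; prefer `if contourCfg.GlobalExtProc == nil || contourCfg.GlobalExtProc.Processor == nil { return nil, nil }` followed by `if grpcSvc == nil { return nil, errors.New("globalExtProc.processor.grpcService must be set") }` (or the file's usual error constructor). `grpcSvc.ResponseTimeout` is also not carried into `GlobalExtProcConfig`: the removed `toExternalProcessors` took the timeout from `ExtensionServiceConfig.Timeout`, which `getExtensionSvcConfig(name, namespace)` presumably derives from the ExtensionService itself, so the `responseTimeout` the CRD accepts under `globalExtProc.processor.grpcService` appears to be ignored; confirm, or drop it from the global schema. The function is complete within the hunk.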
@@ -1063,6 +1088,7 @@ type dagBuilderConfig struct { maxRequestsPerConnection *uint32 perConnectionBufferLimitBytes *uint32 globalRateLimitService *contour_v1alpha1.RateLimitServiceConfig + globalExtProc *contour_v1.ExternalProcessor globalCircuitBreakerDefaults *contour_v1alpha1.GlobalCircuitBreakerDefaults upstreamTLS *dag.UpstreamTLS } @@ -1159,6 +1185,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { GlobalRateLimitService: dbc.globalRateLimitService, PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes, SetSourceMetadataOnRoutes: true, + GlobalExtProc: dbc.globalExtProc, GlobalCircuitBreakerDefaults: dbc.globalCircuitBreakerDefaults, UpstreamTLS: dbc.upstreamTLS, }, diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 06a8cb3e957..2b8efd3253e 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml 
@@ -713,6 +713,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that the + filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4398,6 +4573,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -5840,146 +6190,134 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicies: + extProcPolicy: description: |- - ExtProcPolicies updates the external processing policy/policies that were set + ExtProcPolicy updates the external processing policy that were set on the root HTTPProxy object for client requests/responses - items: - description: ExtProcPolicy modifies how requests/responses - are operated. - properties: - disabled: - description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. - type: boolean - name: - description: The name of the external processor being - overrided. - minLength: 1 - type: string - overrides: - description: Overrides aspects of the configuration for - this route. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. 
This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - required: - - name - type: object - type: array + properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7535,198 +7873,178 @@ spec: type: object extProc: description: |- - ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way + ExtProc which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - processors: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: description: |- - Processors defines a processing filter list,and each filter in the list + Processor defines a processing filter list,and each filter in the list will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - disabled: - description: When true, this external processor will - not be added to the listener's filter chain - type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. 
By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - name: - description: Unique name for the external processor. - minLength: 1 - type: string - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. 
- properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - required: - - name - type: object - type: array + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. 
+ type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". 
+ enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object type: object fqdn: description: |- diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 7dd97dc2931..e5b3b32fac3 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -933,6 +933,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that the + filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4618,6 +4793,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -6060,146 +6410,134 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicies: + extProcPolicy: description: |- - ExtProcPolicies updates the external processing policy/policies that were set + ExtProcPolicy updates the external processing policy that were set on the root HTTPProxy object for client requests/responses - items: - description: ExtProcPolicy modifies how requests/responses - are operated. - properties: - disabled: - description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. - type: boolean - name: - description: The name of the external processor being - overrided. - minLength: 1 - type: string - overrides: - description: Overrides aspects of the configuration for - this route. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. 
This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - required: - - name - type: object - type: array + properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7755,198 +8093,178 @@ spec: type: object extProc: description: |- - ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way + ExtProc which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - processors: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: description: |- - Processors defines a processing filter list,and each filter in the list + Processor defines a processing filter list,and each filter in the list will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - disabled: - description: When true, this external processor will - not be added to the listener's filter chain - type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. 
By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - name: - description: Unique name for the external processor. - minLength: 1 - type: string - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. 
- properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - required: - - name - type: object - type: array + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. 
+ type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". 
+ enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object type: object fqdn: description: |- diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index ee4946482d5..f9bf2b2e8cb 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -724,6 +724,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that the + filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4409,6 +4584,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -5851,146 +6201,134 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicies: + extProcPolicy: description: |- - ExtProcPolicies updates the external processing policy/policies that were set + ExtProcPolicy updates the external processing policy that were set on the root HTTPProxy object for client requests/responses - items: - description: ExtProcPolicy modifies how requests/responses - are operated. - properties: - disabled: - description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. - type: boolean - name: - description: The name of the external processor being - overrided. - minLength: 1 - type: string - overrides: - description: Overrides aspects of the configuration for - this route. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. 
This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - required: - - name - type: object - type: array + properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7546,198 +7884,178 @@ spec: type: object extProc: description: |- - ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way + ExtProc which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - processors: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: description: |- - Processors defines a processing filter list,and each filter in the list + Processor defines a processing filter list,and each filter in the list will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - disabled: - description: When true, this external processor will - not be added to the listener's filter chain - type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. 
By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - name: - description: Unique name for the external processor. - minLength: 1 - type: string - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. 
- properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - required: - - name - type: object - type: array + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. 
+ type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". 
+ enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object type: object fqdn: description: |- diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index ac7d1583d12..f63c1427cbd 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -749,6 +749,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that the + filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4434,6 +4609,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -5876,146 +6226,134 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicies: + extProcPolicy: description: |- - ExtProcPolicies updates the external processing policy/policies that were set + ExtProcPolicy updates the external processing policy that were set on the root HTTPProxy object for client requests/responses - items: - description: ExtProcPolicy modifies how requests/responses - are operated. - properties: - disabled: - description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. - type: boolean - name: - description: The name of the external processor being - overrided. - minLength: 1 - type: string - overrides: - description: Overrides aspects of the configuration for - this route. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. 
This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - required: - - name - type: object - type: array + properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7571,198 +7909,178 @@ spec: type: object extProc: description: |- - ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way + ExtProc which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - processors: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: description: |- - Processors defines a processing filter list,and each filter in the list + Processor defines a processing filter list,and each filter in the list will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - disabled: - description: When true, this external processor will - not be added to the listener's filter chain - type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. 
By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - name: - description: Unique name for the external processor. - minLength: 1 - type: string - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. 
- properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - required: - - name - type: object - type: array + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. 
+ type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". 
+ enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object type: object fqdn: description: |- diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 8cfca1cbb42..a647ae2609c 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -933,6 +933,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that the + filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -4618,6 +4793,181 @@ spec: type: boolean type: object type: object + globalExtProc: + description: |- + GlobalExtProc allows envoys external processing filter + to be enabled for all virtual hosts. + properties: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: + description: |- + Processor defines a processing filter list,and each filter in the list + will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. + If no phase is specified, it will be added before the Router. + If no Priority is specified, the filters will be added in the order they appear in the list. + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. 
+ Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object health: description: |- Health defines the endpoints Contour uses to serve health checks. 
@@ -6060,146 +6410,134 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicies: + extProcPolicy: description: |- - ExtProcPolicies updates the external processing policy/policies that were set + ExtProcPolicy updates the external processing policy that were set on the root HTTPProxy object for client requests/responses - items: - description: ExtProcPolicy modifies how requests/responses - are operated. - properties: - disabled: - description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. - type: boolean - name: - description: The name of the external processor being - overrided. - minLength: 1 - type: string - overrides: - description: Overrides aspects of the configuration for - this route. - properties: - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the - extension resource that will handle the client - requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. 
This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. - properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". 
- enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - type: object - required: - - name - type: object - type: array + properties: + disabled: + description: |- + When true, this field disables the specific client request external processor + for the scope of the policy. + if both disabled and overrides are set. use disabled. + type: boolean + overrides: + description: Overrides aspects of the configuration for + this route. + properties: + grpcService: + description: GRPCService configure the gRPC service + that the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. 
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object + type: object healthCheckPolicy: description: The health check policy for this route. properties: 
@@ -7755,198 +8093,178 @@ spec: type: object extProc: description: |- - ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way + ExtProc which allow to act on HTTP traffic in a flexible way and the policy for fine-grained at VirtualHost level. properties: - processors: + disabled: + description: |- + When true, this field disables the external processor: (neither global nor virtualHost) + for the scope of the policy. + if both Disabled and Processor are set. use disabled. + it just work for virtualhost + type: boolean + processor: description: |- - Processors defines a processing filter list,and each filter in the list + Processor defines a processing filter list,and each filter in the list will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. - items: - description: |- - ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way - The external server must implement the v3 Envoy external processing GRPC protocol - (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). - properties: - disabled: - description: When true, this external processor will - not be added to the listener's filter chain - type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. - properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. 
- If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: - description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: - description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ - type: string - type: object - mutationRules: - description: |- - MutationRules specifies what headers may be manipulated by a processing filter. - This set of rules makes it possible to control which modifications a filter may make. - properties: - allowAllRouting: - description: |- - By default, certain headers that could affect processing of subsequent - filters or request routing cannot be modified. These headers are - ``host``, ``:authority``, ``:scheme``, and ``:method``. - Setting this parameter to true allows these headers to be modified as well. - type: boolean - allowEnvoy: - description: |- - If true, allow modification of envoy internal headers. 
By default, these - start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. - Default is false. - type: boolean - disallowAll: - description: |- - If true, prevent modifications of all header values, regardless of any - other settings. A processing server may still override the ``:status`` - of an HTTP response using an ``ImmediateResponse`` message. - Default is false. - type: boolean - disallowIsError: - description: |- - If true, and if the rules in this list cause a header mutation to be - disallowed, then the filter using this configuration will terminate the - request with a 500 error. In addition, regardless of the setting of this - parameter, any attempt to set, add, or modify a disallowed header will - cause the ``rejected_header_mutations`` counter to be incremented. - Default is false. - type: boolean - disallowSystem: - description: |- - If true, prevent modification of any system header, defined as a header - that starts with a ``:`` character, regardless of any other settings. - A processing server may still override the ``:status`` of an HTTP response - using an ``ImmediateResponse`` message. - Default is false. - type: boolean - type: object - name: - description: Unique name for the external processor. - minLength: 1 - type: string - phase: - description: Phase determines where in the filter chain - this extProc is to be injected. - type: string - priority: - description: |- - Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - they will follow the order in which extProc(s) are added, Defaults to 0. - format: int32 - type: integer - processingMode: - description: |- - ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - and how they are delivered. 
- properties: - requestBodyMode: - default: NONE - description: |- - How to handle the request body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - requestHeaderMode: - default: SEND - description: |- - How to handle the request header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - requestTrailerMode: - default: SKIP - description: |- - How to handle the request trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseBodyMode: - default: NONE - description: |- - How do handle the response body. - Default is "NONE". - enum: - - NONE - - STREAMED - - BUFFERED - - BUFFERED_PARTIAL - type: string - responseHeaderMode: - default: SEND - description: |- - How to handle the response header. - Default is "SEND". - enum: - - DEFAULT - - SEND - - SKIP - type: string - responseTrailerMode: - default: SKIP - description: |- - How to handle the response trailers. - Default is "SKIP". - enum: - - DEFAULT - - SEND - - SKIP - type: string - type: object - required: - - name - type: object - type: array + properties: + grpcService: + description: GRPCService configure the gRPC service that + the filter will communicate with. + properties: + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. + properties: + apiVersion: + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 + type: string + type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. 
+ type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. + A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object + processingMode: + description: |- + ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + and how they are delivered. + properties: + requestBodyMode: + default: NONE + description: |- + How to handle the request body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + requestHeaderMode: + default: SEND + description: |- + How to handle the request header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + requestTrailerMode: + default: SKIP + description: |- + How to handle the request trailers. + Default is "SKIP". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseBodyMode: + default: NONE + description: |- + How do handle the response body. + Default is "NONE". + enum: + - NONE + - STREAMED + - BUFFERED + - BUFFERED_PARTIAL + type: string + responseHeaderMode: + default: SEND + description: |- + How to handle the response header. + Default is "SEND". + enum: + - DEFAULT + - SEND + - SKIP + type: string + responseTrailerMode: + default: SKIP + description: |- + How to handle the response trailers. + Default is "SKIP". 
+ enum: + - DEFAULT + - SEND + - SKIP + type: string + type: object + type: object type: object fqdn: description: |- diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 65d0d1c4859..5ec670e4d82 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -286,11 +286,11 @@ type ExtProcOverrides struct { } type ExtProcPolicy struct { - Overrides *ExtProcOverrides - // Disabled disable the filter for this particular vhost or route. // If disabled is specified in multiple per-filter-configs, the most specific one will be used. Disabled bool + + Overrides *ExtProcOverrides } // Route defines the properties of a route to a Cluster. @@ -389,7 +389,8 @@ type Route struct { // by IPFilterAllow. IPFilterRules []IPFilterRule - ExtProcPolicies map[string]*ExtProcPolicy + // + ExtProcPolicy *ExtProcPolicy // Metadata fields that can be used for access logging. Kind string @@ -773,7 +774,7 @@ type VirtualHost struct { // ExtProcs contains the configurations for enabling // the ExtProc filters. - ExtProcs []*ExternalProcessor + ExtProcs []*ExtProc } func (v *VirtualHost) AddRoute(route *Route) { @@ -825,9 +826,9 @@ type SecureVirtualHost struct { // the ExtAuthz filter. ExternalAuthorization *ExternalAuthorization - // ExtProcs contains the configurations for enabling + // ExtProc contains the configurations for enabling // the ExtProc filters. - ExtProcs []*ExternalProcessor + ExtProc *ExtProc // JWTProviders specify how to verify JWTs. JWTProviders []JWTProvider @@ -898,9 +899,7 @@ type ExternalAuthorization struct { AuthorizationServerWithRequestBody *AuthorizationServerBufferSettings } -type ExternalProcessor struct { - Name string - +type ExtProc struct { // ExtProcService points to the extension that client // requests are forwarded to for external processing. If nil, no // external processing is enabled for this host. 
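Review bot: The new `ExtProcPolicy *ExtProcPolicy` field in `Route` is preceded by a bare `//` line instead of a doc comment, leaving it undocumented while the neighbouring `IPFilterRules` and `Kind` fields are. Suggest replacing that line with `// ExtProcPolicy optionally disables or overrides the virtual host's external processor for this route; nil presumably leaves the host configuration in effect (confirm against the processor).` The `Route` struct begins before this hunk.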
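Review bot: `SecureVirtualHost.ExtProc` becomes a single `*ExtProc` here while the `@@ -773` hunk leaves `VirtualHost.ExtProcs` as a `[]*ExtProc` slice, so the two virtual-host types no longer model the feature the same way. The httpproxy_processor hunk in this patch only permits `ExtensionServiceRef` on root proxies that terminate TLS, which suggests the cleartext slice is vestigial; a leftover slice field is an easy place for a later change to attach a processor to a non-TLS host, which that validation appears intended to prevent. Either drop `VirtualHost.ExtProcs` or change it to `ExtProc *ExtProc` with the same doc comment as the secure variant. Both struct definitions begin before their hunks.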
@@ -911,20 +910,12 @@ type ExternalProcessor struct { // This is the timeout for a specific request. ResponseTimeout timeout.Setting - // FailOpen sets whether authorization server + // FailOpen sets whether external processing server // failures should cause the client request to also fail. The // only reason to set this to `true` is when you are migrating // from internal to external authorization. FailOpen bool - // Phase determines where in the filter chain this extProc is to be injected. - Phase contour_v1.ProcessingPhase - - // Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, - // they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, - // they will follow the order in which extProc(s) are added, Defaults to 0. - Priority int32 - // Specifies default options for how HTTP headers, trailers, and bodies are sent. ProcessingMode *contour_v1.ProcessingMode diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 56e0000d170..bde37349b28 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -119,6 +119,9 @@ type HTTPProxyProcessor struct { // UpstreamTLS defines the TLS settings like min/max version // and cipher suites for upstream connections. UpstreamTLS *UpstreamTLS + + // GlobalExtProc defines how requests/responses will be operatred + GlobalExtProc *contour_v1.ExternalProcessor } // Run translates HTTPProxies into DAG objects and 
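Review bot: The `FailOpen` comment in the `@@ -911,20 +910,12 @@` hunk still says the only reason to set it is migrating from internal to external authorization, which is ext_authz guidance and does not describe this field on `ExtProc`. For an external processor, fail-open means a processor outage lets requests and responses through without the header or body processing it would have applied, which matters when that processing is relied on for policy, so the comment should say that: `// FailOpen sets whether external processor failures let the request proceed unprocessed (true) or fail the client request (false). Leave false unless the processor is non-essential.` The struct continues outside the hunk.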
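Review bot: The comment on the new `GlobalExtProc` field in the `@@ -119,6 +119,9 @@ type HTTPProxyProcessor` hunk has a typo ("operatred") and does not say how the value relates to per-vhost configuration. Suggest `// GlobalExtProc optionally configures a default external processor applied to every virtual host that neither configures nor disables its own.` — the fallback rule is my reading of computeSecureVirtualHostExtProc further down this patch and should be confirmed.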
@@ -202,33 +205,10 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { return } - extProc := proxy.Spec.VirtualHost.ExternalProcessor - if extProc != nil { - extSvcRefs := map[contour_v1.ExtensionServiceReference]struct{}{} - names := map[string]struct{}{} - - for _, ep := range extProc.Processors { - extSvcName := ep.GRPCService.ExtensionServiceRef - if _, ok := extSvcRefs[extSvcName]; ok { - validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", - fmt.Sprintf("Spec.VirtualHost.ExternalProcessor.Processors is invalid: duplicate extension service name %s/%s", extSvcName.Namespace, extSvcName.Name)) - return - } - extSvcRefs[ep.GRPCService.ExtensionServiceRef] = struct{}{} - - // TODO: autogen ext_proc's name? - if _, ok := names[ep.Name]; ok { - validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", - fmt.Sprintf("Spec.VirtualHost.ExternalProcessor.Processors is invalid: duplicate name %s", ep.Name)) - return - } - names[ep.Name] = struct{}{} - } - - } - - extProcs, ok := p.computeVirtualHostExtProcs(proxy, validCond) - if !ok { + if proxy.Spec.VirtualHost.ExtProc != nil && proxy.Spec.VirtualHost.TLS == nil && + len(proxy.Spec.VirtualHost.ExtProc.Processor.GRPCService.ExtensionServiceRef.Name) > 0 { + validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", + "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS") return } 
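Review bot: The error message added in the `@@ -202,33 +205,10 @@` hunk still names `Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef`, but the condition reads the singular `proxy.Spec.VirtualHost.ExtProc.Processor`, so users are pointed at a field path that no longer exists in the API. Suggest `"Spec.VirtualHost.ExtProc.Processor.GRPCService.ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS"`. The same stale message survives the PATCH 22 rewrite of this check further down the page. computeHTTPProxy continues outside the hunk.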
@@ -319,6 +299,13 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { return } + // same as above + if tls.EnableFallbackCertificate && proxy.Spec.VirtualHost.ExtProcConfigured() { + validCond.AddError(contour_v1.ConditionTypeTLSError, "TLSIncompatibleFeatures", + "Spec.Virtualhost.TLS fallback & external processing are incompatible") + return + } + // If FallbackCertificate is enabled, but no cert passed, set error if tls.EnableFallbackCertificate { if p.FallbackCertificate == nil { @@ -402,7 +389,9 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { return } - svhost.ExtProcs = extProcs + if !p.computeSecureVirtualHostExtProc(validCond, proxy, svhost) { + return + } providerNames := sets.NewString() for _, jwtProvider := range proxy.Spec.VirtualHost.JWTProviders { @@ -579,7 +568,13 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { _ = p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, proxy) } - insecure.ExtProcs = extProcs + if p.GlobalExternalAuthorization != nil && !proxy.Spec.VirtualHost.DisableAuthorization() { + _ = p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, proxy) + } + + if p.GlobalExtProc != nil && !proxy.Spec.VirtualHost.ExtProcDisabled() { + _ = p.computeVirtualHostExtProc(p.GlobalExtProc, validCond, proxy) + } insecure.IPFilterAllow, insecure.IPFilterRules, err = toIPFilterRules(proxy.Spec.VirtualHost.IPAllowFilterPolicy, proxy.Spec.VirtualHost.IPDenyFilterPolicy, validCond) if err != nil { 
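Review bot: The comment `// same as above` on the new fallback-certificate check in the `@@ -319,6 +299,13 @@` hunk depends on context outside the hunk and will not survive a reorder. State the reason directly, e.g. `// The fallback certificate filter chain cannot carry a per-vhost ext_proc filter, so reject the combination.` if that is the reason (my inference from the fallback-chain handling in xdscache/v3/listener.go on this page; please confirm). computeHTTPProxy continues outside the hunk.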
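Review bot: The `@@ -579,7 +568,13 @@` hunk adds a `GlobalExternalAuthorization` block that repeats the `computeVirtualHostAuthorization(p.GlobalExternalAuthorization, …)` call visible in the context line directly above it, so global authorization would be validated twice for insecure virtual hosts and any condition it records may be added twice. Only the `GlobalExtProc` block looks intended; drop the three duplicated lines. The result of `computeVirtualHostExtProc` is discarded with `_ =` here, so for the insecure vhost the call only validates the reference; if that is the design, a comment such as `// validate only; the plaintext listener carries the global ext_proc filter` would make it explicit.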
@@ -912,28 +907,25 @@ func (p *HTTPProxyProcessor) computeRoutes( // If the enclosing root proxy enabled external processing, // enable it on the route and propagate defaults // downwards. - if rootProxy.Spec.VirtualHost.ExtProcConfigured() { + if !rootProxy.Spec.VirtualHost.ExtProcDisabled() && route.ExtProcPolicy != nil { + // Take the default for enabling external processing // from the virtual host. If this route has a // policy, let that override. - if route.ExtProcPolicies != nil { - if r.ExtProcPolicies == nil { - r.ExtProcPolicies = map[string]*ExtProcPolicy{} - } - for _, policy := range route.ExtProcPolicies { - var overrides *ExtProcOverrides - if policy.Overrides != nil { - overrides = toExtProcOverrides(policy.Overrides, validCond, proxy.Namespace, p.dag.GetExtensionCluster) - if overrides == nil { - return nil - } - } - r.ExtProcPolicies[policy.Name] = &ExtProcPolicy{ - Overrides: overrides, - Disabled: policy.Disabled, - } + var overrides *ExtProcOverrides + + disabled := route.ExtProcPolicy.Disabled + if !disabled && route.ExtProcPolicy.Overrides != nil { + overrides = toExtProcOverrides(route.ExtProcPolicy.Overrides, validCond, proxy.Namespace, p.dag.GetExtensionCluster) + if overrides == nil { + return nil } } + + r.ExtProcPolicy = &ExtProcPolicy{ + Overrides: overrides, + Disabled: disabled, + } } if len(route.GetPrefixReplacements()) > 0 { 
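Review bot: The new guard in the `@@ -912,28 +907,25 @@` hunk honours a route's `ExtProcPolicy` whenever the root vhost has not disabled ext_proc, whereas the removed code required `ExtProcConfigured()`; a route policy on a vhost with neither a vhost-level nor a global processor would now emit a per-route `ExtProcFilterName` config for a filter that is absent from that listener's chain, which Envoy may reject unless the per-filter config is marked optional (inferred from route.go and the listener changes on this page; please confirm). Suggest tightening to `if !rootProxy.Spec.VirtualHost.ExtProcDisabled() && route.ExtProcPolicy != nil && (rootProxy.Spec.VirtualHost.ExtProcConfigured() || p.GlobalExtProc != nil) {`. computeRoutes continues outside the hunk.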
@@ -1498,50 +1490,33 @@ func (p *HTTPProxyProcessor) computeVirtualHostAuthorization( return extAuth } -// computeVirtualHostExtProcs compute the ext_proc for listener, if it's disabled -// skip it -func (p *HTTPProxyProcessor) computeVirtualHostExtProcs( - httpproxy *contour_v1.HTTPProxy, +func (p *HTTPProxyProcessor) computeVirtualHostExtProc( + extProc *contour_v1.ExternalProcessor, validCond *contour_v1.DetailedCondition, -) ([]*ExternalProcessor, bool) { - if !httpproxy.Spec.VirtualHost.ExtProcConfigured() { - return nil, true + httpproxy *contour_v1.HTTPProxy, +) *ExtProc { + grpcSvc := extProc.Processor.GRPCService + ok, extSvc := validateExtensionService( + defaultExtensionRef(grpcSvc.ExtensionServiceRef), + validCond, + httpproxy.Namespace, + contour_v1.ConditionTypeExtProcError, + p.dag.GetExtensionCluster) + if !ok { + return nil } - extProcessor := httpproxy.Spec.VirtualHost.ExternalProcessor - - var extProcs []*ExternalProcessor - for _, ep := range extProcessor.Processors { - if ep.Disabled { - continue - } - ok, extSvc := validateExtensionService( - defaultExtensionRef(ep.GRPCService.ExtensionServiceRef), - validCond, - httpproxy.Namespace, - contour_v1.ConditionTypeExtProcError, - p.dag.GetExtensionCluster) - if !ok { - return nil, false - } - ok, respTimeout := determineExtensionServiceTimeout(contour_v1.ConditionTypeExtProcError, ep.GRPCService.ResponseTimeout, validCond, extSvc) - if !ok { - return nil, false - } - - extProcs = append(extProcs, &ExternalProcessor{ - ExtProcService: extSvc, - ResponseTimeout: *respTimeout, - FailOpen: ep.GRPCService.FailOpen, - ProcessingMode: ep.ProcessingMode, - MutationRules: ep.MutationRules, - Phase: ep.Phase, - Priority: ep.Priority, - Name: ep.Name, - }) - + ok, respTimeout := determineExtensionServiceTimeout(contour_v1.ConditionTypeExtProcError, grpcSvc.ResponseTimeout, validCond, extSvc) + if !ok { + return nil } - return extProcs, true + return &ExtProc{ + ExtProcService: extSvc, + ResponseTimeout: 
*respTimeout, + FailOpen: grpcSvc.FailOpen, + ProcessingMode: extProc.Processor.ProcessingMode, + MutationRules: extProc.Processor.MutationRules, + } } const ( @@ -1614,6 +1589,31 @@ func determineExtensionServiceTimeout( return true, &tout } +func (p *HTTPProxyProcessor) computeSecureVirtualHostExtProc( + validCond *contour_v1.DetailedCondition, + httpproxy *contour_v1.HTTPProxy, + svhost *SecureVirtualHost, +) bool { + if !httpproxy.Spec.VirtualHost.ExtProcDisabled() { + var ( + ep *ExtProc + computed bool + ) + if httpproxy.Spec.VirtualHost.ExtProcConfigured() { + computed = true + ep = p.computeVirtualHostExtProc(httpproxy.Spec.VirtualHost.ExtProc, validCond, httpproxy) + } else if p.GlobalExtProc != nil { + computed = true + ep = p.computeVirtualHostExtProc(p.GlobalExtProc, validCond, httpproxy) + } + if computed && ep == nil { + return false + } + svhost.ExtProc = ep + } + return true +} + func (p *HTTPProxyProcessor) computeSecureVirtualHostAuthorization(validCond *contour_v1.DetailedCondition, httpproxy *contour_v1.HTTPProxy, svhost *SecureVirtualHost) bool { if httpproxy.Spec.VirtualHost.AuthorizationConfigured() && !httpproxy.Spec.VirtualHost.DisableAuthorization() { authorization := p.computeVirtualHostAuthorization(httpproxy.Spec.VirtualHost.Authorization, validCond, httpproxy) diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 7940432ec67..72fba8c2a28 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go 
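Review bot: `computeVirtualHostExtProc` in the `@@ -1498,50 +1490,33 @@` hunk dereferences `extProc.Processor.GRPCService` without checking either pointer, and the removed version's doc comment was dropped rather than rewritten. `ExtProcConfigured()` (as fixed in PATCH 21 further down) only establishes `Processor != nil`, so an HTTPProxy whose processor omits `grpcService` would reach `grpcSvc.ExtensionServiceRef` with `grpcSvc == nil` and panic the controller, unless CRD validation marks that field required, which I cannot see from this page. A guard at the top such as `if extProc.Processor == nil || extProc.Processor.GRPCService == nil { validCond.AddError(contour_v1.ConditionTypeExtProcError, "ExtProcInvalid", "Spec.VirtualHost.ExtProc.Processor.GRPCService must be set"); return nil }` (reason string illustrative) plus `// computeVirtualHostExtProc validates the processor's ExtensionService reference and timeout and returns the DAG ExtProc, or nil with a condition recorded.` would cover both points.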
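Review bot: `computeSecureVirtualHostExtProc` in the `@@ -1614,6 +1589,31 @@` hunk has no doc comment, and the `computed` flag plus nested `if`/`else if` obscures a simple rule: use the vhost processor, else the global one, else nothing. A doc comment such as `// computeSecureVirtualHostExtProc attaches the vhost's external processor, falling back to the global one, unless the vhost disables ext_proc; it returns false when the chosen processor is invalid.` is the minimum; selecting the source first and computing once also removes the flag.
```go
func (p *HTTPProxyProcessor) computeSecureVirtualHostExtProc(
	validCond *contour_v1.DetailedCondition,
	httpproxy *contour_v1.HTTPProxy,
	svhost *SecureVirtualHost,
) bool {
	if httpproxy.Spec.VirtualHost.ExtProcDisabled() {
		return true
	}
	var src *contour_v1.ExternalProcessor
	switch {
	case httpproxy.Spec.VirtualHost.ExtProcConfigured():
		src = httpproxy.Spec.VirtualHost.ExtProc
	case p.GlobalExtProc != nil:
		src = p.GlobalExtProc
	default:
		return true
	}
	ep := p.computeVirtualHostExtProc(src, validCond, httpproxy)
	if ep == nil {
		return false
	}
	svhost.ExtProc = ep
	return true
}
```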
@@ -414,53 +414,6 @@ func findFilterIndex(filters []*envoy_filter_network_http_connection_manager_v3. return -1 } -func makePhaseFilters(processors []*dag.ExternalProcessor, phase contour_v1.ProcessingPhase) []*envoy_filter_network_http_connection_manager_v3.HttpFilter { - var filters []*envoy_filter_network_http_connection_manager_v3.HttpFilter - var extProcs []*dag.ExternalProcessor - - for _, ep := range processors { - if len(ep.Phase) == 0 { - ep.Phase = contour_v1.DefaultPhase - } - if ep.Phase != phase { - continue - } - extProcs = append(extProcs, ep) - } - - sort.Stable(sorter.For(extProcs)) - for _, ep := range extProcs { - filters = append(filters, filterExtProc(ep)) - } - return filters -} - -func (b *httpConnectionManagerBuilder) AddExtProcFilters(processors []*dag.ExternalProcessor) *httpConnectionManagerBuilder { - phases := map[contour_v1.ProcessingPhase]string{ - contour_v1.AuthN: JWTAuthnFilterName, - contour_v1.AuthZ: ExtAuthzFilterName, - contour_v1.CORS: CORSFilterName, - contour_v1.RateLimit: GlobalRateLimitFilterName, - contour_v1.DefaultPhase: RouterFilterName, - } - for phase, name := range phases { - // only insert when we find the 'anchor' - if i := findFilterIndex(b.filters, name); i != -1 { - second := make([]*envoy_filter_network_http_connection_manager_v3.HttpFilter, len(b.filters[i:])) - copy(second, b.filters[i:]) - b.filters = b.filters[:i] - - for _, f := range makePhaseFilters(processors, phase) { - b.AddFilter(f) - } - for _, f := range second { - b.AddFilter(f) - } - } - } - return b -} - // AddFilter appends f to the list of filters for this HTTPConnectionManager. f // may be nil, in which case it is ignored. Note that Router filters // (filters with TypeUrl `type.googleapis.com/envoy.extensions.filters.envoy_filter_network_http_connection_manager_v3.router.v3.Router`) 
@@ -869,9 +822,12 @@ func makeProcessMode(mode *contour_v1.ProcessingMode) *envoy_filter_http_ext_pro } } -// filterExtProc returns an `ext_proc` filter configured with the +// FilterExtProc returns an `ext_proc` filter configured with the // requested parameters. -func filterExtProc(extProc *dag.ExternalProcessor) *envoy_filter_network_http_connection_manager_v3.HttpFilter { +func FilterExtProc(extProc *dag.ExtProc) *envoy_filter_network_http_connection_manager_v3.HttpFilter { + if extProc == nil { + return nil + } if extProc.ProcessingMode == nil { extProc.ProcessingMode = &contour_v1.ProcessingMode{ RequestHeaderMode: contour_v1.ProcessingModeSend, @@ -904,7 +860,7 @@ func filterExtProc(extProc *dag.ExternalProcessor) *envoy_filter_network_http_co } return &envoy_filter_network_http_connection_manager_v3.HttpFilter{ - Name: extProc.Name, + Name: ExtProcFilterName, ConfigType: &envoy_filter_network_http_connection_manager_v3.HttpFilter_TypedConfig{ TypedConfig: protobuf.MustMarshalAny(&extProcConfig), }, diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go index 00d62d018c5..da88b2bb565 100644 --- a/internal/envoy/v3/route.go +++ b/internal/envoy/v3/route.go 
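Review bot: `FilterExtProc` in the `@@ -869,9 +822,12 @@` hunk is now exported and nil-tolerant, but its doc comment does not say that a nil argument yields a nil filter, and the context lines show it still assigns a default into `extProc.ProcessingMode`, mutating the caller's `*dag.ExtProc`. Now that xdscache calls it on DAG objects for every listener rebuild, that write lands in shared DAG state rather than a local; prefer `mode := extProc.ProcessingMode`, assign the default to `mode`, and use it wherever `extProc.ProcessingMode` is read below. Suggested doc: `// FilterExtProc returns an ext_proc HTTP filter configured from extProc, or nil when extProc is nil.` The function body continues outside the hunk.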
@@ -158,12 +158,12 @@ func buildRoute(dagRoute *dag.Route, vhostName string, secure bool) *envoy_confi } // Apply per-route external processing policy modifications. - for name, policy := range dagRoute.ExtProcPolicies { - // if disabled, do nothing - if policy.Disabled { - route.TypedPerFilterConfig[name] = routeExtProcDisabled() - } else if policy.Overrides != nil { - route.TypedPerFilterConfig[name] = routeExtProcOverrides(policy.Overrides) + // if both disabled & overrides has been set, use disabled do + if dagRoute.ExtProcPolicy != nil { + if dagRoute.ExtProcPolicy.Disabled { + route.TypedPerFilterConfig[ExtProcFilterName] = routeExtProcDisabled() + } else if dagRoute.ExtProcPolicy.Overrides != nil { + route.TypedPerFilterConfig[ExtProcFilterName] = routeExtProcOverrides(dagRoute.ExtProcPolicy.Overrides) } } diff --git a/internal/fixture/httpproxy.go b/internal/fixture/httpproxy.go index 4f4d16cf991..b68168f7fae 100644 --- a/internal/fixture/httpproxy.go +++ b/internal/fixture/httpproxy.go @@ -92,6 +92,6 @@ func (b *ProxyBuilder) WithAuthServer(auth contour_v1.AuthorizationServer) *Prox func (b *ProxyBuilder) WithExternalProcessor(extProc *contour_v1.ExternalProcessor) *ProxyBuilder { b.ensureTLS() - b.Spec.VirtualHost.ExternalProcessor = extProc + b.Spec.VirtualHost.ExtProc = extProc return b } diff --git a/internal/sorter/sorter.go b/internal/sorter/sorter.go index 82fe99ea463..482581f797e 100644 --- a/internal/sorter/sorter.go +++ b/internal/sorter/sorter.go 
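Review bot: The comment `// if both disabled & overrides has been set, use disabled do` in the `@@ -158,12 +158,12 @@` hunk is garbled, and it sits above the nil check rather than the branch it explains. Suggest `// A route policy may both disable the filter and carry overrides; Disabled takes precedence.` placed directly above `if dagRoute.ExtProcPolicy.Disabled {`. buildRoute continues outside the hunk.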
@@ -443,12 +443,6 @@ func (s secretSorter) Len() int { return len(s) } func (s secretSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } func (s secretSorter) Less(i, j int) bool { return s[i].Name < s[j].Name } -type extProcSorter []*dag.ExternalProcessor - -func (s extProcSorter) Len() int { return len(s) } -func (s extProcSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } -func (s extProcSorter) Less(i, j int) bool { return s[i].Priority > s[j].Priority } - // For returns a sort.Interface object that can be used to sort the // given value. It returns nil if there is no sorter for the type of // value. @@ -479,9 +473,6 @@ func For(v any) sort.Interface { case []*envoy_config_listener_v3.FilterChain: return filterChainSorter(v) - case []*dag.ExternalProcessor: - return extProcSorter(v) - default: return nil } diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index dfac9aa53f4..78fc74ef04a 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -145,6 +145,10 @@ type ListenerConfig struct { // used. GlobalExternalAuthConfig *GlobalExternalAuthConfig + // GlobalExtProcConfig optionally configures the global external processing service to be + // used. + GlobalExtProcConfig *GlobalExtProcConfig + // TracingConfig optionally configures the tracing collector Service to be // used. TracingConfig *TracingConfig @@ -206,8 +210,6 @@ type GlobalExtProcConfig struct { ExtensionServiceConfig FailOpen bool - Phase contour_v1.ProcessingPhase - Priority int32 ProcessingMode *contour_v1.ProcessingMode MutationRules *contour_v1.HeaderMutationRules } 
@@ -425,7 +427,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { Tracing(envoy_v3.TracingConfig(envoyTracingConfig(cfg.TracingConfig))). AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))). EnableWebsockets(listener.EnableWebsockets). - AddExtProcFilters(listener.VirtualHosts[0].ExtProcs). + AddFilter(envoy_v3.FilterExtProc(toExtProc(cfg.GlobalExtProcConfig))). Get() listeners[listener.Name] = envoy_v3.Listener( @@ -501,7 +503,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { MaxRequestsPerConnection(cfg.MaxRequestsPerConnection). HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams). EnableWebsockets(listener.EnableWebsockets). - AddExtProcFilters(vh.ExtProcs). + AddFilter(envoy_v3.FilterExtProc(vh.ExtProc)). Get() filters = envoy_v3.Filters(cm) @@ -577,6 +579,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) { MaxRequestsPerConnection(cfg.MaxRequestsPerConnection). HTTP2MaxConcurrentStreams(cfg.HTTP2MaxConcurrentStreams). EnableWebsockets(listener.EnableWebsockets). + AddFilter(envoy_v3.FilterExtProc(toExtProc(cfg.GlobalExtProcConfig))). Get() // Default filter chain @@ -628,6 +631,23 @@ func httpGlobalExternalAuthConfig(config *GlobalExternalAuthConfig) *envoy_filte }) } +func toExtProc(p *GlobalExtProcConfig) *dag.ExtProc { + if p == nil { + return nil + } + + return &dag.ExtProc{ + ExtProcService: &dag.ExtensionCluster{ + Name: dag.ExtensionClusterName(p.ExtensionServiceConfig.ExtensionService), + SNI: p.ExtensionServiceConfig.SNI, + }, + FailOpen: p.FailOpen, + ResponseTimeout: p.ExtensionServiceConfig.Timeout, + ProcessingMode: p.ProcessingMode, + MutationRules: p.MutationRules, + } +} + func envoyGlobalRateLimitConfig(config *RateLimitConfig) *envoy_v3.GlobalRateLimitConfig { if config == nil { return nil From 70aca50b3b8a87caf2a03b2a68793c22ad221900 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 14 Mar 2024 17:56:04 +0800 Subject: [PATCH 20/31] remove deadcode 
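Review bot: In the `@@ -425,7 +427,7 @@` hunk the global ext_proc filter is appended to the plaintext listener's single HTTP connection manager, so it applies to every insecure virtual host on that listener; the only per-vhost opt-out visible on this page is computeHTTPProxy skipping validation when `ExtProcDisabled()` is true, which does not remove the filter for that host, whereas the secure path in the `@@ -501` hunk simply omits the filter from the vhost's chain. If `disabled: true` on an insecure vhost is meant to take effect, the insecure virtual host needs a `TypedPerFilterConfig` entry for `ExtProcFilterName` with the filter disabled, or the docs should state that the global processor cannot be disabled for plaintext hosts. `toExtProc` in the `@@ -628` hunk would also benefit from `// toExtProc converts the global ext_proc configuration into the DAG form consumed by FilterExtProc; nil in, nil out.`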
Signed-off-by: gang.liu --- internal/dag/dag.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 5ec670e4d82..6a98268485e 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -771,10 +771,6 @@ type VirtualHost struct { IPFilterRules []IPFilterRule Routes map[string]*Route - - // ExtProcs contains the configurations for enabling - // the ExtProc filters. - ExtProcs []*ExtProc } func (v *VirtualHost) AddRoute(route *Route) { From daa54f69c886959d8644f7335694f8922a3193a3 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Fri, 15 Mar 2024 10:53:19 +0800 Subject: [PATCH 21/31] fix crash Signed-off-by: gang.liu --- apis/projectcontour/v1/helpers.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index 3b9fd80bc30..e5ff1c17b86 100644 --- a/apis/projectcontour/v1/helpers.go +++ b/apis/projectcontour/v1/helpers.go @@ -53,7 +53,7 @@ func (v *VirtualHost) AuthorizationContext() map[string]string { // ExtProcConfigured returns whether external processing are // configured on this virtual host. func (v *VirtualHost) ExtProcConfigured() bool { - return v.ExtProc.Processor != nil + return v.ExtProc != nil && v.ExtProc.Processor != nil } // ExtProcDisabled returns true if this virtual host disables From 9ac6f52948a934d38e44c5883fed47c9c74e1e09 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Fri, 15 Mar 2024 11:42:00 +0800 Subject: [PATCH 22/31] fix crash Signed-off-by: gang.liu --- internal/dag/httpproxy_processor.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index bde37349b28..f34385e9497 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go 
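Review bot: The doc comment above the fixed `ExtProcConfigured` in the `@@ -53,7 +53,7 @@` hunk reads "returns whether external processing are configured", and after this change the method asserts only that a processor is present, not that it is fully specified (`GRPCService` may still be nil). Suggest `// ExtProcConfigured reports whether this virtual host declares an external processor; it does not validate the processor's GRPCService.`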
@@ -205,13 +205,13 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { return } - if proxy.Spec.VirtualHost.ExtProc != nil && proxy.Spec.VirtualHost.TLS == nil && - len(proxy.Spec.VirtualHost.ExtProc.Processor.GRPCService.ExtensionServiceRef.Name) > 0 { + extProc := proxy.Spec.VirtualHost.ExtProc + if extProc != nil && extProc.Processor != nil && extProc.Processor.GRPCService != nil && + proxy.Spec.VirtualHost.TLS == nil && len(extProc.Processor.GRPCService.ExtensionServiceRef.Name) > 0 { validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS") return } - if len(proxy.Spec.VirtualHost.IPAllowFilterPolicy) > 0 && len(proxy.Spec.VirtualHost.IPDenyFilterPolicy) > 0 { validCond.AddError(contour_v1.ConditionTypeIPFilterError, "IncompatibleIPAddressFilters", "Spec.VirtualHost.IPAllowFilterPolicy and Spec.VirtualHost.IPDepnyFilterPolicy cannot both be defined.") From e1e8c194d299284b49ad006c17c556b78f435644 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Fri, 15 Mar 2024 17:23:45 +0800 Subject: [PATCH 23/31] enable disabled for globalExtProc Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 1 - cmd/contour/serve.go | 5 +++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index ae40e7ce982..b63c45c1b51 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go @@ -524,7 +524,6 @@ type ExternalProcessor struct { // // if both Disabled and Processor are set. use disabled. // - // it just work for virtualhost // +optional Disabled bool `json:"disabled,omitempty"` } diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index f8b9476eac0..325d8de3beb 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go 
@@ -890,11 +890,12 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_ } func (s *Server) setupGlobalExtProc(contourCfg contour_v1alpha1.ContourConfigurationSpec) (*xdscache_v3.GlobalExtProcConfig, error) { - if contourCfg.GlobalExtProc == nil || contourCfg.GlobalExtProc.Processor == nil || contourCfg.GlobalExtProc.Processor.GRPCService == nil { + extProc := contourCfg.GlobalExtProc + if extProc == nil || extProc.Disabled || extProc.Processor == nil || extProc.Processor.GRPCService == nil { return nil, nil } - grpcSvc := contourCfg.GlobalExtProc.Processor.GRPCService + grpcSvc := extProc.Processor.GRPCService // ensure the specified ExtensionService exists extSvcCfg, err := s.getExtensionSvcConfig(grpcSvc.ExtensionServiceRef.Name, grpcSvc.ExtensionServiceRef.Namespace) From b401806f7ac94cfba61b782e1e298bb4461c22fc Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Mon, 18 Mar 2024 16:09:17 +0800 Subject: [PATCH 24/31] read extProc config from configMap Signed-off-by: gang.liu --- cmd/contour/servecontext.go | 23 ++++++++++++++++++++ pkg/config/parameters.go | 43 +++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go index 3a1057b6479..1b557499053 100644 --- a/cmd/contour/servecontext.go +++ b/cmd/contour/servecontext.go 
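Review bot: `setupGlobalExtProc` in the `@@ -890,11 +890,12 @@` hunk looks up the extension service with `grpcSvc.ExtensionServiceRef.Name, grpcSvc.ExtensionServiceRef.Namespace` straight from the configuration, whereas the HTTPProxy path on this page first applies `defaultExtensionRef(...)`; a ContourConfiguration that omits `namespace` on the ref would be looked up with an empty namespace here (the config-file path fills it in via `k8s.NamespacedNameFrom`, but the CRD path does not pass through that code). Consider defaulting the namespace inline before the lookup, or documenting that it is required on the global reference. Returning `nil, nil` when `extProc.Disabled` is set also silently drops the configuration; a debug log line would make that choice visible to operators. The function continues outside the hunk.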
@@ -457,6 +457,28 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co } } + var globalExtProc *contour_v1.ExternalProcessor + if ctx.Config.GlobalExtProc != nil { + // disabled or no processor, ignore it + if !ctx.Config.GlobalExtProc.Disabled && ctx.Config.GlobalExtProc.Processor != nil { + extProc := ctx.Config.GlobalExtProc.Processor + + nsedName := k8s.NamespacedNameFrom(extProc.ExtensionService) + globalExtProc = &contour_v1.ExternalProcessor{ + Processor: &contour_v1.ExtProc{ + GRPCService: &contour_v1.GRPCService{ + ExtensionServiceRef: contour_v1.ExtensionServiceReference{ + Name: nsedName.Name, + Namespace: nsedName.Namespace, + }, + ResponseTimeout: extProc.ResponseTimeout, + FailOpen: extProc.FailOpen, + }, + }, + } + } + } + policy := &contour_v1alpha1.PolicyConfig{ RequestHeadersPolicy: &contour_v1alpha1.HeadersPolicy{ Set: ctx.Config.Policy.RequestHeadersPolicy.Set, @@ -590,6 +612,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co }, EnableExternalNameService: &ctx.Config.EnableExternalNameService, GlobalExternalAuthorization: globalExtAuth, + GlobalExtProc: globalExtProc, RateLimitService: rateLimitService, Policy: policy, Metrics: &contourMetrics, diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index e1bafe249f9..48f6691a391 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -712,6 +712,9 @@ type Parameters struct { // from k8s endpoint slices. defaults to false and reading endpoint // data from the k8s endpoints. FeatureFlags []string `yaml:"featureFlags,omitempty"` + + // GlobalExtProc optionally holds properties of the global external processing configurations. + GlobalExtProc *GlobalExternalProcessor `yaml:"globalExtProc,omitempty"` } // Tracing defines properties for exporting trace data to OpenTelemetry. 
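Review bot: The `globalExtProc` built in the `@@ -457,6 +457,28 @@` hunk carries only `ExtensionServiceRef`, `ResponseTimeout` and `FailOpen`, so a processor configured through the config file always runs with the default `ProcessingMode` and no `MutationRules`, while both are settable on the CRD path; if that is intentional, the `GlobalExternalProcessor` type in pkg/config should say so. A comment here such as `// ProcessingMode and MutationRules are not exposed in the config file; use the ContourConfiguration CRD for those.` would save the next reader the comparison.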
@@ -820,6 +823,46 @@ type GlobalAuthorizationPolicy struct { Context map[string]string `yaml:"context,omitempty"` } +// The External Processing filter allows an external service to act on HTTP traffic in a flexible way +// The external server must implement the v3 Envoy +// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). +type ExternalProcessor struct { + // ExtensionService identifies the extension service defining the RLS, + // formatted as /. + ExtensionService string `yaml:"extensionService,omitempty"` + + // ResponseTimeout configures maximum time to wait for a check response from the expProc server. + // Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + // The string "infinity" is also a valid input and specifies no timeout. + // + // +optional + ResponseTimeout string `yaml:"responseTimeout,omitempty"` + + // If FailOpen is true, the client request is forwarded to the upstream service + // even if the authorization server fails to respond. This field should not be + // set in most cases. It is intended for use only while migrating applications + // from internal authorization to Contour external authorization. + // + // +optional + FailOpen bool `yaml:"failOpen,omitempty"` +} + +// The External Processing filter allows an external service to act on HTTP traffic in a flexible way +// The external server must implement the v3 Envoy +// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). 
+type GlobalExternalProcessor struct { + // Processor configures the global external processing + // + // +optional + Processor *ExternalProcessor `yaml:"processor,omitempty"` + + // If Disabled is true, no external processing will be append to the filter chain + // + // +optional + Disabled bool `yaml:"disabled,omitempty"` +} + // RateLimitService defines properties of a global Rate Limit Service. type RateLimitService struct { // ExtensionService identifies the extension service defining the RLS, From ffb64947540f04ccf5b54001df0e5b6467a89e9e Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Mon, 18 Mar 2024 17:03:08 +0800 Subject: [PATCH 25/31] make lint happy Signed-off-by: gang.liu --- examples/contour/01-crds.yaml | 3 --- examples/render/contour-deployment.yaml | 3 --- examples/render/contour-gateway-provisioner.yaml | 3 --- examples/render/contour-gateway.yaml | 3 --- examples/render/contour.yaml | 3 --- internal/envoy/v3/listener.go | 9 --------- 6 files changed, 24 deletions(-) diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 2b8efd3253e..1eb34d042ee 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml @@ -723,7 +723,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -4583,7 +4582,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -7881,7 +7879,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- 
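Review bot: The field docs on `ExternalProcessor` in the `@@ -820,6 +823,46 @@` hunk are copied from other services and are wrong for this type: `ExtensionService` says it defines "the RLS" and its format placeholder is garbled, `ResponseTimeout` says "expProc", and `FailOpen` talks about the authorization server and migrating from internal authorization. For `FailOpen` the distinction matters operationally, since a fail-open processor that is down means traffic flows without whatever header or body processing it was meant to enforce; suggest `// If FailOpen is true, requests and responses are forwarded unprocessed when the external processor fails or times out; otherwise the client request fails. Leave false unless the processor is non-essential.` and `// ExtensionService identifies the ExtensionService implementing the external processor, formatted as <namespace>/<name>.` The two identical type-level comments should also be differentiated, one for the processor itself and one for the global wrapper with its `Disabled` switch.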
diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index e5b3b32fac3..e7f1073fd59 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -943,7 +943,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -4803,7 +4802,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -8101,7 +8099,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index f9bf2b2e8cb..e3a7de80efc 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -734,7 +734,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -4594,7 +4593,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- 
@@ -7892,7 +7890,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index f63c1427cbd..69a211afeb5 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -759,7 +759,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -4619,7 +4618,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -7917,7 +7915,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index a647ae2609c..e79113d803a 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -943,7 +943,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- 
@@ -4803,7 +4802,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- @@ -8101,7 +8099,6 @@ spec: When true, this field disables the external processor: (neither global nor virtualHost) for the scope of the policy. if both Disabled and Processor are set. use disabled. - it just work for virtualhost type: boolean processor: description: |- diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index 72fba8c2a28..24691d1cd4a 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go @@ -405,15 +405,6 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu return b } -func findFilterIndex(filters []*envoy_filter_network_http_connection_manager_v3.HttpFilter, name string) int { - for i, v := range filters { - if v.Name == name { - return i - } - } - return -1 -} - // AddFilter appends f to the list of filters for this HTTPConnectionManager. f // may be nil, in which case it is ignored. Note that Router filters // (filters with TypeUrl `type.googleapis.com/envoy.extensions.filters.envoy_filter_network_http_connection_manager_v3.router.v3.Router`) From 7bb8868886f6c5f4ce8fadfd9e377daa3f54f3ce Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Tue, 19 Mar 2024 10:26:32 +0800 Subject: [PATCH 26/31] refactor 
Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 19 ++---- .../v1/zz_generated.deepcopy.go | 27 +------- cmd/contour/serve.go | 1 + examples/contour/01-crds.yaml | 67 +++++++++++++++++++ examples/render/contour-deployment.yaml | 67 +++++++++++++++++++ .../render/contour-gateway-provisioner.yaml | 67 +++++++++++++++++++ examples/render/contour-gateway.yaml | 67 +++++++++++++++++++ examples/render/contour.yaml | 67 +++++++++++++++++++ internal/dag/dag.go | 4 ++ internal/dag/httpproxy_processor.go | 13 ++-- internal/envoy/v3/listener.go | 2 +- internal/xdscache/v3/listener.go | 14 ++-- 12 files changed, 363 insertions(+), 52 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index b63c45c1b51..98dc0d5f4d0 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go 
@@ -490,23 +490,16 @@ type ExtProc struct { // MutationRules specifies what headers may be manipulated by a processing filter. // This set of rules makes it possible to control which modifications a filter may make. // - // +optional - MutationRules *HeaderMutationRules `json:"mutationRules,omitempty"` -} - -// ExtProcOverride override aspects of the configuration for this route. -// A set of overrides in a more specific configuration will override a “disabled” flag set in a less-specific one. -type ExtProcOverride struct { - // GRPCService configure the gRPC service that the filter will communicate with. + // for Overrides is must be nil // // +optional - GRPCService *GRPCService `json:"grpcService,omitempty"` + MutationRules *HeaderMutationRules `json:"mutationRules,omitempty"` - // ProcessingMode describes which parts of an HTTP request and response are sent to a remote server - // and how they are delivered. + // If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + // If false, `mode_override` API in the response message will be ignored. // // +optional - ProcessingMode *ProcessingMode `json:"processingMode,omitempty"` + AllowModeOverride bool `json:"allowModeOverride,omitempty"` } // ExternalProcessor defines a processing filter list and the policy for fine-grained at VirutalHost and/or Route level. @@ -541,7 +534,7 @@ type ExtProcPolicy struct { // Overrides aspects of the configuration for this route. // // +optional - Overrides *ExtProcOverride `json:"overrides,omitempty"` + Overrides *ExtProc `json:"overrides,omitempty"` } // VirtualHost appears at most once. If it is present, the object is considered diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go index fcd3b8fd613..57171908c07 100644 --- a/apis/projectcontour/v1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1/zz_generated.deepcopy.go 
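Review bot: The constraint on `MutationRules` is stated only as the comment `for Overrides is must be nil`, yet the same `ExtProc` type now becomes the type of `ExtProcPolicy.Overrides` (second hunk, @@ -541), so the CRD schema generated from it accepts `overrides.mutationRules`; if nothing rejects that field, a user who sets header-mutation restrictions in an override has them silently ignored, which is the wrong failure direction for a restriction. The processor change is outside this view, so if it already sets an error condition when `Overrides.MutationRules != nil`, only the wording needs fixing; otherwise that check should be added rather than relying on the comment. Suggested comment: `// MutationRules is honored only on the filter-level processor; it must be left unset in ExtProcPolicy.Overrides.`. The doc comment on `AllowModeOverride` also has an unbalanced backtick after mode_override, which is copied into every generated CRD description below.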
@@ -298,37 +298,12 @@ func (in *ExtProc) DeepCopy() *ExtProc { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ExtProcOverride) DeepCopyInto(out *ExtProcOverride) { - *out = *in - if in.GRPCService != nil { - in, out := &in.GRPCService, &out.GRPCService - *out = new(GRPCService) - **out = **in - } - if in.ProcessingMode != nil { - in, out := &in.ProcessingMode, &out.ProcessingMode - *out = new(ProcessingMode) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProcOverride. -func (in *ExtProcOverride) DeepCopy() *ExtProcOverride { - if in == nil { - return nil - } - out := new(ExtProcOverride) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtProcPolicy) DeepCopyInto(out *ExtProcPolicy) { *out = *in if in.Overrides != nil { in, out := &in.Overrides, &out.Overrides - *out = new(ExtProcOverride) + *out = new(ExtProc) (*in).DeepCopyInto(*out) } } diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 325d8de3beb..d7b285a23b0 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -907,6 +907,7 @@ func (s *Server) setupGlobalExtProc(contourCfg contour_v1alpha1.ContourConfigura FailOpen: grpcSvc.FailOpen, ProcessingMode: contourCfg.GlobalExtProc.Processor.ProcessingMode, MutationRules: contourCfg.GlobalExtProc.Processor.MutationRules, + AllowModeOverride: contourCfg.GlobalExtProc.Processor.AllowModeOverride, }, nil } diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 1eb34d042ee..ca253137e6a 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml 
@@ -731,6 +731,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -778,6 +783,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -4590,6 +4596,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -4637,6 +4648,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- 
@@ -6203,6 +6215,11 @@ spec: description: Overrides aspects of the configuration for this route. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -6246,6 +6263,50 @@ spec: pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. 
+ A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object processingMode: description: |- ProcessingMode describes which parts of an HTTP request and response are sent to a remote server @@ -7887,6 +7948,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -7934,6 +8000,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 531e1147ab5..7a1dc8dddf6 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -951,6 +951,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -998,6 +1003,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -4810,6 +4816,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -4857,6 +4868,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -6423,6 +6435,11 @@ spec: description: Overrides aspects of the configuration for this route. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -6466,6 +6483,50 @@ spec: pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. 
+ A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object processingMode: description: |- ProcessingMode describes which parts of an HTTP request and response are sent to a remote server @@ -8107,6 +8168,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -8154,6 +8220,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index e3a7de80efc..575d7cbb019 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -742,6 +742,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -789,6 +794,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -4601,6 +4607,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -4648,6 +4659,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -6214,6 +6226,11 @@ spec: description: Overrides aspects of the configuration for this route. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -6257,6 +6274,50 @@ spec: pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. 
+ A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object processingMode: description: |- ProcessingMode describes which parts of an HTTP request and response are sent to a remote server @@ -7898,6 +7959,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -7945,6 +8011,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index c9b5e13394c..7eeb078af36 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -767,6 +767,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -814,6 +819,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -4626,6 +4632,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -4673,6 +4684,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -6239,6 +6251,11 @@ spec: description: Overrides aspects of the configuration for this route. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -6282,6 +6299,50 @@ spec: pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. 
+ A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object processingMode: description: |- ProcessingMode describes which parts of an HTTP request and response are sent to a remote server @@ -7923,6 +7984,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -7970,6 +8036,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 8d1e0f0e0e6..753eb0e2e2c 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -951,6 +951,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -998,6 +1003,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -4810,6 +4816,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -4857,6 +4868,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- @@ -6423,6 +6435,11 @@ spec: description: Overrides aspects of the configuration for this route. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. 
@@ -6466,6 +6483,50 @@ spec: pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object + mutationRules: + description: |- + MutationRules specifies what headers may be manipulated by a processing filter. + This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil + properties: + allowAllRouting: + description: |- + By default, certain headers that could affect processing of subsequent + filters or request routing cannot be modified. These headers are + ``host``, ``:authority``, ``:scheme``, and ``:method``. + Setting this parameter to true allows these headers to be modified as well. + type: boolean + allowEnvoy: + description: |- + If true, allow modification of envoy internal headers. By default, these + start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` configuration. + Default is false. + type: boolean + disallowAll: + description: |- + If true, prevent modifications of all header values, regardless of any + other settings. A processing server may still override the ``:status`` + of an HTTP response using an ``ImmediateResponse`` message. + Default is false. + type: boolean + disallowIsError: + description: |- + If true, and if the rules in this list cause a header mutation to be + disallowed, then the filter using this configuration will terminate the + request with a 500 error. In addition, regardless of the setting of this + parameter, any attempt to set, add, or modify a disallowed header will + cause the ``rejected_header_mutations`` counter to be incremented. + Default is false. + type: boolean + disallowSystem: + description: |- + If true, prevent modification of any system header, defined as a header + that starts with a ``:`` character, regardless of any other settings. 
+ A processing server may still override the ``:status`` of an HTTP response + using an ``ImmediateResponse`` message. + Default is false. + type: boolean + type: object processingMode: description: |- ProcessingMode describes which parts of an HTTP request and response are sent to a remote server @@ -8107,6 +8168,11 @@ spec: If no phase is specified, it will be added before the Router. If no Priority is specified, the filters will be added in the order they appear in the list. properties: + allowModeOverride: + description: |- + If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + If false, `mode_override` API in the response message will be ignored. + type: boolean grpcService: description: GRPCService configure the gRPC service that the filter will communicate with. @@ -8154,6 +8220,7 @@ spec: description: |- MutationRules specifies what headers may be manipulated by a processing filter. This set of rules makes it possible to control which modifications a filter may make. + for Overrides is must be nil properties: allowAllRouting: description: |- diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 6a98268485e..dd93cf127f2 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -912,6 +912,10 @@ type ExtProc struct { // from internal to external authorization. FailOpen bool + // If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + // If false, `mode_override` API in the response message will be ignored. + AllowModeOverride bool + // Specifies default options for how HTTP headers, trailers, and bodies are sent. ProcessingMode *contour_v1.ProcessingMode diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index f34385e9497..ca5334c37b4 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go 
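Review bot: The new `AllowModeOverride` comment on `dag.ExtProc` carries a stray double backtick (`mode_override``) and does not state the default, and the same wording appears in the CRD descriptions earlier in this patch, so it should be fixed in the Go comment the CRDs are generated from rather than in the YAML. Suggested: `// AllowModeOverride, when true, lets the external processing server override the configured ProcessingMode via the mode_override field of its response; when false (the default) mode_override is ignored.` The ExtProc struct this field is added to starts outside the hunk.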
@@ -1157,7 +1157,7 @@ func (p *HTTPProxyProcessor) computeRoutes(
 }
 func toExtProcOverrides(
- override *contour_v1.ExtProcOverride,
+ override *contour_v1.ExtProc,
 validCond *contour_v1.DetailedCondition,
 defaultNamespace string,
 extClusterGetter func(name string) *ExtensionCluster,
@@ -1511,11 +1511,12 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProc(
 }
 return &ExtProc{
- ExtProcService: extSvc,
- ResponseTimeout: *respTimeout,
- FailOpen: grpcSvc.FailOpen,
- ProcessingMode: extProc.Processor.ProcessingMode,
- MutationRules: extProc.Processor.MutationRules,
+ ExtProcService: extSvc,
+ ResponseTimeout: *respTimeout,
+ FailOpen: grpcSvc.FailOpen,
+ AllowModeOverride: extProc.Processor.AllowModeOverride,
+ ProcessingMode: extProc.Processor.ProcessingMode,
+ MutationRules: extProc.Processor.MutationRules,
 }
 }
diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go
index 24691d1cd4a..8b8a1e9d2e3 100644
--- a/internal/envoy/v3/listener.go
+++ b/internal/envoy/v3/listener.go
@@ -840,7 +840,7 @@ func FilterExtProc(extProc *dag.ExtProc) *envoy_filter_network_http_connection_m
 MessageTimeout: envoy.Timeout(extProc.ResponseTimeout),
 MaxMessageTimeout: envoy.Timeout(extProc.ResponseTimeout),
 DisableClearRouteCache: false,
- AllowModeOverride: true,
+ AllowModeOverride: extProc.AllowModeOverride,
 MutationRules: &envoy_mutation_rules_v3.HeaderMutationRules{
 AllowAllRouting: &wrapperspb.BoolValue{Value: extProc.MutationRules.AllowAllRouting},
 AllowEnvoy: &wrapperspb.BoolValue{Value: extProc.MutationRules.AllowEnvoy},
diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go
index 78fc74ef04a..abd624e834a 100644
--- a/internal/xdscache/v3/listener.go
+++ b/internal/xdscache/v3/listener.go
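Review bot: In the FilterExtProc hunk, `extProc.MutationRules.AllowAllRouting` and `extProc.MutationRules.AllowEnvoy` dereference `MutationRules` unconditionally, yet `dag.ExtProc` carries it as a `*contour_v1.HeaderMutationRules` copied straight from the API object in the `computeVirtualHostExtProc` hunk above, and the deep-copy code and CRD schema both treat that field as optional, so a proxy that omits `mutationRules` would appear to panic here unless a nil guard exists before line 840, which is outside the hunk. Consider normalising a nil pointer to `&contour_v1.HeaderMutationRules{}` in the DAG before this point, or leaving Envoy's `MutationRules` unset when it is nil. Replacing the hard-coded `AllowModeOverride: true` with the field value also flips the effective default to false; that is the safer direction, since the remote server can no longer widen what Envoy sends it unless the operator opts in, but it is a behavior change that deserves a changelog entry and a "default is false" sentence in the field description. FilterExtProc begins outside the hunk.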
@@ -210,8 +210,9 @@ type GlobalExtProcConfig struct { ExtensionServiceConfig FailOpen bool - ProcessingMode *contour_v1.ProcessingMode - MutationRules *contour_v1.HeaderMutationRules + AllowModeOverride bool + ProcessingMode *contour_v1.ProcessingMode + MutationRules *contour_v1.HeaderMutationRules } // httpAccessLog returns the access log for the HTTP (non TLS) @@ -641,10 +642,11 @@ func toExtProc(p *GlobalExtProcConfig) *dag.ExtProc { Name: dag.ExtensionClusterName(p.ExtensionServiceConfig.ExtensionService), SNI: p.ExtensionServiceConfig.SNI, }, - FailOpen: p.FailOpen, - ResponseTimeout: p.ExtensionServiceConfig.Timeout, - ProcessingMode: p.ProcessingMode, - MutationRules: p.MutationRules, + FailOpen: p.FailOpen, + ResponseTimeout: p.ExtensionServiceConfig.Timeout, + ProcessingMode: p.ProcessingMode, + MutationRules: p.MutationRules, + AllowModeOverride: p.AllowModeOverride, } } From 23ae148432550a04e100fd158dee474431649abf Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 21 Mar 2024 17:38:52 +0800 Subject: [PATCH 27/31] fix comments Signed-off-by: gang.liu --- apis/projectcontour/v1/httpproxy.go | 7 ++---- examples/contour/01-crds.yaml | 24 +++++++------------ examples/render/contour-deployment.yaml | 24 +++++++------------ .../render/contour-gateway-provisioner.yaml | 24 +++++++------------ examples/render/contour-gateway.yaml | 24 +++++++------------ examples/render/contour.yaml | 24 +++++++------------ 6 files changed, 47 insertions(+), 80 deletions(-) diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go index 98dc0d5f4d0..fe3558146a0 100644 --- a/apis/projectcontour/v1/httpproxy.go +++ b/apis/projectcontour/v1/httpproxy.go 
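Review bot: The new `AllowModeOverride` field on `GlobalExtProcConfig` has no comment while its counterpart in `dag.ExtProc` does; suggest `// AllowModeOverride lets the external processing server override ProcessingMode via mode_override; false (the default) ignores it.` In the `toExtProc` hunk the literal lists `AllowModeOverride` after `MutationRules`, whereas the struct declares it before `ProcessingMode`; keeping the same order in both makes the field-by-field mapping easier to check at a glance. Both enclosing definitions start outside the hunk.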
@@ -502,12 +502,9 @@ type ExtProc struct { AllowModeOverride bool `json:"allowModeOverride,omitempty"` } -// ExternalProcessor defines a processing filter list and the policy for fine-grained at VirutalHost and/or Route level. +// ExternalProcessor defines a external processing filter and the policy for fine-grained at VirutalHost and/or Route level. type ExternalProcessor struct { - // Processor defines a processing filter list,and each filter in the list - // will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - // If no phase is specified, it will be added before the Router. - // If no Priority is specified, the filters will be added in the order they appear in the list. + // Processor defines a external processing filter which allows an external service to act on HTTP traffic in a flexible way. // // +optional Processor *ExtProc `json:"processor,omitempty"` diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index ca253137e6a..70e22a40fe7 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml @@ -725,11 +725,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter which + allows an external service to act on HTTP traffic in a flexible + way. properties: allowModeOverride: description: |- 
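Review bot: The reworded comments read `a external processing filter` and `VirutalHost`; since the CRD descriptions changed in the rest of this patch appear to be generated from these comments (the Makefile's generate-crd-yaml target), fixing the Go source once and regenerating is preferable to touching the YAML by hand. Suggested: `// ExternalProcessor defines an external processing filter and the policy for fine-grained control at VirtualHost and/or Route level.` and `// Processor defines an external processing filter which allows an external service to act on HTTP traffic in a flexible way.` The ExtProc struct whose tail opens this hunk starts outside it.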
@@ -4590,11 +4588,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- @@ -7942,11 +7938,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 7a1dc8dddf6..ccb47c4e92f 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -945,11 +945,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter which + allows an external service to act on HTTP traffic in a flexible + way. properties: allowModeOverride: description: |- @@ -4810,11 +4808,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- @@ -8162,11 +8158,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- 
diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 575d7cbb019..827e7826bf8 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -736,11 +736,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter which + allows an external service to act on HTTP traffic in a flexible + way. properties: allowModeOverride: description: |- @@ -4601,11 +4599,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- 
@@ -7953,11 +7949,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 7eeb078af36..a254c999e86 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -761,11 +761,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter which + allows an external service to act on HTTP traffic in a flexible + way. properties: allowModeOverride: description: |- 
@@ -4626,11 +4624,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- @@ -7978,11 +7974,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 753eb0e2e2c..43e22d1ae5f 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -945,11 +945,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter which + allows an external service to act on HTTP traffic in a flexible + way. properties: allowModeOverride: description: |- @@ -4810,11 +4808,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- @@ -8162,11 +8158,9 @@ spec: if both Disabled and Processor are set. use disabled. type: boolean processor: - description: |- - Processor defines a processing filter list,and each filter in the list - will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase. - If no phase is specified, it will be added before the Router. - If no Priority is specified, the filters will be added in the order they appear in the list. + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- 
From b1955c6e42e182825fb80cb23460f43626de2700 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Tue, 2 Apr 2024 18:21:10 +0800 Subject: [PATCH 28/31] refactor Signed-off-by: gang.liu --- Makefile | 3 +- apis/projectcontour/v1/helpers.go | 6 +- apis/projectcontour/v1/httpproxy.go | 53 +-- .../v1/zz_generated.deepcopy.go | 90 ++--- apis/projectcontour/v1alpha1/contourconfig.go | 4 +- .../v1alpha1/zz_generated.deepcopy.go | 6 +- cmd/contour/serve.go | 22 +- cmd/contour/servecontext.go | 29 +- examples/contour/01-crds.yaml | 331 +++++++++--------- examples/render/contour-deployment.yaml | 331 +++++++++--------- .../render/contour-gateway-provisioner.yaml | 331 +++++++++--------- examples/render/contour-gateway.yaml | 331 +++++++++--------- examples/render/contour.yaml | 331 +++++++++--------- internal/dag/httpproxy_processor.go | 46 ++- pkg/config/parameters.go | 40 ++- 15 files changed, 905 insertions(+), 1049 deletions(-) diff --git a/Makefile b/Makefile index 6cb045d51fb..76427d5d822 100644 --- a/Makefile +++ b/Makefile @@ -232,8 +232,7 @@ format: ## Run gofumpt to format the codebase. .PHONY: generate generate: ## Re-generate generated code and documentation -#generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go -generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-deployment generate-metrics-docs generate-uml generate-go +generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go .PHONY: generate-rbac generate-rbac: diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index e5ff1c17b86..8dbbf7b9090 100644 --- a/apis/projectcontour/v1/helpers.go +++ b/apis/projectcontour/v1/helpers.go 
@@ -53,17 +53,17 @@ func (v *VirtualHost) AuthorizationContext() map[string]string {
 // ExtProcConfigured returns whether external processing are
 // configured on this virtual host.
 func (v *VirtualHost) ExtProcConfigured() bool {
- return v.ExtProc != nil && v.ExtProc.Processor != nil
+ return v.ExternalProcessing != nil && v.ExternalProcessing.Processor != nil
 }
 // ExtProcDisabled returns true if this virtual host disables
 // external processing explicit. If an external processor is present, the default
 // policy is to not disable.
 func (v *VirtualHost) ExtProcDisabled() bool {
- if v.ExtProc == nil {
+ if v.ExternalProcessing == nil {
 return false
 }
- return v.ExtProc.Disabled
+ return v.ExternalProcessing.Disabled
 }
 // GetPrefixReplacements returns replacement prefixes from the path
diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go
index fe3558146a0..f664d8c8335 100644
--- a/apis/projectcontour/v1/httpproxy.go
+++ b/apis/projectcontour/v1/httpproxy.go
@@ -448,8 +448,10 @@ type ProcessingMode struct {
 ResponseTrailerMode HeaderSendMode `json:"responseTrailerMode,omitempty"`
 }
-// GRPCService configure the gRPC service that the filter will communicate with.
-type GRPCService struct {
+// ExternalProcessor defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way
+// The external server must implement the v3 Envoy external processing GRPC protocol
+// (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).
+type ExternalProcessor struct {
 // ExtensionServiceRef specifies the extension resource that will handle the client requests.
 //
 // +optional
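Review bot: The doc comments in the helpers.go hunk still read `returns whether external processing are configured` and `disables external processing explicit`, and the helper names keep the `ExtProc` prefix although the field they read is now `ExternalProcessing`. Suggested: `// ExtProcConfigured reports whether an external processor is configured on this virtual host.` and `// ExtProcDisabled reports whether this virtual host explicitly disables external processing; with no ExternalProcessing block present, processing is not disabled.` Renaming the helpers to match the field is optional but would keep the API surface consistent.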
@@ -470,16 +472,6 @@ type GRPCService struct {
 //
 // +optional
 FailOpen bool `json:"failOpen,omitempty"`
-}
-
-// ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way
-// The external server must implement the v3 Envoy external processing GRPC protocol
-// (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).
-type ExtProc struct {
- // GRPCService configure the gRPC service that the filter will communicate with.
- //
- // +optional
- GRPCService *GRPCService `json:"grpcService,omitempty"`
 // ProcessingMode describes which parts of an HTTP request and response are sent to a remote server
 // and how they are delivered.
@@ -502,15 +494,15 @@ type ExtProc struct {
 AllowModeOverride bool `json:"allowModeOverride,omitempty"`
 }
-// ExternalProcessor defines a external processing filter and the policy for fine-grained at VirutalHost and/or Route level.
-type ExternalProcessor struct {
+// ExternalProcessing defines a external processing filter and the policy to act on HTTP traffic in a flexible way.
+type ExternalProcessing struct {
 // Processor defines a external processing filter which allows an external service to act on HTTP traffic in a flexible way.
 //
 // +optional
- Processor *ExtProc `json:"processor,omitempty"`
+ Processor *ExternalProcessor `json:"processor,omitempty"`
- // When true, this field disables the external processor: (neither global nor virtualHost)
- // for the scope of the policy.
+ // When true, this field disables the external processor for the scope of the policy.
+ // - for global: no external processing will be append to the filter chain
 //
 // if both Disabled and Processor are set. use disabled.
 //
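Review bot: The new `Disabled` comment in the `ExternalProcessing` hunk says `will be append to the filter chain`, and the precedence sentence `if both Disabled and Processor are set. use disabled.` is hard to parse for an API consumer. Suggested replacement for the block: `// When true, this field disables external processing for the scope of the policy; for the global configuration no ext_proc filter is added to the filter chain. If both Disabled and Processor are set, Disabled takes precedence.` The first hunk only removes the old `ExtProc` wrapper; the struct it leaves behind (now `ExternalProcessor`) begins and ends outside it.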
@@ -518,22 +510,6 @@ type ExternalProcessor struct {
 Disabled bool `json:"disabled,omitempty"`
 }
-// ExtProcPolicy modifies how requests/responses are operated.
-type ExtProcPolicy struct {
- // When true, this field disables the specific client request external processor
- // for the scope of the policy.
- //
- // if both disabled and overrides are set. use disabled.
- //
- // +optional
- Disabled bool `json:"disabled,omitempty"`
-
- // Overrides aspects of the configuration for this route.
- //
- // +optional
- Overrides *ExtProc `json:"overrides,omitempty"`
-}
-
 // VirtualHost appears at most once. If it is present, the object is considered
 // to be a "root".
 type VirtualHost struct {
@@ -582,11 +558,11 @@ type VirtualHost struct {
 // The rules defined here may be overridden in a Route.
 IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"`
- // ExtProc which allow to act on HTTP traffic in a flexible way
- // and the policy for fine-grained at VirtualHost level.
+ // ExternalProcessing defines a external processing filter and the policy
+ // to act on HTTP traffic in a flexible way.
 //
 // +optional
- ExtProc *ExternalProcessor `json:"extProc,omitempty"`
+ ExternalProcessing *ExternalProcessing `json:"externalProcessing,omitempty"`
 }
 // JWTProvider defines how to verify JWTs on requests.
@@ -855,11 +831,10 @@ type Route struct {
 // The rules defined here override any rules set on the root HTTPProxy.
 IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"`
- // ExtProcPolicy updates the external processing policy that were set
- // on the root HTTPProxy object for client requests/responses
+ // ExternalProcessing override/disable the policy to act on HTTP traffic for the specific route in a flexible way.
 //
 // +optional
- ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"`
+ ExternalProcessing *ExternalProcessing `json:"externalProcessing,omitempty"`
 }
 type JWTVerificationPolicy struct {
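Review bot: The Route-level `ExternalProcessing` comment says `override/disable the policy` but does not say whether a route-level `Processor` replaces the virtual-host processor wholesale or only the fields that are set; the removed `ExtProcPolicy.Overrides` wording (`Overrides aspects of the configuration`) implied partial override, and the merge logic is not in this hunk, so the comment should state whichever behavior is implemented. Suggested: `// ExternalProcessing overrides or disables, for this route only, the external processing policy set on the root HTTPProxy.` The VirtualHost and Route structs both start outside their hunks.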
diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go index 57171908c07..3709093279b 100644 --- a/apis/projectcontour/v1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1/zz_generated.deepcopy.go @@ -268,56 +268,6 @@ func (in *DownstreamValidation) DeepCopy() *DownstreamValidation { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ExtProc) DeepCopyInto(out *ExtProc) { - *out = *in - if in.GRPCService != nil { - in, out := &in.GRPCService, &out.GRPCService - *out = new(GRPCService) - **out = **in - } - if in.ProcessingMode != nil { - in, out := &in.ProcessingMode, &out.ProcessingMode - *out = new(ProcessingMode) - **out = **in - } - if in.MutationRules != nil { - in, out := &in.MutationRules, &out.MutationRules - *out = new(HeaderMutationRules) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProc. -func (in *ExtProc) DeepCopy() *ExtProc { - if in == nil { - return nil - } - out := new(ExtProc) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ExtProcPolicy) DeepCopyInto(out *ExtProcPolicy) { - *out = *in - if in.Overrides != nil { - in, out := &in.Overrides, &out.Overrides - *out = new(ExtProc) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProcPolicy. -func (in *ExtProcPolicy) DeepCopy() *ExtProcPolicy { - if in == nil { - return nil - } - out := new(ExtProcPolicy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtensionServiceReference) DeepCopyInto(out *ExtensionServiceReference) { *out = *in 
@@ -334,37 +284,47 @@ func (in *ExtensionServiceReference) DeepCopy() *ExtensionServiceReference { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ExternalProcessor) DeepCopyInto(out *ExternalProcessor) { +func (in *ExternalProcessing) DeepCopyInto(out *ExternalProcessing) { *out = *in if in.Processor != nil { in, out := &in.Processor, &out.Processor - *out = new(ExtProc) + *out = new(ExternalProcessor) (*in).DeepCopyInto(*out) } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalProcessor. -func (in *ExternalProcessor) DeepCopy() *ExternalProcessor { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalProcessing. +func (in *ExternalProcessing) DeepCopy() *ExternalProcessing { if in == nil { return nil } - out := new(ExternalProcessor) + out := new(ExternalProcessing) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GRPCService) DeepCopyInto(out *GRPCService) { +func (in *ExternalProcessor) DeepCopyInto(out *ExternalProcessor) { *out = *in out.ExtensionServiceRef = in.ExtensionServiceRef + if in.ProcessingMode != nil { + in, out := &in.ProcessingMode, &out.ProcessingMode + *out = new(ProcessingMode) + **out = **in + } + if in.MutationRules != nil { + in, out := &in.MutationRules, &out.MutationRules + *out = new(HeaderMutationRules) + **out = **in + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCService. -func (in *GRPCService) DeepCopy() *GRPCService { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalProcessor. +func (in *ExternalProcessor) DeepCopy() *ExternalProcessor { if in == nil { return nil } - out := new(GRPCService) + out := new(ExternalProcessor) in.DeepCopyInto(out) return out } 
@@ -1248,9 +1208,9 @@ func (in *Route) DeepCopyInto(out *Route) { *out = make([]IPFilterPolicy, len(*in)) copy(*out, *in) } - if in.ExtProcPolicy != nil { - in, out := &in.ExtProcPolicy, &out.ExtProcPolicy - *out = new(ExtProcPolicy) + if in.ExternalProcessing != nil { + in, out := &in.ExternalProcessing, &out.ExternalProcessing + *out = new(ExternalProcessing) (*in).DeepCopyInto(*out) } } @@ -1612,9 +1572,9 @@ func (in *VirtualHost) DeepCopyInto(out *VirtualHost) { *out = make([]IPFilterPolicy, len(*in)) copy(*out, *in) } - if in.ExtProc != nil { - in, out := &in.ExtProc, &out.ExtProc - *out = new(ExternalProcessor) + if in.ExternalProcessing != nil { + in, out := &in.ExternalProcessing, &out.ExternalProcessing + *out = new(ExternalProcessing) (*in).DeepCopyInto(*out) } } diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index 9a23eea7998..2d5d2ccdd81 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go @@ -92,10 +92,10 @@ type ContourConfigurationSpec struct { // data from the k8s endpoints. FeatureFlags FeatureFlags `json:"featureFlags,omitempty"` - // GlobalExtProc allows envoys external processing filter + // GlobalExternalProcessing allows envoys external processing filter // to be enabled for all virtual hosts. // +optional - GlobalExtProc *contour_v1.ExternalProcessor `json:"globalExtProc,omitempty"` + GlobalExternalProcessing *contour_v1.ExternalProcessing `json:"globalExternalProcessing,omitempty"` } // FeatureFlags defines the set of feature flags diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go index 2e58e59b583..f075bd92db1 100644 --- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go 
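Review bot: In the contourconfig.go hunk the serialized key changes from `globalExtProc` to `globalExternalProcessing`; any ContourConfiguration already using the old key would most likely have it pruned silently by the API server rather than rejected, so external processing would quietly turn off for that installation. If the old key never shipped in a release this is fine; otherwise the changelog should call the rename out. The deepcopy hunks on this line are generated and need no review.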
@@ -214,9 +214,9 @@ func (in *ContourConfigurationSpec) DeepCopyInto(out *ContourConfigurationSpec) *out = make(FeatureFlags, len(*in)) copy(*out, *in) } - if in.GlobalExtProc != nil { - in, out := &in.GlobalExtProc, &out.GlobalExtProc - *out = new(v1.ExternalProcessor) + if in.GlobalExternalProcessing != nil { + in, out := &in.GlobalExternalProcessing, &out.GlobalExternalProcessing + *out = new(v1.ExternalProcessing) (*in).DeepCopyInto(*out) } } diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index d7b285a23b0..b1ee6bcd0a5 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -576,7 +576,7 @@ func (s *Server) doServe() error { globalRateLimitService: contourConfiguration.RateLimitService, maxRequestsPerConnection: contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection, perConnectionBufferLimitBytes: contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes, - globalExtProc: contourConfiguration.GlobalExtProc, + globalExternalProcessing: contourConfiguration.GlobalExternalProcessing, globalCircuitBreakerDefaults: contourConfiguration.Envoy.Cluster.GlobalCircuitBreakerDefaults, upstreamTLS: &dag.UpstreamTLS{ MinimumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MinimumProtocolVersion, "1.2"), 
@@ -890,24 +890,22 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_ } func (s *Server) setupGlobalExtProc(contourCfg contour_v1alpha1.ContourConfigurationSpec) (*xdscache_v3.GlobalExtProcConfig, error) { - extProc := contourCfg.GlobalExtProc - if extProc == nil || extProc.Disabled || extProc.Processor == nil || extProc.Processor.GRPCService == nil { + extProc := contourCfg.GlobalExternalProcessing + if extProc == nil || extProc.Disabled || extProc.Processor == nil { return nil, nil } - grpcSvc := extProc.Processor.GRPCService - // ensure the specified ExtensionService exists - extSvcCfg, err := s.getExtensionSvcConfig(grpcSvc.ExtensionServiceRef.Name, grpcSvc.ExtensionServiceRef.Namespace) + extSvcCfg, err := s.getExtensionSvcConfig(extProc.Processor.ExtensionServiceRef.Name, extProc.Processor.ExtensionServiceRef.Namespace) if err != nil { return nil, err } return &xdscache_v3.GlobalExtProcConfig{ ExtensionServiceConfig: extSvcCfg, - FailOpen: grpcSvc.FailOpen, - ProcessingMode: contourCfg.GlobalExtProc.Processor.ProcessingMode, - MutationRules: contourCfg.GlobalExtProc.Processor.MutationRules, - AllowModeOverride: contourCfg.GlobalExtProc.Processor.AllowModeOverride, + FailOpen: extProc.Processor.FailOpen, + ProcessingMode: contourCfg.GlobalExternalProcessing.Processor.ProcessingMode, + MutationRules: contourCfg.GlobalExternalProcessing.Processor.MutationRules, + AllowModeOverride: contourCfg.GlobalExternalProcessing.Processor.AllowModeOverride, }, nil } @@ -1090,7 +1088,7 @@ type dagBuilderConfig struct { maxRequestsPerConnection *uint32 perConnectionBufferLimitBytes *uint32 globalRateLimitService *contour_v1alpha1.RateLimitServiceConfig - globalExtProc *contour_v1.ExternalProcessor + globalExternalProcessing *contour_v1.ExternalProcessing globalCircuitBreakerDefaults *contour_v1alpha1.GlobalCircuitBreakerDefaults upstreamTLS *dag.UpstreamTLS } 
@@ -1187,7 +1185,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { GlobalRateLimitService: dbc.globalRateLimitService, PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes, SetSourceMetadataOnRoutes: true, - GlobalExtProc: dbc.globalExtProc, + GlobalExternalProcessing: dbc.globalExternalProcessing, GlobalCircuitBreakerDefaults: dbc.globalCircuitBreakerDefaults, UpstreamTLS: dbc.upstreamTLS, }, diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go index 1b557499053..c900e7116cc 100644 --- a/cmd/contour/servecontext.go +++ b/cmd/contour/servecontext.go 
@@ -457,23 +457,24 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co } } - var globalExtProc *contour_v1.ExternalProcessor - if ctx.Config.GlobalExtProc != nil { + var globalExtProc *contour_v1.ExternalProcessing + if ctx.Config.GlobalExternalProcessing != nil { // disabled or no processor, ignore it - if !ctx.Config.GlobalExtProc.Disabled && ctx.Config.GlobalExtProc.Processor != nil { - extProc := ctx.Config.GlobalExtProc.Processor + if !ctx.Config.GlobalExternalProcessing.Disabled && ctx.Config.GlobalExternalProcessing.Processor != nil { + extProc := ctx.Config.GlobalExternalProcessing.Processor nsedName := k8s.NamespacedNameFrom(extProc.ExtensionService) - globalExtProc = &contour_v1.ExternalProcessor{ - Processor: &contour_v1.ExtProc{ - GRPCService: &contour_v1.GRPCService{ - ExtensionServiceRef: contour_v1.ExtensionServiceReference{ - Name: nsedName.Name, - Namespace: nsedName.Namespace, - }, - ResponseTimeout: extProc.ResponseTimeout, - FailOpen: extProc.FailOpen, + globalExtProc = &contour_v1.ExternalProcessing{ + Processor: &contour_v1.ExternalProcessor{ + ExtensionServiceRef: contour_v1.ExtensionServiceReference{ + Name: nsedName.Name, + Namespace: nsedName.Namespace, }, + ResponseTimeout: extProc.ResponseTimeout, + FailOpen: extProc.FailOpen, + AllowModeOverride: extProc.AllowModeOverride, + ProcessingMode: extProc.ProcessingMode, + MutationRules: extProc.MutationRules, }, } } @@ -612,7 +613,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co }, EnableExternalNameService: &ctx.Config.EnableExternalNameService, GlobalExternalAuthorization: globalExtAuth, - GlobalExtProc: globalExtProc, + GlobalExternalProcessing: globalExtProc, RateLimitService: rateLimitService, Policy: policy, Metrics: &contourMetrics, diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 70e22a40fe7..01a8d19bb91 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml 
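Review bot: The local `globalExtProc` in convertToContourConfigurationSpec now holds a `*contour_v1.ExternalProcessing` and is assigned to the `GlobalExternalProcessing` field, yet its name keeps the old `ExtProc` spelling that the commit retires elsewhere; `var globalExternalProcessing *contour_v1.ExternalProcessing` keeps the conversion readable next to the field it populates. The `// disabled or no processor, ignore it` comment could state the consequence for operators, e.g. `// Disabled, or no processor configured: leave the spec field nil so no global external processor is set up.`, which matches setupGlobalExtProc treating a nil spec as "no global processor". The function starts outside this hunk, so I cannot see whether `ctx.Config.GlobalExternalProcessing.Processor.ExtensionService` is validated to be non-empty before `k8s.NamespacedNameFrom` is called on it; if pkg/config does not already reject an empty value, an empty name and namespace would reach the ExtensionService lookup downstream with only that lookup's error to explain the misconfiguration.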
@@ -713,15 +713,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -734,49 +734,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that the - filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -889,6 +876,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -4576,15 +4571,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -4597,49 +4592,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -4752,6 +4734,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -6196,69 +6186,57 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: - description: |- - ExtProcPolicy updates the external processing policy that were set - on the root HTTPProxy object for client requests/responses + externalProcessing: + description: ExternalProcessing override/disable the policy + to act on HTTP traffic for the specific route in a flexible + way. properties: disabled: description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain + if both Disabled and Processor are set. use disabled. type: boolean - overrides: - description: Overrides aspects of the configuration for - this route. + processor: + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -6371,6 +6349,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object healthCheckPolicy: @@ -7926,15 +7912,15 @@ spec: - allowMethods - allowOrigin type: object - extProc: + externalProcessing: description: |- - ExtProc which allow to act on HTTP traffic in a flexible way - and the policy for fine-grained at VirtualHost level. + ExternalProcessing defines a external processing filter and the policy + to act on HTTP traffic in a flexible way. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -7947,49 +7933,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -8102,6 +8075,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object fqdn: diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index ccb47c4e92f..ad3e4e3bfb1 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -933,15 +933,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -954,49 +954,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that the - filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -1109,6 +1096,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -4796,15 +4791,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -4817,49 +4812,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -4972,6 +4954,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -6416,69 +6406,57 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: - description: |- - ExtProcPolicy updates the external processing policy that were set - on the root HTTPProxy object for client requests/responses + externalProcessing: + description: ExternalProcessing override/disable the policy + to act on HTTP traffic for the specific route in a flexible + way. properties: disabled: description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain + if both Disabled and Processor are set. use disabled. type: boolean - overrides: - description: Overrides aspects of the configuration for - this route. + processor: + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -6591,6 +6569,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object healthCheckPolicy: @@ -8146,15 +8132,15 @@ spec: - allowMethods - allowOrigin type: object - extProc: + externalProcessing: description: |- - ExtProc which allow to act on HTTP traffic in a flexible way - and the policy for fine-grained at VirtualHost level. + ExternalProcessing defines a external processing filter and the policy + to act on HTTP traffic in a flexible way. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -8167,49 +8153,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -8322,6 +8295,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object fqdn: diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 827e7826bf8..63a27d2a144 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -724,15 +724,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -745,49 +745,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that the - filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -900,6 +887,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -4587,15 +4582,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -4608,49 +4603,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -4763,6 +4745,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -6207,69 +6197,57 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: - description: |- - ExtProcPolicy updates the external processing policy that were set - on the root HTTPProxy object for client requests/responses + externalProcessing: + description: ExternalProcessing override/disable the policy + to act on HTTP traffic for the specific route in a flexible + way. properties: disabled: description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain + if both Disabled and Processor are set. use disabled. type: boolean - overrides: - description: Overrides aspects of the configuration for - this route. + processor: + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -6382,6 +6360,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object healthCheckPolicy: @@ -7937,15 +7923,15 @@ spec: - allowMethods - allowOrigin type: object - extProc: + externalProcessing: description: |- - ExtProc which allow to act on HTTP traffic in a flexible way - and the policy for fine-grained at VirtualHost level. + ExternalProcessing defines a external processing filter and the policy + to act on HTTP traffic in a flexible way. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -7958,49 +7944,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -8113,6 +8086,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object fqdn: diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index a254c999e86..2c547e9604e 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -749,15 +749,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -770,49 +770,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that the - filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -925,6 +912,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -4612,15 +4607,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -4633,49 +4628,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -4788,6 +4770,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -6232,69 +6222,57 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: - description: |- - ExtProcPolicy updates the external processing policy that were set - on the root HTTPProxy object for client requests/responses + externalProcessing: + description: ExternalProcessing override/disable the policy + to act on HTTP traffic for the specific route in a flexible + way. properties: disabled: description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain + if both Disabled and Processor are set. use disabled. type: boolean - overrides: - description: Overrides aspects of the configuration for - this route. + processor: + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -6407,6 +6385,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object healthCheckPolicy: @@ -7962,15 +7948,15 @@ spec: - allowMethods - allowOrigin type: object - extProc: + externalProcessing: description: |- - ExtProc which allow to act on HTTP traffic in a flexible way - and the policy for fine-grained at VirtualHost level. + ExternalProcessing defines a external processing filter and the policy + to act on HTTP traffic in a flexible way. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -7983,49 +7969,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -8138,6 +8111,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object fqdn: diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 43e22d1ae5f..86c7d516232 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -933,15 +933,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -954,49 +954,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that the - filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -1109,6 +1096,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -4796,15 +4791,15 @@ spec: type: boolean type: object type: object - globalExtProc: + globalExternalProcessing: description: |- - GlobalExtProc allows envoys external processing filter + GlobalExternalProcessing allows envoys external processing filter to be enabled for all virtual hosts. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -4817,49 +4812,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -4972,6 +4954,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object health: 
@@ -6416,69 +6406,57 @@ spec: enableWebsockets: description: Enables websocket support for the route. type: boolean - extProcPolicy: - description: |- - ExtProcPolicy updates the external processing policy that were set - on the root HTTPProxy object for client requests/responses + externalProcessing: + description: ExternalProcessing override/disable the policy + to act on HTTP traffic for the specific route in a flexible + way. properties: disabled: description: |- - When true, this field disables the specific client request external processor - for the scope of the policy. - if both disabled and overrides are set. use disabled. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain + if both Disabled and Processor are set. use disabled. type: boolean - overrides: - description: Overrides aspects of the configuration for - this route. + processor: + description: Processor defines a external processing filter + which allows an external service to act on HTTP traffic + in a flexible way. properties: allowModeOverride: description: |- If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service - that the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. 
+ type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -6591,6 +6569,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object healthCheckPolicy: @@ -8146,15 +8132,15 @@ spec: - allowMethods - allowOrigin type: object - extProc: + externalProcessing: description: |- - ExtProc which allow to act on HTTP traffic in a flexible way - and the policy for fine-grained at VirtualHost level. + ExternalProcessing defines a external processing filter and the policy + to act on HTTP traffic in a flexible way. properties: disabled: description: |- - When true, this field disables the external processor: (neither global nor virtualHost) - for the scope of the policy. + When true, this field disables the external processor for the scope of the policy. + - for global: no external processing will be append to the filter chain if both Disabled and Processor are set. use disabled. type: boolean processor: 
@@ -8167,49 +8153,36 @@ spec: If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. If false, `mode_override` API in the response message will be ignored. type: boolean - grpcService: - description: GRPCService configure the gRPC service that - the filter will communicate with. + extensionRef: + description: ExtensionServiceRef specifies the extension + resource that will handle the client requests. properties: - extensionRef: - description: ExtensionServiceRef specifies the extension - resource that will handle the client requests. - properties: - apiVersion: - description: |- - API version of the referent. - If this field is not specified, the default "projectcontour.io/v1alpha1" will be used - minLength: 1 - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - minLength: 1 - type: string - namespace: - description: |- - Namespace of the referent. - If this field is not specifies, the namespace of the resource that targets the referent will be used. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - type: object - failOpen: + apiVersion: description: |- - If FailOpen is true, the client request is forwarded to the upstream service - even if the server fails to respond. This field should not be - set in most cases. - type: boolean - responseTimeout: + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used + minLength: 1 + type: string + name: description: |- - ResponseTimeout sets how long the proxy should wait for responses. - Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- The string "infinity" is also a valid input and specifies no timeout. - pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + minLength: 1 type: string type: object + failOpen: + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the server fails to respond. This field should not be + set in most cases. + type: boolean mutationRules: description: |- MutationRules specifies what headers may be manipulated by a processing filter. @@ -8322,6 +8295,14 @@ spec: - SKIP type: string type: object + responseTimeout: + description: |- + ResponseTimeout sets how long the proxy should wait for responses. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string type: object type: object fqdn: diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index ca5334c37b4..cd58f9a702b 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go 
@@ -120,8 +120,8 @@ type HTTPProxyProcessor struct { // and cipher suites for upstream connections. UpstreamTLS *UpstreamTLS - // GlobalExtProc defines how requests/responses will be operatred - GlobalExtProc *contour_v1.ExternalProcessor + // GlobalExternalProcessing defines how requests/responses will be operatred + GlobalExternalProcessing *contour_v1.ExternalProcessing } // Run translates HTTPProxies into DAG objects and @@ -205,9 +205,8 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { return } - extProc := proxy.Spec.VirtualHost.ExtProc - if extProc != nil && extProc.Processor != nil && extProc.Processor.GRPCService != nil && - proxy.Spec.VirtualHost.TLS == nil && len(extProc.Processor.GRPCService.ExtensionServiceRef.Name) > 0 { + extProc := proxy.Spec.VirtualHost.ExternalProcessing + if proxy.Spec.VirtualHost.TLS == nil && extProc != nil && extProc.Processor != nil && len(extProc.Processor.ExtensionServiceRef.Name) > 0 { validCond.AddError(contour_v1.ConditionTypeExtProcError, "VirtualHostExtProcNotPermitted", "Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS") return @@ -572,8 +571,8 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_v1.HTTPProxy) { _ = p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, proxy) } - if p.GlobalExtProc != nil && !proxy.Spec.VirtualHost.ExtProcDisabled() { - _ = p.computeVirtualHostExtProc(p.GlobalExtProc, validCond, proxy) + if p.GlobalExternalProcessing != nil && !proxy.Spec.VirtualHost.ExtProcDisabled() { + _ = p.computeVirtualHostExtProc(p.GlobalExternalProcessing.Processor, validCond, proxy) } insecure.IPFilterAllow, insecure.IPFilterRules, err = toIPFilterRules(proxy.Spec.VirtualHost.IPAllowFilterPolicy, proxy.Spec.VirtualHost.IPDenyFilterPolicy, validCond) 
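Review bot: The status message in the `@@ -205` hunk still names a field path that no longer exists — `Spec.VirtualHost.ExternalProcessor.Processors[*].ExtensionServiceRef` — while the condition is now evaluated on `Spec.VirtualHost.ExternalProcessing.Processor.ExtensionServiceRef` (the CRDs in this patch call it `externalProcessing.processor.extensionRef`), so users reading the `VirtualHostExtProcNotPermitted` condition are pointed at a field they cannot set. Suggest `"Spec.VirtualHost.ExternalProcessing.Processor.ExtensionServiceRef can only be defined for root HTTPProxies that terminate TLS"`. The `len(extProc.Processor.ExtensionServiceRef.Name) > 0` clause also lets a processor with an empty ref on a non-TLS virtual host fall through this check silently; if that case is meant to be caught later by validateExtensionService, a one-line comment here saying so would save the next reader the search. computeHTTPProxy continues outside the hunk.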
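Review bot: In the `@@ -572` hunk `p.GlobalExternalProcessing.Processor` is handed to computeVirtualHostExtProc without a nil check, yet the new `globalExternalProcessing` schema in this patch makes `processor` optional next to `disabled`, so a configuration carrying only `disabled: true` (or an empty block) yields a nil `*ExternalProcessor` that the callee dereferences on its first statement (`extProc.ExtensionServiceRef`) — a panic in the DAG builder, i.e. a control-plane crash reachable from configuration. The global `Disabled` flag is also not consulted here, only the virtual host's `ExtProcDisabled()`. Unless servecontext normalises both away before the processor is constructed (not visible in this patch), gate the call: `if p.GlobalExternalProcessing != nil && p.GlobalExternalProcessing.Processor != nil && !p.GlobalExternalProcessing.Disabled && !proxy.Spec.VirtualHost.ExtProcDisabled() {`. If the global `disabled` is instead honoured in the listener builder, a comment on this line stating that would keep the two code paths from drifting.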
@@ -907,16 +906,16 @@ func (p *HTTPProxyProcessor) computeRoutes( // If the enclosing root proxy enabled external processing, // enable it on the route and propagate defaults // downwards. - if !rootProxy.Spec.VirtualHost.ExtProcDisabled() && route.ExtProcPolicy != nil { + if !rootProxy.Spec.VirtualHost.ExtProcDisabled() && route.ExternalProcessing != nil { // Take the default for enabling external processing // from the virtual host. If this route has a // policy, let that override. var overrides *ExtProcOverrides - disabled := route.ExtProcPolicy.Disabled - if !disabled && route.ExtProcPolicy.Overrides != nil { - overrides = toExtProcOverrides(route.ExtProcPolicy.Overrides, validCond, proxy.Namespace, p.dag.GetExtensionCluster) + disabled := route.ExternalProcessing.Disabled + if !disabled && route.ExternalProcessing.Processor != nil { + overrides = toExtProcOverrides(route.ExternalProcessing.Processor, validCond, proxy.Namespace, p.dag.GetExtensionCluster) if overrides == nil { return nil } @@ -1157,13 +1156,13 @@ func (p *HTTPProxyProcessor) computeRoutes( } func toExtProcOverrides( - override *contour_v1.ExtProc, + override *contour_v1.ExternalProcessor, validCond *contour_v1.DetailedCondition, defaultNamespace string, extClusterGetter func(name string) *ExtensionCluster, ) *ExtProcOverrides { ok, extSvc := validateExtensionService( - defaultExtensionRef(override.GRPCService.ExtensionServiceRef), + defaultExtensionRef(override.ExtensionServiceRef), validCond, defaultNamespace, contour_v1.ConditionTypeExtProcError, @@ -1173,7 +1172,7 @@ func toExtProcOverrides( } ok, respTimeout := determineExtensionServiceTimeout( contour_v1.ConditionTypeExtProcError, - override.GRPCService.ResponseTimeout, + override.ResponseTimeout, validCond, extSvc) if !ok { 
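Review bot: The route-level override in the @@ -907 hunk is gated only on `!rootProxy.Spec.VirtualHost.ExtProcDisabled()`, which (per the helper rewritten later in this series) is also false when the root virtual host has no `externalProcessing` at all, so a route with `externalProcessing.processor` on a root that configures neither a virtual-host nor a global processor still has overrides computed. Whether that produces a per-route filter config for a filter that was never added to the listener chain depends on code outside this hunk and is worth confirming; if so, the gate should also require that a virtual-host or global processor is configured, or a validCond error should be recorded. Similarly, a non-nil `route.ExternalProcessing` with neither `Disabled` nor `Processor` set is silently a no-op here, which the API docs do not mention. computeRoutes begins and ends outside the hunk.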
@@ -1495,9 +1494,8 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProc( validCond *contour_v1.DetailedCondition, httpproxy *contour_v1.HTTPProxy, ) *ExtProc { - grpcSvc := extProc.Processor.GRPCService ok, extSvc := validateExtensionService( - defaultExtensionRef(grpcSvc.ExtensionServiceRef), + defaultExtensionRef(extProc.ExtensionServiceRef), validCond, httpproxy.Namespace, contour_v1.ConditionTypeExtProcError, @@ -1505,7 +1503,7 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProc( if !ok { return nil } - ok, respTimeout := determineExtensionServiceTimeout(contour_v1.ConditionTypeExtProcError, grpcSvc.ResponseTimeout, validCond, extSvc) + ok, respTimeout := determineExtensionServiceTimeout(contour_v1.ConditionTypeExtProcError, extProc.ResponseTimeout, validCond, extSvc) if !ok { return nil } @@ -1513,10 +1511,10 @@ func (p *HTTPProxyProcessor) computeVirtualHostExtProc( return &ExtProc{ ExtProcService: extSvc, ResponseTimeout: *respTimeout, - FailOpen: grpcSvc.FailOpen, - AllowModeOverride: extProc.Processor.AllowModeOverride, - ProcessingMode: extProc.Processor.ProcessingMode, - MutationRules: extProc.Processor.MutationRules, + FailOpen: extProc.FailOpen, + AllowModeOverride: extProc.AllowModeOverride, + ProcessingMode: extProc.ProcessingMode, + MutationRules: extProc.MutationRules, } } 
@@ -1602,10 +1600,10 @@ func (p *HTTPProxyProcessor) computeSecureVirtualHostExtProc( ) if httpproxy.Spec.VirtualHost.ExtProcConfigured() { computed = true - ep = p.computeVirtualHostExtProc(httpproxy.Spec.VirtualHost.ExtProc, validCond, httpproxy) - } else if p.GlobalExtProc != nil { + ep = p.computeVirtualHostExtProc(httpproxy.Spec.VirtualHost.ExternalProcessing.Processor, validCond, httpproxy) + } else if p.GlobalExternalProcessing != nil && p.GlobalExternalProcessing.Processor != nil { computed = true - ep = p.computeVirtualHostExtProc(p.GlobalExtProc, validCond, httpproxy) + ep = p.computeVirtualHostExtProc(p.GlobalExternalProcessing.Processor, validCond, httpproxy) } if computed && ep == nil { return false diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index 48f6691a391..d0e4fbcba6b 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -713,8 +713,8 @@ type Parameters struct { // data from the k8s endpoints. FeatureFlags []string `yaml:"featureFlags,omitempty"` - // GlobalExtProc optionally holds properties of the global external processing configurations. - GlobalExtProc *GlobalExternalProcessor `yaml:"globalExtProc,omitempty"` + // GlobalExternalProcessing optionally holds properties of the global external processing configurations. + GlobalExternalProcessing *GlobalExternalProcessing `yaml:"globalExternalProcessing,omitempty"` } // Tracing defines properties for exporting trace data to OpenTelemetry. 
@@ -823,35 +823,55 @@ type GlobalAuthorizationPolicy struct { Context map[string]string `yaml:"context,omitempty"` } -// The External Processing filter allows an external service to act on HTTP traffic in a flexible way -// The external server must implement the v3 Envoy -// external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). +// ExternalProcessor defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way +// The external server must implement the v3 Envoy external processing GRPC protocol +// (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). type ExternalProcessor struct { // ExtensionService identifies the extension service defining the RLS, // formatted as /. ExtensionService string `yaml:"extensionService,omitempty"` - // ResponseTimeout configures maximum time to wait for a check response from the expProc server. + // ResponseTimeout sets how long the proxy should wait for responses. // Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". // The string "infinity" is also a valid input and specifies no timeout. // // +optional + // +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$` ResponseTimeout string `yaml:"responseTimeout,omitempty"` // If FailOpen is true, the client request is forwarded to the upstream service - // even if the authorization server fails to respond. This field should not be - // set in most cases. It is intended for use only while migrating applications - // from internal authorization to Contour external authorization. + // even if the server fails to respond. This field should not be + // set in most cases. 
// // +optional FailOpen bool `yaml:"failOpen,omitempty"` + + // ProcessingMode describes which parts of an HTTP request and response are sent to a remote server + // and how they are delivered. + // + // +optional + ProcessingMode *contour_v1.ProcessingMode `yaml:"processingMode,omitempty"` + + // MutationRules specifies what headers may be manipulated by a processing filter. + // This set of rules makes it possible to control which modifications a filter may make. + // + // for Overrides is must be nil + // + // +optional + MutationRules *contour_v1.HeaderMutationRules `yaml:"mutationRules,omitempty"` + + // If true, the filter config processingMode can be overridden by the response message from the external processing server `mode_override``. + // If false, `mode_override` API in the response message will be ignored. + // + // +optional + AllowModeOverride bool `yaml:"allowModeOverride,omitempty"` } // The External Processing filter allows an external service to act on HTTP traffic in a flexible way // The external server must implement the v3 Envoy // external processing GRPC protocol (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto). -type GlobalExternalProcessor struct { +type GlobalExternalProcessing struct { // Processor configures the global external processing // // +optional From ea39c991f8a2de97ea0e6d116f28d98ae362266d Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Wed, 3 Apr 2024 11:31:24 +0800 Subject: [PATCH 29/31] make generate Signed-off-by: gang.liu --- examples/gateway/00-crds.yaml | 2 +- .../render/contour-gateway-provisioner.yaml | 1 + examples/render/contour-gateway.yaml | 1 + .../docs/main/config/api-reference.html | 403 +++++------------- 4 files changed, 108 insertions(+), 299 deletions(-) diff --git a/examples/gateway/00-crds.yaml b/examples/gateway/00-crds.yaml index 73dde95928d..bbb71f11f65 100644 --- a/examples/gateway/00-crds.yaml +++ b/examples/gateway/00-crds.yaml 
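Review bot: The `+kubebuilder:validation:Pattern` marker added to `ExternalProcessor.ResponseTimeout` in this hunk has no effect, because pkg/config/parameters.go is the YAML config struct rather than a CRD type; if the config-file value needs the same constraint as the CRD field, it has to be enforced where the parameters are validated on load (I cannot see that code from here), so the marker is misleading and should be dropped or replaced with a plain comment such as `// Must match the duration pattern accepted by the HTTPProxy CRD.`. Two comments in the new struct also read poorly: `// for Overrides is must be nil` on MutationRules should state what it means (e.g. `// Must be nil when this processor is used as a route-level override.`), and the AllowModeOverride comment has a stray closing backtick after `mode_override`. The context line `ExtensionService identifies the extension service defining the RLS` still refers to the rate-limit service and should say the external processing service.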
@@ -11760,4 +11760,4 @@ status: kind: "" plural: "" conditions: null - storedVersions: null \ No newline at end of file + storedVersions: null diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 63a27d2a144..a80bd151325 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -20993,6 +20993,7 @@ status: plural: "" conditions: null storedVersions: null + --- apiVersion: v1 kind: Namespace diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 2c547e9604e..b8cac762221 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -21526,6 +21526,7 @@ status: plural: "" conditions: null storedVersions: null + --- kind: GatewayClass apiVersion: gateway.networking.k8s.io/v1 diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index d3cc99ec6e7..042a690b198 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -1150,16 +1150,15 @@

DownstreamValidation -

ExtProc +

ExtensionServiceReference

(Appears on: +AuthorizationServer, ExternalProcessor)

-

ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way -The external server must implement the v3 Envoy external processing GRPC protocol -(https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).

+

ExtensionServiceReference names an ExtensionService resource.

@@ -1171,92 +1170,58 @@

ExtProc

- - - - - - - -
-phase -
- - -ProcessingPhase - - -
-(Optional) -

Phase determines where in the filter chain this extProc is to be injected.

-
-priority -
- -int32 - -
-(Optional) -

Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase, -they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value, -they will follow the order in which extProc(s) are added, Defaults to 0.

-
-grpcService +apiVersion
- -GRPCService - +string
(Optional) -

GRPCService configure the gRPC service that the filter will communicate with.

+

API version of the referent. +If this field is not specified, the default “projectcontour.io/v1alpha1” will be used

-processingMode +namespace
- -ProcessingMode - +string
(Optional) -

ProcessingMode describes which parts of an HTTP request and response are sent to a remote server -and how they are delivered.

+

Namespace of the referent. +If this field is not specifies, the namespace of the resource that targets the referent will be used.

+

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

-mutationRules +name
- -HeaderMutationRules - +string
-(Optional) -

MutationRules specifies what headers may be manipulated by a processing filter. -This set of rules makes it possible to control which modifications a filter may make.

+

Name of the referent.

+

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

-

ExtProcOverride +

ExternalProcessing

(Appears on: -ExtProcPolicy) +Route, +VirtualHost, +ContourConfigurationSpec)

-

ExtProcOverride override aspects of the configuration for this route. -A set of overrides in a more specific configuration will override a “disabled” flag set in a less-specific one.

+

ExternalProcessing defines a external processing filter and the policy to act on HTTP traffic in a flexible way.

@@ -1268,46 +1233,46 @@

ExtProcOverride

-grpcService +processor
- -GRPCService + +ExternalProcessor
(Optional) -

GRPCService configure the gRPC service that the filter will communicate with.

+

Processor defines a external processing filter which allows an external service to act on HTTP traffic in a flexible way.

-processingMode +disabled
- -ProcessingMode - +bool
(Optional) -

ProcessingMode describes which parts of an HTTP request and response are sent to a remote server -and how they are delivered.

+

When true, this field disables the external processor for the scope of the policy. +- for global: no external processing will be append to the filter chain

+

if both Disabled and Processor are set. use disabled.

-

ExtProcPolicy +

ExternalProcessor

(Appears on: -ExternalProcessor, -Route) +ExternalProcessing)

-

ExtProcPolicy modifies how requests/responses are operated.

+

ExternalProcessor defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way +The external server must implement the v3 Envoy external processing GRPC protocol +(https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).

@@ -1319,58 +1284,22 @@

ExtProcPolicy

- - - - - -
-disabled -
- -bool - -
-(Optional) -

When true, this field disables client request external processing -for the scope of the policy. -Precisely one of disabled, overrides must be set.

-
-overrides +extensionRef
- -ExtProcOverride + +ExtensionServiceReference
(Optional) -

Overrides aspects of the configuration for this route.

-

**Note: For VirtualHost, it’s must be nil.

+

ExtensionServiceRef specifies the extension resource that will handle the client requests.

-

ExtensionServiceReference -

-

-(Appears on: -AuthorizationServer, -GRPCService) -

-

-

ExtensionServiceReference names an ExtensionService resource.

-

- - - - - - - - - -
FieldDescription
-apiVersion +responseTimeout
string @@ -1378,91 +1307,72 @@

ExtensionServiceReferenc

(Optional) -

API version of the referent. -If this field is not specified, the default “projectcontour.io/v1alpha1” will be used

+

ResponseTimeout sets how long the proxy should wait for responses. +Timeout durations are expressed in the Go Duration format. +Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. +The string “infinity” is also a valid input and specifies no timeout.

-namespace +failOpen
-string +bool
(Optional) -

Namespace of the referent. -If this field is not specifies, the namespace of the resource that targets the referent will be used.

-

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

+

If FailOpen is true, the client request is forwarded to the upstream service +even if the server fails to respond. This field should not be +set in most cases.

-name +processingMode
-string + +ProcessingMode +
-

Name of the referent.

-

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

+(Optional) +

ProcessingMode describes which parts of an HTTP request and response are sent to a remote server +and how they are delivered.

-

ExternalProcessor -

-

-(Appears on: -VirtualHost, -ContourConfigurationSpec) -

-

-

ExternalProcessor defines a processing filter list and the policy for fine-grained at VirutalHost and/or Route level.

-

- - - - - - - - @@ -1475,72 +1385,6 @@

Feature

-

GRPCService -

-

-(Appears on: -ExtProc, -ExtProcOverride) -

-

-

GRPCService configure the gRPC service that the filter will communicate with.

-

-
FieldDescription
-processors +mutationRules
- -[]ExtProc + +HeaderMutationRules
(Optional) -

Processors defines a processing filter list,and each filter in the list -will be added to the corresponding processing Priority in ascending order of it’s Priority within the same phase. -If no phase is specified, it will be added before the Router. -If no Priority is specified, the filters will be added in the order they appear in the list.

+

MutationRules specifies what headers may be manipulated by a processing filter. +This set of rules makes it possible to control which modifications a filter may make.

+

for Overrides is must be nil

-extProcPolicy +allowModeOverride
- -ExtProcPolicy - +bool
(Optional) -

ExtProcPolicy sets a external processing policy. -This policy will be used unless overridden by individual routes.

-

**Note: for the Global External Processor, it’s must be nil.

+

If true, the filter config processingMode can be overridden by the response message from the external processing server mode_override. +If false,mode_override` API in the response message will be ignored.

- - - - - - - - - - - - - - - - - - - - -
FieldDescription
-extensionRef -
- - -ExtensionServiceReference - - -
-(Optional) -

ExtensionServiceRef specifies the extension resource that will handle the client requests.

-
-responseTimeout -
- -string - -
-(Optional) -

ResponseTimeout sets how long the proxy should wait for responses. -Timeout durations are expressed in the Go Duration format. -Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. -The string “infinity” is also a valid input and specifies no timeout.

-
-failOpen -
- -bool - -
-(Optional) -

If FailOpen is true, the client request is forwarded to the upstream service -even if the server fails to respond. This field should not be -set in most cases.

-

GenericKeyDescriptor

@@ -2413,7 +2257,7 @@

HeaderMutationRules

(Appears on: -ExtProc) +ExternalProcessor)

HeaderMutationRules specifies what headers may be manipulated by a processing filter. @@ -3235,8 +3079,7 @@

ProcessingMode

(Appears on: -ExtProc, -ExtProcOverride) +ExternalProcessor)

ProcessingMode describes which parts of an HTTP request and response are sent to a remote server @@ -3348,40 +3191,6 @@

ProcessingMode -

ProcessingPhase -(string alias)

-

-(Appears on: -ExtProc) -

-

-

ProcessingPhase define the phase in the filter chain where the external processing filter will be injected

-

- - - - - - - - - - - - - - - - - - -
ValueDescription

"AuthN"

Insert before contour authentication filter(s).

-

"AuthZ"

Insert before contour authorization filter(s) and after the authentication filter(s).

-

"CORS"

Insert before contour CORS filter(s).

-

"DefaultPhase"

DefaultPhase decides insert the external processing service at the end of the filter chain, right before the Router.

-

**NOTE: if not specify, default to DefaultPhase

-

"RateLimit"

Insert before contour RateLimit.

-

QueryParameterHashOptions

@@ -4527,19 +4336,17 @@

Route -extProcPolicy +externalProcessing
- -ExtProcPolicy + +ExternalProcessing (Optional) -

ExtProcPolicy updates the external processing policy that was set -on the root HTTPProxy object for client requests/responses that -match this route.

+

ExternalProcessing override/disable the policy to act on HTTP traffic for the specific route in a flexible way.

@@ -5562,18 +5369,18 @@

VirtualHost -extProc +externalProcessing
- -ExternalProcessor + +ExternalProcessing (Optional) -

ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way -and the policy for fine-grained at VirtualHost level.

+

ExternalProcessing defines a external processing filter and the policy +to act on HTTP traffic in a flexible way.

@@ -5852,36 +5659,36 @@

ContourConfiguration -globalExtProc +featureFlags
- -ExternalProcessor + +FeatureFlags -(Optional) -

GlobalExternalProcessor allows envoys external processing filters -to be enabled for all virtual hosts.

+

FeatureFlags defines toggle to enable new contour features. +Available toggles are: +useEndpointSlices - configures contour to fetch endpoint data +from k8s endpoint slices. defaults to false and reading endpoint +data from the k8s endpoints.

-featureFlags +globalExternalProcessing
- -FeatureFlags + +ExternalProcessing -

FeatureFlags defines toggle to enable new contour features. -Available toggles are: -useEndpointSlices - configures contour to fetch endpoint data -from k8s endpoint slices. defaults to false and reading endpoint -data from the k8s endpoints.

+(Optional) +

GlobalExternalProcessing allows envoys external processing filter +to be enabled for all virtual hosts.

@@ -6661,36 +6468,36 @@

ContourConfiguratio -globalExtProc +featureFlags
- -ExternalProcessor + +FeatureFlags -(Optional) -

GlobalExternalProcessor allows envoys external processing filters -to be enabled for all virtual hosts.

+

FeatureFlags defines toggle to enable new contour features. +Available toggles are: +useEndpointSlices - configures contour to fetch endpoint data +from k8s endpoint slices. defaults to false and reading endpoint +data from the k8s endpoints.

-featureFlags +globalExternalProcessing
- -FeatureFlags + +ExternalProcessing -

FeatureFlags defines toggle to enable new contour features. -Available toggles are: -useEndpointSlices - configures contour to fetch endpoint data -from k8s endpoint slices. defaults to false and reading endpoint -data from the k8s endpoints.

+(Optional) +

GlobalExternalProcessing allows envoys external processing filter +to be enabled for all virtual hosts.

From 19e6c3e6d89def5aedcfe021b370d9c71745ab5b Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Tue, 9 Apr 2024 17:48:15 +0800 Subject: [PATCH 30/31] refactor Signed-off-by: gang.liu --- go.mod | 1 - go.sum | 6 ++---- internal/fixture/httpproxy.go | 4 ++-- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index f327b1967ca..867b1294a9b 100644 --- a/go.mod +++ b/go.mod @@ -105,7 +105,6 @@ require ( github.com/opencontainers/go-digest v1.0.0 // indirect github.com/pelletier/go-toml/v2 v2.0.6 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/procfs v0.12.0 // indirect github.com/rs/zerolog v1.29.0 // indirect diff --git a/go.sum b/go.sum index fb78b072ce5..4ae6be846b8 100644 --- a/go.sum +++ b/go.sum 
@@ -98,8 +98,8 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240221204751-2259f2656a1f h1:gNzN3eFZ++vuUfC63sx/cyG8Ucs5ElRIBIo477HzpTM= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240221204751-2259f2656a1f/go.mod h1:lFu6itz1hckLR2A3aJ+ZKf3lu8HpjTsJSsqvVF6GL6g= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240111020705-5401a878d8bb h1:1BlzJS6JUqCF+HY7RLLafmZdZPmpHLvUWZSw8Jz+GcM= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240111020705-5401a878d8bb/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= 
@@ -316,8 +316,6 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= -github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 h1:pH+U6pJP0BhxqQ4njBUjOg0++WMMvv3eByWzB+oATBY= -github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= diff --git a/internal/fixture/httpproxy.go b/internal/fixture/httpproxy.go index b68168f7fae..2036d6448ee 100644 --- a/internal/fixture/httpproxy.go +++ b/internal/fixture/httpproxy.go @@ -90,8 +90,8 @@ func (b *ProxyBuilder) WithAuthServer(auth contour_v1.AuthorizationServer) *Prox return b } -func (b *ProxyBuilder) WithExternalProcessor(extProc *contour_v1.ExternalProcessor) *ProxyBuilder { +func (b *ProxyBuilder) WithExternalProcessing(extProc *contour_v1.ExternalProcessing) *ProxyBuilder { b.ensureTLS() - b.Spec.VirtualHost.ExtProc = extProc + b.Spec.VirtualHost.ExternalProcessing = extProc return b } From f6b0772156104374d59b06529a9e4681bd3a2dca Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Mon, 4 Nov 2024 11:16:02 +0800 Subject: [PATCH 31/31] fix typo & little refactor Signed-off-by: gang.liu --- apis/projectcontour/v1/helpers.go | 5 +---- internal/dag/dag.go | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index 3f59b33e068..721b6f253c5 100644 
--- a/apis/projectcontour/v1/helpers.go +++ b/apis/projectcontour/v1/helpers.go @@ -60,10 +60,7 @@ func (v *VirtualHost) ExtProcConfigured() bool { // external processing explicit. If an external processor is present, the default // policy is to not disable. func (v *VirtualHost) ExtProcDisabled() bool { - if v.ExternalProcessing == nil { - return false - } - return v.ExternalProcessing.Disabled + return v.ExternalProcessing != nil && v.ExternalProcessing.Disabled } // GetPrefixReplacements returns replacement prefixes from the path diff --git a/internal/dag/dag.go b/internal/dag/dag.go index 2176f61f61f..6e2a8e1d74f 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -384,7 +384,7 @@ type Route struct { // If false, traffic is allowed only if it doesn't match any rule. IPFilterAllow bool - // IPFilterRules i /6 filter rules for which matching + // IPFilterRules is a list of ipv4/6 filter rules for which matching // requests should be filtered. The behavior of the filters is governed // by IPFilterAllow. IPFilterRules []IPFilterRule