diff --git a/envoy-gateway/crds/envoy-gateway-crds.yaml b/envoy-gateway/crds/envoy-gateway-crds.yaml
index 27db15ff..87dbeb61 100644
--- a/envoy-gateway/crds/envoy-gateway-crds.yaml
+++ b/envoy-gateway/crds/envoy-gateway-crds.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: backends.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -167,6 +167,27 @@ spec:
be a merge of both configurations. In case of overlapping fields, the values defined in the BackendTLSPolicy will
take precedence.
properties:
+ alpnProtocols:
+ description: |-
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener or used by the proxy to connect to the backend.
+ Defaults:
+ 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+ 2. Other Routes: ALPN is disabled.
+ 3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+ When an empty list is provided, the ALPN TLS extension is disabled.
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
+ items:
+ description: ALPNProtocol specifies the protocol to be negotiated
+ using ALPN
+ type: string
+ type: array
caCertificateRefs:
description: |-
CACertificateRefs contains one or more references to Kubernetes objects that
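Review bot: The alpnProtocols description on the Backend TLS settings contradicts itself: item 3 says the proxy picks ALPN options appropriate to the backend protocol when the field is unset, while the later sentence says it `Defaults to [h2, http/1.1] if not specified`, and the text also talks about the listener context although this field only governs upstream connections. The wording looks carried over from the listener-side field; I would drop the listener-specific defaults and state only the backend behaviour, e.g. `When not specified, the proxy uses the ALPN options appropriate to the backend protocol.` The items also carry no minLength or pattern, so an empty or malformed ALPN id is only rejected by Envoy rather than at admission. Since this CRD is controller-gen output, the change belongs in the Go doc comment and kubebuilder markers of the backend TLS settings type.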
@@ -216,12 +237,128 @@ spec:
type: object
maxItems: 8
type: array
+ ciphers:
+ description: |-
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ items:
+ type: string
+ type: array
+ clientCertificateRef:
+ description: |-
+ ClientCertificateRef defines the reference to a Kubernetes Secret that contains
+ the client certificate and private key for Envoy to use when connecting to
+ backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+ This secret should be located within the same namespace as the Envoy proxy resource that references it.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ ecdhCurves:
+ description: |-
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
+ items:
+ type: string
+ type: array
insecureSkipVerify:
default: false
description: |-
InsecureSkipVerify indicates whether the upstream's certificate verification
should be skipped. Defaults to "false".
type: boolean
+ maxVersion:
+ description: |-
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ minVersion:
+ description: |-
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ signatureAlgorithms:
+ description: |-
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
+ items:
+ type: string
+ type: array
+ sni:
+ description: |-
+ SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
+
+ Envoy Gateway will use the HTTP host header value for SNI, when all resources referenced in BackendRefs are:
+ 1. Backend resources that do not set SNI, or
+ 2. Service/ServiceImport resources that do not have a BackendTLSPolicy attached to them
+
+ When a BackendTLSPolicy attaches to a Backend resource, the BackendTLSPolicy's Hostname value takes precedence
+ over this value.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
wellKnownCACertificates:
description: |-
WellKnownCACertificates specifies whether system CA certificates may be used in
@@ -245,6 +382,15 @@ spec:
&& ((has(self.caCertificateRefs) && size(self.caCertificateRefs)
> 0) || (has(self.wellKnownCACertificates) && self.wellKnownCACertificates
!= "")))'
+ - message: setting ciphers has no effect if the minimum possible TLS
+ version is 1.3
+ rule: 'has(self.minVersion) && self.minVersion == ''1.3'' ? !has(self.ciphers)
+ : true'
+ - message: minVersion must be smaller or equal to maxVersion
+ rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion]
+ <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : true'
type:
default: Endpoints
description: Type defines the type of the backend. Defaults to "Endpoints"
@@ -333,7 +479,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: backendtrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -444,7 +590,9 @@ spec:
type: object
type: object
compression:
- description: The compression config for the http streams.
+ description: |-
+ The compression config for the http streams.
+ Deprecated: Use Compressor instead.
items:
description: |-
Compression defines the config of enabling compression.
@@ -462,7 +610,41 @@ spec:
enum:
- Gzip
- Brotli
+ - Zstd
type: string
+ zstd:
+ description: The configuration for Zstd compressor.
+ type: object
+ required:
+ - type
+ type: object
+ type: array
+ compressor:
+ description: |-
+ The compressor config for the http streams.
+ This provides more granular control over compression configuration.
+ items:
+ description: |-
+ Compression defines the config of enabling compression.
+ This can help reduce the bandwidth at the expense of higher CPU.
+ properties:
+ brotli:
+ description: The configuration for Brotli compressor.
+ type: object
+ gzip:
+ description: The configuration for GZIP compressor.
+ type: object
+ type:
+ description: CompressorType defines the compressor type to use
+ for compression.
+ enum:
+ - Gzip
+ - Brotli
+ - Zstd
+ type: string
+ zstd:
+ description: The configuration for Zstd compressor.
+ type: object
required:
- type
type: object
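Review bot: The new compressor field (and the Zstd addition to the deprecated compression list) enables response compression without any caveat about when it is unsafe: compressing TLS responses that carry per-session secrets (CSRF tokens, session identifiers) alongside attacker-influenced content exposes them to BREACH-style compression side channels. A short note on the field, such as `Avoid enabling compression on routes whose responses mix secrets with client-controlled input (see the BREACH attack).`, would let operators decide per route. The gzip, brotli and zstd sub-objects are also empty `type: object` placeholders, so the "more granular control" promised by the description is not yet visible in this hunk. Since the file is controller-gen output, the wording belongs in the Go doc comment.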
@@ -484,6 +666,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
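Review bot: predictivePercent carries only `minimum: 100` whereas the sibling perEndpointPercent is bounded with `maximum: 300`; unless Envoy accepts an unbounded predictive ratio, a value such as 1000 passes admission and is rejected only when the cluster is pushed to Envoy, which stalls the whole xDS update rather than the single offending policy. I would add `maximum: 300` to predictivePercent (via the kubebuilder marker on the Go field, since this file is generated) and state the allowed range in its description as the sibling does. I have not verified Envoy's validation of the predictive preconnect ratio here, so please confirm the upper bound against the cluster proto before adopting it.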
@@ -649,8 +866,7 @@ spec:
Defaults to 200 only
items:
description: HTTPStatus defines the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -820,7 +1036,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors sets the number of consecutive
gateway errors triggering ejection.
format: int32
@@ -832,6 +1047,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time between passive health
@@ -961,8 +1185,10 @@ spec:
- name
type: object
header:
- description: Header configures the header hash policy when
- the consistent hash type is set to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header to hash.
@@ -970,6 +1196,21 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the header hash policy for
+ each header, when the consistent hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent hashing, must be
@@ -983,10 +1224,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -996,6 +1239,9 @@ spec:
- message: If consistent hash type is header, the header field
must be set.
rule: 'self.type == ''Header'' ? has(self.header) : !has(self.header)'
+ - message: If consistent hash type is headers, the headers field
+ must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers) : !has(self.headers)'
- message: If consistent hash type is cookie, the cookie field
must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie) : !has(self.cookie)'
@@ -1084,6 +1330,14 @@ spec:
to enable zone-aware routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage of requests that will
+ be considered for zone aware routing if zone aware routing
+ is configured. If not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -1169,12 +1423,12 @@ spec:
RateLimitSelectCondition specifies the attributes within the traffic flow that can
be used to select a subset of clients to be ratelimited.
All the individual conditions must hold True for the overall condition to hold True.
+ And, at least one of headers or methods or path or sourceCIDR condition must be specified.
properties:
headers:
description: |-
Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
- At least one of headers or sourceCIDR condition must be specified.
items:
description: HeaderMatch defines the match attributes
within the HTTP Headers of the request.
@@ -1215,10 +1469,66 @@ spec:
type: object
maxItems: 16
type: array
- sourceCIDR:
+ methods:
description: |-
- SourceCIDR is the client IP Address range to match on.
- At least one of headers or sourceCIDR condition must be specified.
+ Methods is a list of request methods to match. Multiple method values are ORed together,
+ meaning, a request can match any one of the specified methods. If not specified, it matches all methods.
+ items:
+ description: MethodMatch defines the matching
+ criteria for the HTTP method of a request.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ value:
+ description: Value specifies the HTTP method.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ path:
+ description: |-
+ Path is the request path to match.
+ Support Exact, PathPrefix and RegularExpression match types.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ type:
+ default: PathPrefix
+ description: Type specifies how to match against
+ the value of the path.
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value specifies the HTTP path.
+ maxLength: 1024
+ type: string
+ required:
+ - value
+ type: object
+ sourceCIDR:
+ description: SourceCIDR is the client IP Address
+ range to match on.
properties:
type:
default: Exact
@@ -1238,6 +1548,11 @@ spec:
- value
type: object
type: object
+ x-kubernetes-validations:
+ - message: at least one of headers, methods, path
+ or sourceCIDR must be specified
+ rule: has(self.headers) || has(self.methods) ||
+ has(self.path) || has(self.sourceCIDR)
maxItems: 8
type: array
cost:
@@ -1382,7 +1697,7 @@ spec:
required:
- limit
type: object
- maxItems: 64
+ maxItems: 128
type: array
required:
- rules
@@ -1420,12 +1735,12 @@ spec:
RateLimitSelectCondition specifies the attributes within the traffic flow that can
be used to select a subset of clients to be ratelimited.
All the individual conditions must hold True for the overall condition to hold True.
+ And, at least one of headers or methods or path or sourceCIDR condition must be specified.
properties:
headers:
description: |-
Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
- At least one of headers or sourceCIDR condition must be specified.
items:
description: HeaderMatch defines the match attributes
within the HTTP Headers of the request.
@@ -1466,10 +1781,66 @@ spec:
type: object
maxItems: 16
type: array
- sourceCIDR:
+ methods:
+ description: |-
+ Methods is a list of request methods to match. Multiple method values are ORed together,
+ meaning, a request can match any one of the specified methods. If not specified, it matches all methods.
+ items:
+ description: MethodMatch defines the matching
+ criteria for the HTTP method of a request.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ value:
+ description: Value specifies the HTTP method.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ path:
description: |-
- SourceCIDR is the client IP Address range to match on.
- At least one of headers or sourceCIDR condition must be specified.
+ Path is the request path to match.
+ Support Exact, PathPrefix and RegularExpression match types.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ type:
+ default: PathPrefix
+ description: Type specifies how to match against
+ the value of the path.
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value specifies the HTTP path.
+ maxLength: 1024
+ type: string
+ required:
+ - value
+ type: object
+ sourceCIDR:
+ description: SourceCIDR is the client IP Address
+ range to match on.
properties:
type:
default: Exact
@@ -1489,6 +1860,11 @@ spec:
- value
type: object
type: object
+ x-kubernetes-validations:
+ - message: at least one of headers, methods, path
+ or sourceCIDR must be specified
+ rule: has(self.headers) || has(self.methods) ||
+ has(self.path) || has(self.sourceCIDR)
maxItems: 8
type: array
cost:
@@ -1643,12 +2019,12 @@ spec:
description: |-
Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local".
+
+ Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting.
enum:
- Global
- Local
type: string
- required:
- - type
type: object
requestBuffer:
description: |-
@@ -1838,8 +2214,6 @@ spec:
Port will not be added in the 'Location' header if scheme is HTTP and port is 80
or scheme is HTTPS and port is 443.
format: int32
- maximum: 65535
- minimum: 1
type: integer
scheme:
description: |-
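Review bot: Removing `maximum: 65535` and `minimum: 1` from the redirect port means 0, negative and >65535 values now pass admission and are emitted verbatim into the Location header, producing an unusable redirect. Unless a CEL rule outside this hunk now enforces the range, the bounds should be restored on the Go field's kubebuilder markers: `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=65535`. If the removal is intentional (for example the field moved to a shared port type that validates elsewhere), the hunk gives no indication of where the check now lives and the description should say so.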
@@ -1933,6 +2307,142 @@ spec:
description: Content Type of the response. This will be
set in the Content-Type header.
type: string
+ header:
+ description: |-
+ Header defines headers to add, set or remove from the response.
+ This allows the response policy to append, add or override headers
+ of the final response before it is sent to a downstream client.
+ Note: Header removal is not supported for responseOverride.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ x-kubernetes-validations:
+ - message: Remove is not supported for header in CustomResponse
+ rule: '!has(self.remove) || size(self.remove) == 0'
statusCode:
description: |-
Status Code of the Custom Response
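Review bot: The add, set and remove descriptions under responseOverride.header all describe mutating the HTTP request (`Add adds the given header(s) (name, value) to the request before the action`, with `GET /foo HTTP/1.1` examples), but the field as introduced applies to the custom response sent to the client, and remove is additionally forbidden by the CEL rule at the end of the hunk. If the embedded type is the shared Gateway API header filter the text cannot be changed here, but the parent `header` description should then state that the examples are written for requests and that only add and set apply, so operators are not misled. This belongs in the Go doc comment since the CRD is generated.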
@@ -2005,8 +2515,7 @@ spec:
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
items:
description: HTTPStatus defines the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -2339,6 +2848,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time until which entire
response is received from the upstream.
@@ -2374,8 +2891,6 @@ spec:
- message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''] : true'
- - message: this policy does not yet support the sectionName field
- rule: 'has(self.targetRef) ? !has(self.targetRef.sectionName) : true'
- message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
''gateway.networking.k8s.io'') : true '
@@ -2383,9 +2898,14 @@ spec:
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
''HTTPRoute'', ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''])
: true '
- - message: this policy does not yet support the sectionName field
- rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName))
- : true'
+ - message: either compression or compressor can be set, not both
+ rule: '!has(self.compression) || !has(self.compressor)'
+ - message: predictivePercent in preconnect policy only works with RoundRobin
+ or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect) &&
+ has(self.connection.preconnect.predictivePercent)) && !(has(self.loadBalancer)
+ && has(self.loadBalancer.type) && self.loadBalancer.type in [''Random'',
+ ''RoundRobin'']))'
status:
description: status defines the current status of BackendTrafficPolicy.
properties:
@@ -2591,8 +3111,38 @@ spec:
- name
type: object
conditions:
- description: Conditions describes the status of the Policy with
- respect to the given Ancestor.
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -2675,10 +3225,12 @@ spec:
type: string
required:
- ancestorRef
+ - conditions
- controllerName
type: object
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
required:
- ancestors
type: object
@@ -2694,7 +3246,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: clienttrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -2774,9 +3326,18 @@ spec:
properties:
numTrustedHops:
description: |-
- NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
- headers to trust when determining the origin client's IP address.
- Only one of NumTrustedHops and TrustedCIDRs must be set.
+ NumTrustedHops specifies how many trusted hops to count from the rightmost side of
+ the X-Forwarded-For (XFF) header when determining the original client’s IP address.
+
+ If NumTrustedHops is set to N, the client IP is taken from the Nth address from the
+ right end of the XFF header.
+
+ Example:
+ XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
+ NumTrustedHops = 2
+ → Trusted client address = 203.0.113.10
+
+ Only one of NumTrustedHops or TrustedCIDRs should be configured.
format: int32
type: integer
trustedCIDRs:
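Review bot: The expanded numTrustedHops text explains the arithmetic but not the trust assumption: the Nth-from-right address is only the real client if every one of those N hops is a proxy the operator controls, because a client can pre-seed X-Forwarded-For with arbitrary entries. Overstating the hop count therefore lets a client choose the address that sourceCIDR rate-limit conditions, IP allowlists and access logs see. I would add a sentence such as `Set this only to the number of trusted proxies in front of Envoy; a larger value allows clients to spoof their source address via X-Forwarded-For.` The field also has no minimum, so a negative value is only rejected by Envoy rather than at admission. As the CRD is generated, the wording and a `// +kubebuilder:validation:Minimum=0` marker belong on the Go field.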
@@ -2833,6 +3394,25 @@ spec:
Default: none.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxConnectionDuration:
+ description: |-
+ MaxConnectionDuration is the maximum amount of time a connection can remain established
+ (usually via TCP/HTTP Keepalive packets) before being drained and/or closed.
+ If not specified, there is no limit.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxRequestsPerConnection:
+ description: |-
+ MaxRequestsPerConnection defines the maximum number of requests allowed over a single connection.
+ If not specified, there is no limit. Setting this parameter to 1 will effectively disable keep alive.
+ format: int32
+ type: integer
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum amount of time to keep alive an http stream. When the limit is reached
+ the stream will be reset independent of any other timeouts. If not specified, no value is set.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
value:
description: |-
Value of the maximum concurrent connections limit.
@@ -3019,17 +3599,148 @@ spec:
EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses.
type: boolean
+ lateResponseHeaders:
+ description: LateResponseHeaders defines settings for global response
+ header modification.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
preserveXRequestID:
description: |-
PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
Defaults to false and cannot be combined with RequestID.
- Deprecated: use RequestID=Preserve instead
+ Deprecated: use RequestID=PreserveOrGenerate instead
type: boolean
requestID:
description: |-
RequestID configures Envoy's behavior for handling the `X-Request-ID` header.
- Defaults to `Generate` and builds the `X-Request-ID` for every request and ignores pre-existing values from the edge.
+ When omitted default behavior is `Generate` which builds the `X-Request-ID` for every request
+ and ignores pre-existing values from the edge.
(An "edge request" refers to a request from an external client to the Envoy entrypoint.)
enum:
- PreserveOrGenerate
@@ -3117,6 +3828,14 @@ spec:
http1:
description: HTTP1 provides HTTP/1 configuration on the listener.
properties:
+ disableSafeMaxConnectionDuration:
+ description: |-
+ DisableSafeMaxConnectionDuration controls the close behavior for HTTP/1 connections.
+ By default, connection closure is delayed until the next request arrives after maxConnectionDuration is exceeded.
+ It then adds a Connection: close header and gracefully closes the connection after the response completes.
+ When set to true (disabled), Envoy uses its default drain behavior, closing the connection shortly after maxConnectionDuration elapses.
+ Has no effect unless maxConnectionDuration is set.
+ type: boolean
enableTrailers:
description: EnableTrailers defines if HTTP/1 trailers should
be proxied by Envoy.
@@ -3127,11 +3846,18 @@ spec:
properties:
useDefaultHost:
description: |-
- UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
- then the hostname associated with the listener should be injected into the
- request.
- If this is not set and an HTTP/1.0 request arrives without a host, then
- it will be rejected.
+ UseDefaultHost specifies whether a default Host header should be injected
+ into HTTP/1.0 requests that do not include one.
+
+ When set to true, Envoy Gateway injects the hostname associated with the
+ listener or route into the request, in the following order:
+
+ 1. If the targeted listener has a non-wildcard hostname, use that hostname.
+ 2. If there is exactly one HTTPRoute with a non-wildcard hostname under
+ the targeted listener, use that hostname.
+
+ Note: Setting this field to true without a non-wildcard hostname makes the
+ ClientTrafficPolicy invalid.
type: boolean
type: object
preserveHeaderCase:
@@ -3468,17 +4194,16 @@ spec:
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
- Supported values are:
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
- http/1.0
- http/1.1
- h2
items:
description: ALPNProtocol specifies the protocol to be negotiated
using ALPN
- enum:
- - http/1.0
- - http/1.1
- - h2
type: string
type: array
ciphers:
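Review bot: Dropping the `enum` on the ALPN `items` leaves every protocol entry as an unconstrained string, so a misspelled or unsupported value now passes admission and only surfaces later as an Envoy config rejection or a silently non-negotiating ALPN; the description line `Typical Supported values are:` no longer promises anything the schema enforces. ALPN protocol identifiers are 1–255 bytes, so the items schema should at least carry `minLength: 1` and `maxLength: 255`, and a `maxItems` on the array would bound the list handed to Envoy. The same enum removal is made for the envoyproxies CRD in the hunk `@@ -6673,17 +7653,16 @@` and should get the same bounds.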
@@ -3577,6 +4302,81 @@ spec:
items:
type: string
type: array
+ crl:
+ description: Crl specifies the crl configuration that can
+ be used to validate the client initiating the TLS connection
+ properties:
+ onlyVerifyLeafCertificate:
+ description: |-
+ If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+ Defaults to false, which will verify the entire certificate chain against the CRL.
+ type: boolean
+ refs:
+ description: |-
+ Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+ containing the certificate revocation list in PEM format
+ Expects the content in a key named `ca.crl`.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the crl
+ to be attached.
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ required:
+ - refs
+ type: object
optional:
description: |-
Optional set to true accepts connections even when a client doesn't present a certificate.
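Review bot: The `refs` description restricts the revocation-list source to a ConfigMap or Secret, but the item schema's `kind` only has the generic name pattern, so a reference to any other Kind is accepted by the apiserver and can only fail, or be silently ignored, in the controller. A CEL validation on the `crl` object would enforce the documented contract at admission, in the style of the other rules in this file: `- message: crl refs must reference a ConfigMap or Secret` / `rule: 'self.refs.all(ref, ref.kind in [''ConfigMap'', ''Secret''])'`. Since both kinds live in the core API group, `group` could be pinned to the empty string by the same rule.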
@@ -4032,8 +4832,38 @@ spec:
- name
type: object
conditions:
- description: Conditions describes the status of the Policy with
- respect to the given Ancestor.
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -4116,10 +4946,12 @@ spec:
type: string
required:
- ancestorRef
+ - conditions
- controllerName
type: object
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
required:
- ancestors
type: object
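Review bot: Adding `conditions` to the `required` list of each ancestor entry means a status write that omits it is now rejected outright, which presumably affects any older controller build still writing ancestor entries without conditions during an upgrade; if that is intended it deserves a line in the PR description. Setting `x-kubernetes-list-type: atomic` on `ancestors` also makes server-side apply treat the whole list as one field, so if more than one controller is expected to own entries in it, an apply by one replaces the entries written by another. The same two changes appear in the envoyextensionpolicies hunk `@@ -6125,10 +7071,12 @@` and the envoypatchpolicies hunk `@@ -6600,10 +7578,12 @@`.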
@@ -4135,7 +4967,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: envoyextensionpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -4433,6 +5265,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -4548,8 +5415,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -4726,7 +5592,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors sets the number
of consecutive gateway errors triggering ejection.
format: int32
@@ -4738,6 +5603,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time between passive
@@ -4838,8 +5712,10 @@ spec:
- name
type: object
header:
- description: Header configures the header hash policy
- when the consistent hash type is set to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header to hash.
@@ -4847,6 +5723,22 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent hash
+ type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent hashing,
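Review bot: The new `headers[].name` is an unbounded plain `string`, while the HTTPHeader `name` schema earlier in this file carries `maxLength: 256`, `minLength: 1` and `pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$`; a header name used as hash input should be held to the same token grammar so an empty or malformed name is rejected at admission rather than producing an Envoy config error. The `headers` array also has no `maxItems`, unlike the other lists in this CRD, so a bound there would keep the hash policy size predictable.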
@@ -4860,10 +5752,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -4874,6 +5768,10 @@ spec:
field must be set.
rule: 'self.type == ''Header'' ? has(self.header)
: !has(self.header)'
+ - message: If consistent hash type is headers, the headers
+ field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
- message: If consistent hash type is cookie, the cookie
field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
@@ -4965,6 +5863,15 @@ spec:
all zones required to enable zone-aware routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If not
+ specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -5059,8 +5966,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -5133,6 +6039,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time until which
entire response is received from the upstream.
@@ -5151,6 +6065,13 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent)) &&
+ !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
failOpen:
default: false
description: |-
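Review bot: The new rule rejects `predictivePercent` whenever `loadBalancer` or `loadBalancer.type` is absent, not only when the type is something other than Random or RoundRobin, so a user relying on the default load balancer (not visible here, so it may or may not be compatible) gets an error whose message, `only works with RoundRobin or Random load balancers`, does not say the type must be set explicitly. Either the message and the `predictivePercent` description should state that `loadBalancer.type` must be set explicitly, or, if the default type does satisfy the constraint, the inner condition can be loosened to `!has(self.loadBalancer) || !has(self.loadBalancer.type) || self.loadBalancer.type in ['Random', 'RoundRobin']` behind the same presence check.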
@@ -5824,8 +6745,6 @@ spec:
- message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''] : true'
- - message: this policy does not yet support the sectionName field
- rule: 'has(self.targetRef) ? !has(self.targetRef.sectionName) : true'
- message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
''gateway.networking.k8s.io'') : true '
@@ -5833,9 +6752,6 @@ spec:
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
''HTTPRoute'', ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''])
: true '
- - message: this policy does not yet support the sectionName field
- rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName))
- : true'
status:
description: Status defines the current status of EnvoyExtensionPolicy.
properties:
@@ -6041,8 +6957,38 @@ spec:
- name
type: object
conditions:
- description: Conditions describes the status of the Policy with
- respect to the given Ancestor.
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -6125,10 +7071,12 @@ spec:
type: string
required:
- ancestorRef
+ - conditions
- controllerName
type: object
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
required:
- ancestors
type: object
@@ -6144,7 +7092,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: envoypatchpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -6516,8 +7464,38 @@ spec:
- name
type: object
conditions:
- description: Conditions describes the status of the Policy with
- respect to the given Ancestor.
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -6600,10 +7578,12 @@ spec:
type: string
required:
- ancestorRef
+ - conditions
- controllerName
type: object
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
required:
- ancestors
type: object
@@ -6619,7 +7599,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: envoyproxies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -6673,17 +7653,16 @@ spec:
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
- Supported values are:
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
- http/1.0
- http/1.1
- h2
items:
description: ALPNProtocol specifies the protocol to be negotiated
using ALPN
- enum:
- - http/1.0
- - http/1.1
- - h2
type: string
type: array
ciphers:
@@ -6908,6 +7887,8 @@ spec:
- envoy.filters.http.ext_authz
+ - envoy.filters.http.api_key_auth
+
- envoy.filters.http.basic_auth
- envoy.filters.http.oauth2
@@ -6916,6 +7897,8 @@ spec:
- envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
+
- envoy.filters.http.lua
- envoy.filters.http.ext_proc
@@ -6928,8 +7911,16 @@ spec:
- envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+
+ - envoy.filters.http.grpc_stats
+
- envoy.filters.http.custom_response
+ - envoy.filters.http.credential_injector
+
+ - envoy.filters.http.compressor
+
- envoy.filters.http.router
Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
@@ -6951,13 +7942,17 @@ spec:
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
- envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
- envoy.filters.http.local_ratelimit
- envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+ - envoy.filters.http.grpc_stats
- envoy.filters.http.custom_response
+ - envoy.filters.http.credential_injector
- envoy.filters.http.compressor
type: string
before:
@@ -6974,13 +7969,17 @@ spec:
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
- envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
- envoy.filters.http.local_ratelimit
- envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+ - envoy.filters.http.grpc_stats
- envoy.filters.http.custom_response
+ - envoy.filters.http.credential_injector
- envoy.filters.http.compressor
type: string
name:
@@ -6995,13 +7994,17 @@ spec:
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
- envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
- envoy.filters.http.local_ratelimit
- envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+ - envoy.filters.http.grpc_stats
- envoy.filters.http.custom_response
+ - envoy.filters.http.credential_injector
- envoy.filters.http.compressor
type: string
required:
@@ -7058,6 +8061,7 @@ spec:
Default: Strict
enum:
- Strict
+ - InsecureSyntax
- Disabled
type: string
mergeGateways:
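Review bot: The new `InsecureSyntax` enum value arrives without a description sentence for it; the only visible text of the field's description is `Default: Strict`, and the rest of the description, together with the field itself, starts outside this hunk. A value whose name advertises relaxed checking should say in the description which validation is skipped and which request shapes are then accepted, so operators enabling it can tell from the CRD what they are giving up. That sentence belongs in the description block above the enum, next to the existing `Default: Strict` line.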
@@ -7070,7 +8074,7 @@ spec:
preserveRouteOrder:
description: |-
PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
- specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)
+ specification (https://gateway-api.sigs.k8s.io/reference/1.4/spec/#httprouterule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False
type: boolean
@@ -7080,6 +8084,19 @@ spec:
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters.
properties:
+ host:
+ description: |-
+ Host provides runtime deployment of the data plane as a child process on the
+ host environment.
+ If unspecified and type is "Host", default settings for the custom provider
+ are applied.
+ properties:
+ envoyVersion:
+ description: |-
+ EnvoyVersion is the version of Envoy to use. If unspecified, the version
+ against which Envoy Gateway is built will be used.
+ type: string
+ type: object
kubernetes:
description: |-
Kubernetes defines the desired state of the Kubernetes resource provider.
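Review bot: `envoyVersion` under the new `host` provider is a free-form `string` with no `pattern` or `maxLength`, yet its description says it selects the Envoy build that runs as a child process on the host; if that value feeds a binary name, download path or similar (not visible here), an arbitrary string is exactly the kind of input worth bounding at admission. A version-shaped constraint such as `pattern: ^[a-zA-Z0-9._-]+$` together with `maxLength: 64` would match the strictness this file already applies to `image` and spare the controller from sanitising it.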
@@ -7104,8 +8121,9 @@ spec:
present in a Container.
properties:
name:
- description: Name of the environment variable.
- Must be a C_IDENTIFIER.
+ description: |-
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
type: string
value:
description: |-
@@ -7164,6 +8182,43 @@ spec:
- fieldPath
type: object
x-kubernetes-map-type: atomic
+ fileKeyRef:
+ description: |-
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+ properties:
+ key:
+ description: |-
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ type: string
+ optional:
+ default: false
+ description: |-
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ type: boolean
+ path:
+ description: |-
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ type: string
+ volumeName:
+ description: The name of the volume
+ mount containing the env file.
+ type: string
+ required:
+ - key
+ - path
+ - volumeName
+ type: object
+ x-kubernetes-map-type: atomic
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
@@ -7229,7 +8284,7 @@ spec:
x-kubernetes-validations:
- message: Image must include a tag and allowed characters
only (e.g., 'repo:tag').
- rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
imageRepository:
description: |-
ImageRepository specifies the container image repository to be used without specifying a tag.
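Review bot: The validation message says the image `must include a tag`, but in the new regex the tag group `(:[a-zA-Z0-9._-]+)?` and the digest group `(@sha256:[a-z0-9]+)?` are both optional, so a bare `repo/name` still passes and the message and rule disagree. The digest group also accepts any length of `[a-z0-9]`, which lets a truncated or malformed digest through to the runtime; `@sha256:[a-f0-9]{64}` pins it to the real form. If tag-or-digest is meant to be mandatory the rule should end with a required alternation such as `((:[a-zA-Z0-9._-]+)(@sha256:[a-f0-9]{64})?|(@sha256:[a-f0-9]{64}))$`; otherwise the message should say the tag is optional.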
@@ -7250,7 +8305,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -8178,8 +9233,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched
@@ -9724,15 +10779,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -9917,12 +10970,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name
+ that details Glusterfs topology.
type: string
path:
description: |-
@@ -10001,7 +11052,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether
@@ -10445,6 +11496,112 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated
+ CSRs will be addressed to this
+ signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about
the secret data to project
@@ -10582,7 +11739,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -10898,7 +12054,7 @@ spec:
pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
on that node is marked deleted. If the old pod becomes unavailable for any
reason (Ready transitions to false, is evicted, or is drained) an updated
- pod is immediatedly created on that node without considering surge limits.
+ pod is immediately created on that node without considering surge limits.
Allowing surge implies the possibility that the resources consumed by the
daemonset on any given node can double if the readiness check fails, and
so resource intensive daemonsets should take into account that they may
@@ -10949,8 +12105,9 @@ spec:
present in a Container.
properties:
name:
- description: Name of the environment variable.
- Must be a C_IDENTIFIER.
+ description: |-
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
type: string
value:
description: |-
@@ -11009,6 +12166,43 @@ spec:
- fieldPath
type: object
x-kubernetes-map-type: atomic
+ fileKeyRef:
+ description: |-
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+ properties:
+ key:
+ description: |-
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ type: string
+ optional:
+ default: false
+ description: |-
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ type: boolean
+ path:
+ description: |-
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ type: string
+ volumeName:
+ description: The name of the volume
+ mount containing the env file.
+ type: string
+ required:
+ - key
+ - path
+ - volumeName
+ type: object
+ x-kubernetes-map-type: atomic
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
@@ -11074,7 +12268,7 @@ spec:
x-kubernetes-validations:
- message: Image must include a tag and allowed characters
only (e.g., 'repo:tag').
- rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
imageRepository:
description: |-
ImageRepository specifies the container image repository to be used without specifying a tag.
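Review bot: The validation message on this rule still says the image "must include a tag", yet in the new regex both the tag group `(:[a-zA-Z0-9._-]+)?` and the digest group are optional, so a bare `repo` passes and the message only misleads whoever hits it on a genuinely malformed string. The digest group `(@sha256:[a-z0-9]+)?` is also looser than a real digest: it accepts any length and non-hex letters, so a mistyped pinned digest is admitted and fails only at image pull, which defeats the point of pinning. Tighten it to `(@sha256:[a-f0-9]{64})?$` and reword the message to `Image must be a valid reference (e.g., 'repo:tag' or 'repo@sha256:<digest>')`. The enclosing `image` property starts before this hunk, so I cannot see whether a separate `minLength` or required-ness applies.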
@@ -11095,7 +12289,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -11457,8 +12651,9 @@ spec:
variable present in a Container.
properties:
name:
- description: Name of the environment variable.
- Must be a C_IDENTIFIER.
+ description: |-
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
type: string
value:
description: |-
@@ -11517,6 +12712,43 @@ spec:
- fieldPath
type: object
x-kubernetes-map-type: atomic
+ fileKeyRef:
+ description: |-
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+ properties:
+ key:
+ description: |-
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ type: string
+ optional:
+ default: false
+ description: |-
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ type: boolean
+ path:
+ description: |-
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ type: string
+ volumeName:
+ description: The name of the volume
+ mount containing the env file.
+ type: string
+ required:
+ - key
+ - path
+ - volumeName
+ type: object
+ x-kubernetes-map-type: atomic
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
@@ -11580,8 +12812,8 @@ spec:
envFrom:
description: |-
List of sources to populate environment variables in the container.
- The keys defined within a source must be a C_IDENTIFIER. All invalid keys
- will be reported as an event when the container is starting. When a key exists in multiple
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ When a key exists in multiple
sources, the value associated with the last source will take precedence.
Values defined by an Env with a duplicate key will take precedence.
Cannot be updated.
@@ -11608,9 +12840,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
prefix:
- description: Optional text to prepend to the
- name of each environment variable. Must
- be a C_IDENTIFIER.
+ description: |-
+ Optional text to prepend to the name of each environment variable.
+ May consist of any printable ASCII characters except '='.
type: string
secretRef:
description: The Secret to select from
@@ -12297,7 +13529,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -12352,10 +13584,10 @@ spec:
restartPolicy:
description: |-
RestartPolicy defines the restart behavior of individual containers in a pod.
- This field may only be set for init containers, and the only allowed value is "Always".
- For non-init containers or when this field is not specified,
+ This overrides the pod-level restart policy. When this field is not specified,
the restart behavior is defined by the Pod's restart policy and the container type.
- Setting the RestartPolicy as "Always" for the init container will have the following effect:
+ Additionally, setting the RestartPolicy as "Always" for the init container will
+ have the following effect:
this init container will be continually restarted on
exit until all regular containers have terminated. Once all regular
containers have completed, all init containers with restartPolicy "Always"
@@ -12367,6 +13599,59 @@ spec:
init container is started, or after any startupProbe has successfully
completed.
type: string
+ restartPolicyRules:
+ description: |-
+ Represents a list of rules to be checked to determine if the
+ container should be restarted on exit. The rules are evaluated in
+ order. Once a rule matches a container exit condition, the remaining
+ rules are ignored. If no rule matches the container exit condition,
+ the Container-level restart policy determines the whether the container
+ is restarted or not. Constraints on the rules:
+ - At most 20 rules are allowed.
+ - Rules can have the same action.
+ - Identical rules are not forbidden in validations.
+ When rules are specified, container MUST set RestartPolicy explicitly
+ even it if matches the Pod's RestartPolicy.
+ items:
+ description: ContainerRestartRule describes how
+ a container exit is handled.
+ properties:
+ action:
+ description: |-
+ Specifies the action taken on a container exit if the requirements
+ are satisfied. The only possible value is "Restart" to restart the
+ container.
+ type: string
+ exitCodes:
+ description: Represents the exit codes to
+ check on container exits.
+ properties:
+ operator:
+ description: |-
+ Represents the relationship between the container exit code(s) and the
+ specified values. Possible values are:
+ - In: the requirement is satisfied if the container exit code is in the
+ set of specified values.
+ - NotIn: the requirement is satisfied if the container exit code is
+ not in the set of specified values.
+ type: string
+ values:
+ description: |-
+ Specifies the set of values to check for container exit codes.
+ At most 255 elements are allowed.
+ items:
+ format: int32
+ type: integer
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - operator
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
securityContext:
description: |-
SecurityContext defines the security options the container should be run with.
@@ -13481,8 +14766,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched
@@ -15027,15 +16312,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -15220,12 +16503,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name
+ that details Glusterfs topology.
type: string
path:
description: |-
@@ -15304,7 +16585,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether
@@ -15748,6 +17029,112 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated
+ CSRs will be addressed to this
+ signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about
the secret data to project
@@ -15885,7 +17272,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -17110,10 +18496,10 @@ spec:
description: |-
Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
- optional auxiliary control planes. Supported types are "Kubernetes".
+ optional auxiliary control planes. Supported types are "Kubernetes"and "Host".
enum:
- Kubernetes
- - Custom
+ - Host
type: string
required:
- type
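Review bot: Removing `Custom` from the `enum` is a breaking schema change rather than a pure addition: any stored object whose provider `type` is `Custom` will be rejected on its next update, and nothing in this hunk (or the diff) records a migration or a deprecation window, so if `Custom` ever shipped this needs a release note and ideally a conversion path. The rewritten description also runs the two words together and should read `Supported types are "Kubernetes" and "Host".`. What the Host provider does and what host privileges it needs is not visible here; the description would benefit from one sentence on that, since it presumably runs the data plane outside Kubernetes' isolation.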
@@ -17468,6 +18854,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
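Review bot: `predictivePercent` gets only `minimum: 100` while its sibling `perEndpointPercent` is bounded with `maximum: 300`, so an arbitrarily large predictive ratio, which multiplies the number of idle upstream connections held across the whole cluster, is accepted at admission. If the underlying Envoy `predictive_preconnect_ratio` caps at 3.0 the same way the per-upstream ratio evidently does (the 300 cap here suggests so, but verify against Envoy's proto validation), the bad value surfaces only as an xDS rejection long after `kubectl apply` succeeded; adding `maximum: 300` under `predictivePercent` makes both fields fail the same way, up front. It would also help operators sizing circuit breakers to state in the description whether preconnected connections count toward the cluster's connection limits; presumably they do, but confirm before documenting.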
@@ -17592,8 +19013,7 @@ spec:
description: HTTPStatus
defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -17794,7 +19214,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors
sets the number of consecutive
gateway errors triggering ejection.
@@ -17807,6 +19226,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines
@@ -17913,10 +19341,10 @@ spec:
- name
type: object
header:
- description: Header configures
- the header hash policy when
- the consistent hash type is
- set to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header
@@ -17925,6 +19353,24 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures
+ the header hash policy for each
+ header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the
+ header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for
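Review bot: The new `headers` array has no `minItems`, no `maxItems` and no list-type, so `headers: []` satisfies the companion CEL rule `has(self.headers)` (the apiserver keeps an explicitly set empty list, as far as I recall) and produces a Headers hash policy with nothing to hash on, which would pin every request to one backend. Add `minItems: 1` plus an upper bound in the style this file already uses (`maxItems: 8` appears on other lists), and consider a `pattern` on each `name` so malformed or duplicate header names are rejected at admission rather than passed through to Envoy. The same gap exists in the other two copies of this block later in the diff.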
@@ -17939,10 +19385,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -17954,6 +19402,11 @@ spec:
be set.
rule: 'self.type == ''Header'' ?
has(self.header) : !has(self.header)'
+ - message: If consistent hash type
+ is headers, the headers field
+ must be set.
+ rule: 'self.type == ''Headers''
+ ? has(self.headers) : !has(self.headers)'
- message: If consistent hash type
is cookie, the cookie field must
be set.
@@ -18052,6 +19505,17 @@ spec:
to enable zone-aware routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage
+ of requests that will be
+ considered for zone aware
+ routing if zone aware routing
+ is configured. If not specified,
+ Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -18152,8 +19616,7 @@ spec:
items:
description: HTTPStatus defines
the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -18229,6 +19692,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is
the time until which entire
@@ -18250,6 +19721,15 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect
+ policy only works with RoundRobin or Random
+ load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'',
+ ''RoundRobin'']))'
http:
description: HTTP defines additional configuration
specific to HTTP access logs.
@@ -18581,6 +20061,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -18705,8 +20220,7 @@ spec:
description: HTTPStatus
defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -18907,7 +20421,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors
sets the number of consecutive
gateway errors triggering ejection.
@@ -18920,6 +20433,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines
@@ -19026,10 +20548,10 @@ spec:
- name
type: object
header:
- description: Header configures
- the header hash policy when
- the consistent hash type is
- set to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header
@@ -19038,6 +20560,24 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures
+ the header hash policy for each
+ header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the
+ header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for
@@ -19052,10 +20592,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -19067,6 +20609,11 @@ spec:
be set.
rule: 'self.type == ''Header'' ?
has(self.header) : !has(self.header)'
+ - message: If consistent hash type
+ is headers, the headers field
+ must be set.
+ rule: 'self.type == ''Headers''
+ ? has(self.headers) : !has(self.headers)'
- message: If consistent hash type
is cookie, the cookie field must
be set.
@@ -19165,6 +20712,17 @@ spec:
to enable zone-aware routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage
+ of requests that will be
+ considered for zone aware
+ routing if zone aware routing
+ is configured. If not specified,
+ Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -19265,8 +20823,7 @@ spec:
items:
description: HTTPStatus defines
the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -19342,6 +20899,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is
the time until which entire
@@ -19363,6 +20928,15 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect
+ policy only works with RoundRobin or Random
+ load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'',
+ ''RoundRobin'']))'
host:
description: |-
Host define the extension service hostname.
@@ -19531,7 +21105,11 @@ spec:
enum:
- Gzip
- Brotli
+ - Zstd
type: string
+ zstd:
+ description: The configuration for Zstd compressor.
+ type: object
required:
- type
type: object
@@ -19803,6 +21381,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -19922,8 +21535,7 @@ spec:
items:
description: HTTPStatus defines
the http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -20112,7 +21724,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors
sets the number of consecutive gateway
errors triggering ejection.
@@ -20125,6 +21736,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time
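Review bot: Setting `failurePercentageThreshold` alone may have no visible effect: in Envoy's outlier detector, failure-percentage ejection is gated separately by an enforcing percentage (which defaults to 0) and by minimum-hosts and request-volume thresholds, none of which this schema exposes. Unless the translation layer enforces failure-percentage ejection whenever this field is set, users will configure it and see nothing happen; the description should say which of those the controller sets, e.g. `When set, failure-percentage ejection is enforced for every host that crosses the threshold.` if that is the behaviour. `minimum: 0` also admits a threshold at which every host with any traffic is a candidate for ejection; if that is not intended, `minimum: 1` is safer. The same field is added in the hunks ending at L3120, L3588, L3780 and L3985.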
@@ -20227,9 +21847,10 @@ spec:
- name
type: object
header:
- description: Header configures the header
- hash policy when the consistent hash
- type is set to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header
@@ -20238,6 +21859,24 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the
+ header hash policy for each header,
+ when the consistent hash type is set
+ to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent
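Review bot: The new `headers` list carries no `minItems`, `maxItems` or `x-kubernetes-list-type`, and its `name` item lacks the `maxLength: 256` and header-name `pattern` that the HTTPHeader schema elsewhere in this diff applies, so an empty `headers: []` most likely satisfies the `has(self.headers)` rule for type Headers, duplicates are accepted, and an unbounded number of arbitrary-length names can be hashed on. Suggest `minItems: 1`, a bound in line with the other header lists here (`maxItems: 16` as an example value), `x-kubernetes-list-type: map` with `x-kubernetes-list-map-keys: [name]`, and the same `maxLength`/`pattern` on `name` as the HTTPHeader type. The same schema is added in the hunks ending at L3157, L3625, L3817 and L4023.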
@@ -20252,10 +21891,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -20266,6 +21907,10 @@ spec:
the header field must be set.
rule: 'self.type == ''Header'' ? has(self.header)
: !has(self.header)'
+ - message: If consistent hash type is headers,
+ the headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
- message: If consistent hash type is cookie,
the cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
@@ -20361,6 +22006,17 @@ spec:
routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage
+ of requests that will be considered
+ for zone aware routing if zone
+ aware routing is configured. If
+ not specified, Envoy defaults
+ to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -20457,8 +22113,7 @@ spec:
items:
description: HTTPStatus defines the
http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -20532,6 +22187,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time
until which entire response is received
@@ -20551,6 +22214,13 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy
+ only works with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
host:
description: |-
Host define the service hostname.
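Review bot: The double-negated rule is hard to verify by eye; the same constraint reads directly as an implication: `rule: '!(has(self.connection) && has(self.connection.preconnect) && has(self.connection.preconnect.predictivePercent)) || (has(self.loadBalancer) && has(self.loadBalancer.type) && self.loadBalancer.type in [''Random'', ''RoundRobin''])'`. Note that as written the rule also rejects `predictivePercent` whenever `loadBalancer` is omitted, even if the controller's default load balancer would qualify; if that is intended the message should say "explicitly set to RoundRobin or Random". The same rule appears in the hunks ending at L3237, L3704 and L3896.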
@@ -20921,6 +22591,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
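Review bot: `predictivePercent` has `minimum: 100` but no `maximum`, while its sibling `perEndpointPercent` is capped at 300; to my knowledge Envoy bounds the corresponding predictive preconnect ratio to the same 1.0–3.0 range, so a value above 300 would be rejected at xDS time (and leave the policy non-functional) instead of at admission. Suggest adding `maximum: 300` next to the existing `minimum: 100` and stating the range in the description as is done for `perEndpointPercent`. The description also contains a typographic apostrophe in "they’re", which should be a plain `'` for consistency with the rest of the file. The same block is added in the hunks ending at L3554, L3746 and L3951, and in the hunk that begins before this excerpt.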
@@ -21039,8 +22744,7 @@ spec:
items:
description: HTTPStatus defines the
http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -21228,7 +22932,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors sets
the number of consecutive gateway errors
triggering ejection.
@@ -21241,6 +22944,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time between
@@ -21343,9 +23055,10 @@ spec:
- name
type: object
header:
- description: Header configures the header
- hash policy when the consistent hash type
- is set to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header to hash.
@@ -21353,6 +23066,22 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the header
+ hash policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent
@@ -21367,10 +23096,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -21381,6 +23112,10 @@ spec:
the header field must be set.
rule: 'self.type == ''Header'' ? has(self.header)
: !has(self.header)'
+ - message: If consistent hash type is headers,
+ the headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
- message: If consistent hash type is cookie,
the cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
@@ -21475,6 +23210,16 @@ spec:
to enable zone-aware routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage of
+ requests that will be considered for
+ zone aware routing if zone aware routing
+ is configured. If not specified, Envoy
+ defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -21570,8 +23315,7 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -21644,6 +23388,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time until
which entire response is received from the
@@ -21663,6 +23415,13 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only
+ works with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
host:
description: |-
Host define the provider service hostname.
@@ -21785,7 +23544,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: httproutefilters.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -21910,7 +23669,7 @@ spec:
return a fixed response.
properties:
body:
- description: Body of the Response
+ description: Body of the direct response.
properties:
inline:
description: Inline contains the value as an inline string.
@@ -21934,50 +23693,182 @@ spec:
specified as a local object reference.
Only a reference to ConfigMap is supported.
- The value of key `response.body` in the ConfigMap will be used as the response body.
- If the key is not found, the first value in the ConfigMap will be used.
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For example
- "HTTPRoute" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
+ The value of key `response.body` in the ConfigMap will be used as the response body.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: inline must be set for type Inline
+ rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline)
+ : true'
+ - message: valueRef must be set for type ValueRef
+ rule: '(has(self.type) && self.type == ''ValueRef'')? has(self.valueRef)
+ : true'
+ - message: only ConfigMap is supported for ValueRef
+ rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap''
+ : true'
+ contentType:
+ description: Content Type of the direct response. This will be
+ set in the Content-Type header.
+ type: string
+ header:
+ description: Header defines the headers of the direct response.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
- name
- type: object
- required:
- - type
+ x-kubernetes-list-type: map
type: object
x-kubernetes-validations:
- - message: inline must be set for type Inline
- rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline)
- : true'
- - message: valueRef must be set for type ValueRef
- rule: '(has(self.type) && self.type == ''ValueRef'')? has(self.valueRef)
- : true'
- - message: only ConfigMap is supported for ValueRef
- rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap''
- : true'
- contentType:
- description: Content Type of the response. This will be set in
- the Content-Type header.
- type: string
+ - message: header.remove is not supported for DirectResponse
+ rule: '!has(self.remove) || size(self.remove) == 0'
statusCode:
description: |-
Status Code of the HTTP response
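Review bot: The `add`, `set` and `remove` descriptions under `directResponse.header` still describe mutating "the request before the action", text copied from the request-side HTTPHeaderFilter, whereas here they apply to the headers of the synthesized response. `remove` is also exposed in the schema and then rejected by the new rule `header.remove is not supported for DirectResponse`; if the shared type cannot be trimmed, its description should say so rather than leaving users to discover it at admission. Proposed text for `header`: `Header defines headers added to or set on the direct response. remove is not supported here.`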
@@ -22079,7 +23970,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
+ controller-gen.kubebuilder.io/version: v0.18.0
name: securitypolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -22330,6 +24221,15 @@ spec:
or the proxy protocol.
You can use the `ClientIPDetection` or the `ProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected.
+
+ For TCPRoute targets (raw TCP connections), HTTP headers such as
+ X-Forwarded-For are not available. The client IP is obtained from the
+ TCP connection's peer address. If intermediaries (load balancers, NAT)
+ terminate or proxy TCP, the original client IP will only be available
+ if the intermediary preserves the source address (for example by
+ enabling the PROXY protocol or avoiding SNAT). Ensure your L4 proxy is
+ configured to preserve the source IP to enable correct client-IP
+ matching for TCPRoute targets.
items:
description: |-
CIDR defines a CIDR Address range.
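Review bot: The added guidance recommends enabling the PROXY protocol to recover the client IP for TCPRoute targets, but it should also say that the PROXY header is trusted as presented: any peer that can reach a listener with PROXY protocol enabled can assert an arbitrary source address, so CIDR-based authorization on a TCPRoute is only as trustworthy as the L4 hop in front of it. Suggest appending: `The PROXY protocol header is accepted as-is; only enable it on listeners that are reachable solely from a trusted intermediary.`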
@@ -22415,7 +24315,7 @@ spec:
If multiple values are specified, one of the values must match for the rule to match.
items:
type: string
- maxItems: 16
+ maxItems: 128
minItems: 1
type: array
required:
@@ -22882,6 +24782,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -22997,8 +24932,7 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -23177,7 +25111,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors sets the
number of consecutive gateway errors triggering
ejection.
@@ -23190,6 +25123,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time between
@@ -23292,9 +25234,10 @@ spec:
- name
type: object
header:
- description: Header configures the header hash
- policy when the consistent hash type is set
- to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header to hash.
@@ -23302,6 +25245,22 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent hashing,
@@ -23315,10 +25274,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -23329,6 +25290,10 @@ spec:
header field must be set.
rule: 'self.type == ''Header'' ? has(self.header)
: !has(self.header)'
+ - message: If consistent hash type is headers, the
+ headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
- message: If consistent hash type is cookie, the
cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
@@ -23422,6 +25387,15 @@ spec:
routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If
+ not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -23517,8 +25491,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -23591,6 +25564,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time until
which entire response is received from the upstream.
@@ -23609,6 +25590,13 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
type: object
x-kubernetes-validations:
- message: backendRef or backendRefs needs to be set
@@ -23891,6 +25879,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -24006,8 +26029,7 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -24186,7 +26208,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors sets the
number of consecutive gateway errors triggering
ejection.
@@ -24199,6 +26220,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time between
@@ -24301,9 +26331,10 @@ spec:
- name
type: object
header:
- description: Header configures the header hash
- policy when the consistent hash type is set
- to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header to hash.
@@ -24311,6 +26342,22 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent hashing,
@@ -24324,10 +26371,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -24338,6 +26387,10 @@ spec:
header field must be set.
rule: 'self.type == ''Header'' ? has(self.header)
: !has(self.header)'
+ - message: If consistent hash type is headers, the
+ headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
- message: If consistent hash type is cookie, the
cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
@@ -24431,6 +26484,15 @@ spec:
routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If
+ not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -24526,8 +26588,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -24600,6 +26661,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time until
which entire response is received from the upstream.
@@ -24618,6 +26687,13 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
headersToBackend:
description: |-
HeadersToBackend are the authorization response headers that will be added
@@ -24660,6 +26736,12 @@ spec:
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied.
type: boolean
+ timeout:
+ description: |-
+ Timeout defines the timeout for requests to the external authorization service.
+ If not specified, defaults to 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
type: object
x-kubernetes-validations:
- message: one of grpc or http must be specified
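Review bot: The new `timeout` description gives the default but not the outcome when it expires, which is the security-relevant part: an external authorization check that times out is handled as a failure, so whether the request is then denied or allowed depends on the policy's fail-open setting (which appears to live elsewhere in this object). Suggest extending the description with `A check that exceeds this timeout is treated as a failure; whether the request is then allowed is governed by failOpen.` The pattern also admits `0s`; the description should say whether that disables the timeout or is rejected.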
@@ -25092,6 +27174,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -25210,8 +27327,7 @@ spec:
items:
description: HTTPStatus defines the
http status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -25400,7 +27516,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors sets
the number of consecutive gateway errors
triggering ejection.
@@ -25413,6 +27528,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time between
@@ -25515,9 +27639,10 @@ spec:
- name
type: object
header:
- description: Header configures the header
- hash policy when the consistent hash type
- is set to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header to hash.
@@ -25525,6 +27650,23 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the header
+ hash policy for each header, when the
+ consistent hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to
+ hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent
@@ -25539,10 +27681,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -25553,6 +27697,10 @@ spec:
the header field must be set.
rule: 'self.type == ''Header'' ? has(self.header)
: !has(self.header)'
+ - message: If consistent hash type is headers,
+ the headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
- message: If consistent hash type is cookie,
the cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
@@ -25647,6 +27795,16 @@ spec:
to enable zone-aware routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage of
+ requests that will be considered for
+ zone aware routing if zone aware routing
+ is configured. If not specified, Envoy
+ defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -25743,8 +27901,7 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -25817,6 +27974,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time
until which entire response is received
@@ -25836,6 +28001,20 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only
+ works with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ cacheDuration:
+ default: 300s
+ description: |-
+ Duration is a string value representing a duration in time. The format is as specified
+ in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
uri:
description: |-
URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.
@@ -25984,7 +28163,6 @@ spec:
By default, its unset.
properties:
sameSite:
- default: Strict
enum:
- Lax
- Strict
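Review bot: Dropping `default: Strict` means a cookie config (presumably the OIDC cookie settings, given the surrounding fields) that leaves `sameSite` unset no longer receives a SameSite attribute from the schema; whether Envoy Gateway substitutes one at runtime is not visible here. These cookies carry the OAuth2 CSRF/state and token material described elsewhere in this diff, so consumers upgrading from 1.5.0 should set `sameSite: Strict` (or `Lax` where the provider redirect requires it) explicitly rather than relying on the old schema default. The KCL schema mirroring this field is not in this chunk; if it still carries a `= "Strict"` default it would need to be dropped in step.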
@@ -26018,6 +28196,16 @@ spec:
If not specified, defaults to "IdToken-(randomly generated uid)"
type: string
type: object
+ csrfTokenTTL:
+ description: |-
+ CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+
+ This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+ in the "state" parameter when the provider redirects back to the callback endpoint.
+
+ If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
defaultRefreshTokenTTL:
description: |-
DefaultRefreshTokenTTL is the default lifetime of the refresh token.
@@ -26082,6 +28270,12 @@ spec:
required:
- headers
type: object
+ disableTokenEncryption:
+ description: |-
+ Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.
+ This option should only be used in secure environments where token encryption is not required.
+ Default is false (tokens are encrypted).
+ type: boolean
forwardAccessToken:
description: |-
ForwardAccessToken indicates whether the Envoy should forward the access token
@@ -26359,6 +28553,41 @@ spec:
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
socketBufferLimit:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -26474,8 +28703,7 @@ spec:
items:
description: HTTPStatus defines the http
status code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -26654,7 +28882,6 @@ spec:
format: int32
type: integer
consecutiveGatewayErrors:
- default: 0
description: ConsecutiveGatewayErrors sets the
number of consecutive gateway errors triggering
ejection.
@@ -26667,6 +28894,15 @@ spec:
Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
interval:
default: 3s
description: Interval defines the time between
@@ -26769,9 +29005,10 @@ spec:
- name
type: object
header:
- description: Header configures the header hash
- policy when the consistent hash type is set
- to Header.
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
properties:
name:
description: Name of the header to hash.
@@ -26779,6 +29016,22 @@ spec:
required:
- name
type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
tableSize:
default: 65537
description: The table size for consistent hashing,
@@ -26792,10 +29045,12 @@ spec:
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
enum:
- SourceIP
- Header
+ - Headers
- Cookie
type: string
required:
@@ -26806,6 +29061,10 @@ spec:
header field must be set.
rule: 'self.type == ''Header'' ? has(self.header)
: !has(self.header)'
+ - message: If consistent hash type is headers, the
+ headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
- message: If consistent hash type is cookie, the
cookie field must be set.
rule: 'self.type == ''Cookie'' ? has(self.cookie)
@@ -26899,6 +29158,15 @@ spec:
routing.
format: int64
type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If
+ not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
type: object
type: object
required:
@@ -26994,8 +29262,7 @@ spec:
items:
description: HTTPStatus defines the http status
code.
- exclusiveMaximum: true
- maximum: 600
+ maximum: 599
minimum: 100
type: integer
type: array
@@ -27068,6 +29335,14 @@ spec:
Default: unlimited.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestTimeout:
description: RequestTimeout is the time until
which entire response is received from the upstream.
@@ -27086,6 +29361,13 @@ spec:
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
endSessionEndpoint:
description: |-
The OIDC Provider's [end session endpoint](https://openid.net/specs/openid-connect-core-1_0.html#RPLogout).
@@ -27125,13 +29407,14 @@ spec:
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
type: string
refreshToken:
+ default: true
description: |-
RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.
- If not specified, defaults to false.
+ If not specified, defaults to true.
type: boolean
resources:
description: |-
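Review bot: The default for `refreshToken` flips from false to true, and because the CRD now carries `default: true`, existing SecurityPolicy objects that omit the field will start using the refresh token after the CRD upgrade instead of keeping their previous behaviour. That is a silent change in token handling for consumers of this module and deserves a line in the module's release notes. The KCL OIDC schema should also carry `refreshToken?: bool = True` to match, but that file is not in this chunk.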
@@ -27332,15 +29615,15 @@ spec:
- message: this policy can only have a targetRef.group of gateway.networking.k8s.io
rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
: true'
- - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute
+ - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute
rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
- ''GRPCRoute''] : true'
+ ''GRPCRoute'', ''TCPRoute''] : true'
- message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
''gateway.networking.k8s.io'') : true '
- - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute
+ - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute
rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
- ''HTTPRoute'', ''GRPCRoute'']) : true '
+ ''HTTPRoute'', ''GRPCRoute'', ''TCPRoute'']) : true '
- message: if authorization.rules.principal.jwt is used, jwt must be defined
rule: '(has(self.authorization) && has(self.authorization.rules) &&
self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt)
@@ -27550,8 +29833,38 @@ spec:
- name
type: object
conditions:
- description: Conditions describes the status of the Policy with
- respect to the given Ancestor.
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
items:
description: Condition contains details for one aspect of
the current state of this API Resource.
@@ -27634,10 +29947,12 @@ spec:
type: string
required:
- ancestorRef
+ - conditions
- controllerName
type: object
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
required:
- ancestors
type: object
diff --git a/envoy-gateway/kcl.mod b/envoy-gateway/kcl.mod
index e95a95c5..c64f508b 100644
--- a/envoy-gateway/kcl.mod
+++ b/envoy-gateway/kcl.mod
@@ -1,7 +1,7 @@
[package]
name = "envoy-gateway"
edition = "v0.11.2"
-version = "1.5.0"
+version = "1.6.2"
[dependencies]
k8s = "1.32.4"
diff --git a/envoy-gateway/update.sh b/envoy-gateway/update.sh
index 8fd6c083..97eeb5f3 100755
--- a/envoy-gateway/update.sh
+++ b/envoy-gateway/update.sh
@@ -4,7 +4,7 @@ set -o errexit
set -o nounset
set -eoux pipefail
-VERSION="v1.5.0"
+VERSION="v1.6.2"
rm -rf v* standard crds
curl -L -o envoy-gateway-crds.yaml "https://github.com/envoyproxy/gateway/releases/download/${VERSION}/envoy-gateway-crds.yaml"
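Review bot: The bump re-downloads the release asset by tag with no integrity check, so the vendored CRD (and the KCL generated from it) is only as trustworthy as whatever the tag points at when the script runs. Pinning the expected digest next to VERSION, e.g. `CRDS_SHA256="<sha256 of the v1.6.2 asset>"` and, after the curl, `echo "${CRDS_SHA256}  envoy-gateway-crds.yaml" | sha256sum -c -`, makes the update reproducible and detects a replaced asset. Adding `--fail` to the curl call would also stop an HTTP error page from being written into the file, since `set -e` does not catch that case without it. The rest of update.sh is outside this hunk.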
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend.k
index 80a34f9a..89e47494 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend.k
@@ -191,6 +191,21 @@ schema GatewayEnvoyproxyIoV1alpha1BackendSpecTLS:
Attributes
----------
+ alpnProtocols : [str], default is Undefined, optional
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener or used by the proxy to connect to the backend.
+ Defaults:
+ 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+ 2. Other Routes: ALPN is disabled.
+ 3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+ When an empty list is provided, the ALPN TLS extension is disabled.
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
caCertificateRefs : [GatewayEnvoyproxyIoV1alpha1BackendSpecTLSCaCertificateRefsItems0], default is Undefined, optional
CACertificateRefs contains one or more references to Kubernetes objects that
contain TLS certificates of the Certificate Authorities that can be used
@@ -202,9 +217,49 @@ schema GatewayEnvoyproxyIoV1alpha1BackendSpecTLS:
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
not both.
+ ciphers : [str], default is Undefined, optional
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ clientCertificateRef : GatewayEnvoyproxyIoV1alpha1BackendSpecTLSClientCertificateRef, default is Undefined, optional
+ client certificate ref
+ ecdhCurves : [str], default is Undefined, optional
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
insecureSkipVerify : bool, default is Undefined, optional
InsecureSkipVerify indicates whether the upstream's certificate verification
should be skipped. Defaults to "false".
+ maxVersion : str, default is Undefined, optional
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
+ minVersion : str, default is Undefined, optional
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
+ signatureAlgorithms : [str], default is Undefined, optional
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
+ sni : str, default is Undefined, optional
+ SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
+
+ Envoy Gateway will use the HTTP host header value for SNI, when all resources referenced in BackendRefs are:
+ 1. Backend resources that do not set SNI, or
+ 2. Service/ServiceImport resources that do not have a BackendTLSPolicy attached to them
+
+ When a BackendTLSPolicy attaches to a Backend resource, the BackendTLSPolicy's Hostname value takes precedence
+ over this value.
wellKnownCACertificates : str, default is Undefined, optional
WellKnownCACertificates specifies whether system CA certificates may be used in
the TLS handshake between the gateway and backend pod.
@@ -215,15 +270,34 @@ schema GatewayEnvoyproxyIoV1alpha1BackendSpecTLS:
"""
+ alpnProtocols?: [str]
+
caCertificateRefs?: [GatewayEnvoyproxyIoV1alpha1BackendSpecTLSCaCertificateRefsItems0]
+ ciphers?: [str]
+
+ clientCertificateRef?: GatewayEnvoyproxyIoV1alpha1BackendSpecTLSClientCertificateRef
+
+ ecdhCurves?: [str]
+
insecureSkipVerify?: bool = False
+ maxVersion?: "Auto" | "1.0" | "1.1" | "1.2" | "1.3"
+
+ minVersion?: "Auto" | "1.0" | "1.1" | "1.2" | "1.3"
+
+ signatureAlgorithms?: [str]
+
+ sni?: str
+
wellKnownCACertificates?: "System"
check:
len(caCertificateRefs) <= 8 if caCertificateRefs
+ len(sni) <= 253 if sni
+ len(sni) >= 1 if sni
+ _regex_match(str(sni), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if sni
schema GatewayEnvoyproxyIoV1alpha1BackendSpecTLSCaCertificateRefsItems0:
@@ -266,6 +340,57 @@ schema GatewayEnvoyproxyIoV1alpha1BackendSpecTLSCaCertificateRefsItems0:
len(name) >= 1
+schema GatewayEnvoyproxyIoV1alpha1BackendSpecTLSClientCertificateRef:
+ r"""
+ ClientCertificateRef defines the reference to a Kubernetes Secret that contains
+ the client certificate and private key for Envoy to use when connecting to
+ backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+ This secret should be located within the same namespace as the Envoy proxy resource that references it.
+
+ Attributes
+ ----------
+ group : str, default is Undefined, optional
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ kind : str, default is "Secret", optional
+ Kind is kind of the referent. For example "Secret".
+ name : str, default is Undefined, required
+ Name is the name of the referent.
+ namespace : str, default is Undefined, optional
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ """
+
+
+ group?: str = ""
+
+ kind?: str = "Secret"
+
+ name: str
+
+ namespace?: str
+
+
+ check:
+ len(group) <= 253 if group
+ _regex_match(str(group), r"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if group
+ len(kind) <= 63 if kind
+ len(kind) >= 1 if kind
+ _regex_match(str(kind), r"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$") if kind
+ len(name) <= 253
+ len(name) >= 1
+ len(namespace) <= 63 if namespace
+ len(namespace) >= 1 if namespace
+ _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
+
+
schema GatewayEnvoyproxyIoV1alpha1BackendStatus:
r"""
Status defines the current status of Backend.
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend_traffic_policy.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend_traffic_policy.k
index d2a4b763..5f0e3f7b 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend_traffic_policy.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_backend_traffic_policy.k
@@ -48,6 +48,10 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpec:
circuit breaker
compression : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecCompressionItems0], default is Undefined, optional
The compression config for the http streams.
+ Deprecated: Use Compressor instead.
+ compressor : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecCompressorItems0], default is Undefined, optional
+ The compressor config for the http streams.
+ This provides more granular control over compression configuration.
connection : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnection, default is Undefined, optional
connection
dns : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecDNS, default is Undefined, optional
@@ -104,6 +108,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpec:
compression?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecCompressionItems0]
+ compressor?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecCompressorItems0]
+
connection?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnection
dns?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecDNS
@@ -226,6 +232,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecCompressionItems0:
The configuration for GZIP compressor.
$type : str, default is Undefined, required
CompressorType defines the compressor type to use for compression.
+ zstd : any, default is Undefined, optional
+ The configuration for Zstd compressor.
"""
@@ -233,7 +241,36 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecCompressionItems0:
gzip?: any
- $type: "Gzip" | "Brotli"
+ $type: "Gzip" | "Brotli" | "Zstd"
+
+ zstd?: any
+
+
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecCompressorItems0:
+ r"""
+ Compression defines the config of enabling compression.
+ This can help reduce the bandwidth at the expense of higher CPU.
+
+ Attributes
+ ----------
+ brotli : any, default is Undefined, optional
+ The configuration for Brotli compressor.
+ gzip : any, default is Undefined, optional
+ The configuration for GZIP compressor.
+ $type : str, default is Undefined, required
+ CompressorType defines the compressor type to use for compression.
+ zstd : any, default is Undefined, optional
+ The configuration for Zstd compressor.
+ """
+
+
+ brotli?: any
+
+ gzip?: any
+
+ $type: "Gzip" | "Brotli" | "Zstd"
+
+ zstd?: any
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnection:
@@ -248,6 +285,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnection:
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -259,6 +298,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnection:
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -269,6 +310,47 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnection:
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecDNS:
r"""
DNS includes dns resolution settings.
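Review bot: The CRD's CEL rule added in this same diff, that `predictivePercent` is only valid with a `Random` or `RoundRobin` load balancer, has no counterpart here, so a policy that passes KCL validation can still be rejected by the apiserver. The rule is cross-field on the parent spec, so it belongs in the check block of `GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpec`, which is outside this hunk; something like `loadBalancer and loadBalancer.type in ["Random", "RoundRobin"] if connection and connection.preconnect and connection.preconnect.predictivePercent not in [None, Undefined]` would mirror it, assuming the import tooling lets that block be kept. Separately, `predictivePercent` has only a lower bound while `perEndpointPercent` is capped at 300; that mirrors the CRD, but since every percent above 100 is an additional upstream connection per active stream, the docstring should say that an unbounded value multiplies backend connection load rather than only "Minimum allowed value is 100".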
@@ -538,7 +620,7 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecHealthCheckActiveHTTP:
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -647,6 +729,10 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecHealthCheckPassive:
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -660,10 +746,12 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecHealthCheckPassive:
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
@@ -673,6 +761,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecHealthCheckPassive:
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -764,12 +854,15 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistent
cookie
header : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -778,9 +871,11 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistent
header?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -823,6 +918,23 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistent
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -919,6 +1031,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerZoneAwareP
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -926,6 +1040,13 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerZoneAwareP
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -971,9 +1092,11 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimit:
global
local : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocal, default is Undefined, optional
local
- $type : str, default is Undefined, required
+ $type : str, default is Undefined, optional
Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local".
+
+ Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting.
"""
@@ -981,7 +1104,7 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimit:
local?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocal
- $type: "Global" | "Local"
+ $type?: "Global" | "Local"
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobal:
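Review bot: Making the discriminator optional at `$type?: "Global" | "Local"` leaves every field of this schema optional, so an empty rateLimit object now passes schema validation and would configure no limiting at all. Unless a check outside this hunk already requires one of the two sub-policies, add `check:` with `global or local, "at least one of global or local must be set"` so a policy that is meant to rate-limit cannot silently become a no-op. The enclosing schema starts before the hunk.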
@@ -1006,7 +1129,7 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobal:
check:
- len(rules) <= 64
+ len(rules) <= 128
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0:
@@ -1058,13 +1181,18 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesIt
RateLimitSelectCondition specifies the attributes within the traffic flow that can
be used to select a subset of clients to be ratelimited.
All the individual conditions must hold True for the overall condition to hold True.
+ And, at least one of headers or methods or path or sourceCIDR condition must be specified.
Attributes
----------
headers : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0HeadersItems0], default is Undefined, optional
Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
- At least one of headers or sourceCIDR condition must be specified.
+ methods : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0MethodsItems0], default is Undefined, optional
+ Methods is a list of request methods to match. Multiple method values are ORed together,
+ meaning, a request can match any one of the specified methods. If not specified, it matches all methods.
+ path : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0Path, default is Undefined, optional
+ path
sourceCIDR : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0SourceCIDR, default is Undefined, optional
source c ID r
"""
@@ -1072,6 +1200,10 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesIt
headers?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0HeadersItems0]
+ methods?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0MethodsItems0]
+
+ path?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0Path
+
sourceCIDR?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0SourceCIDR
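Review bot: The docstring for this schema (updated in the preceding hunk) states that at least one of headers, methods, path or sourceCIDR must be specified, but `methods?` and `path?` are added as plain optional fields and no `check:` enforcing that invariant is visible in the hunk. If it is not enforced elsewhere, add `check:` with `headers or methods or path or sourceCIDR, "at least one of headers, methods, path or sourceCIDR must be set"`; an empty selector would otherwise match every client. The Local variant of this ClientSelectors schema later in the diff has the same gap. The enclosing schema starts before the hunk.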
@@ -1117,10 +1249,54 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesIt
len(value) <= 1024 if value
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0MethodsItems0:
+ r"""
+ MethodMatch defines the matching criteria for the HTTP method of a request.
+
+ Attributes
+ ----------
+ invert : bool, default is Undefined, optional
+ Invert specifies whether the value match result will be inverted.
+ value : str, default is Undefined, required
+ Value specifies the HTTP method.
+ """
+
+
+ invert?: bool = False
+
+ value: "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE" | "PATCH"
+
+
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0Path:
+ r"""
+ Path is the request path to match.
+ Support Exact, PathPrefix and RegularExpression match types.
+
+ Attributes
+ ----------
+ invert : bool, default is Undefined, optional
+ Invert specifies whether the value match result will be inverted.
+ $type : str, default is "PathPrefix", optional
+ Type specifies how to match against the value of the path.
+ value : str, default is "/", required
+ Value specifies the HTTP path.
+ """
+
+
+ invert?: bool = False
+
+ $type?: "Exact" | "PathPrefix" | "RegularExpression" = "PathPrefix"
+
+ value: str = "/"
+
+
+ check:
+ len(value) <= 1024
+
+
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitGlobalRulesItems0ClientSelectorsItems0SourceCIDR:
r"""
SourceCIDR is the client IP Address range to match on.
- At least one of headers or sourceCIDR condition must be specified.
Attributes
----------
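Review bot: In the new Path schema, `value: str = "/"` is only bounded from above by `len(value) <= 1024`, so an explicitly empty string is accepted; an empty `PathPrefix` would presumably match every request path and silently widen the rate-limit selector. Add `len(value) >= 1` next to the existing check, mirroring the `len(value) >= 1` lower bound applied to header values elsewhere in this diff. The Local variant of the Path schema further down the diff needs the same line.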
@@ -1356,13 +1532,18 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesIte
RateLimitSelectCondition specifies the attributes within the traffic flow that can
be used to select a subset of clients to be ratelimited.
All the individual conditions must hold True for the overall condition to hold True.
+ And, at least one of headers or methods or path or sourceCIDR condition must be specified.
Attributes
----------
headers : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0HeadersItems0], default is Undefined, optional
Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
- At least one of headers or sourceCIDR condition must be specified.
+ methods : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0MethodsItems0], default is Undefined, optional
+ Methods is a list of request methods to match. Multiple method values are ORed together,
+ meaning, a request can match any one of the specified methods. If not specified, it matches all methods.
+ path : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0Path, default is Undefined, optional
+ path
sourceCIDR : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0SourceCIDR, default is Undefined, optional
source c ID r
"""
@@ -1370,6 +1551,10 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesIte
headers?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0HeadersItems0]
+ methods?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0MethodsItems0]
+
+ path?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0Path
+
sourceCIDR?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0SourceCIDR
@@ -1415,10 +1600,54 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesIte
len(value) <= 1024 if value
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0MethodsItems0:
+ r"""
+ MethodMatch defines the matching criteria for the HTTP method of a request.
+
+ Attributes
+ ----------
+ invert : bool, default is Undefined, optional
+ Invert specifies whether the value match result will be inverted.
+ value : str, default is Undefined, required
+ Value specifies the HTTP method.
+ """
+
+
+ invert?: bool = False
+
+ value: "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE" | "PATCH"
+
+
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0Path:
+ r"""
+ Path is the request path to match.
+ Support Exact, PathPrefix and RegularExpression match types.
+
+ Attributes
+ ----------
+ invert : bool, default is Undefined, optional
+ Invert specifies whether the value match result will be inverted.
+ $type : str, default is "PathPrefix", optional
+ Type specifies how to match against the value of the path.
+ value : str, default is "/", required
+ Value specifies the HTTP path.
+ """
+
+
+ invert?: bool = False
+
+ $type?: "Exact" | "PathPrefix" | "RegularExpression" = "PathPrefix"
+
+ value: str = "/"
+
+
+ check:
+ len(value) <= 1024
+
+
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRateLimitLocalRulesItems0ClientSelectorsItems0SourceCIDR:
r"""
SourceCIDR is the client IP Address range to match on.
- At least one of headers or sourceCIDR condition must be specified.
Attributes
----------
@@ -1740,8 +1969,6 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
_regex_match(str(hostname), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if hostname
- port <= 65535 if port not in [None, Undefined]
- port >= 1 if port not in [None, Undefined]
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0RedirectPath:
@@ -1808,6 +2035,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0
body
contentType : str, default is Undefined, optional
Content Type of the response. This will be set in the Content-Type header.
+ header : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeader, default is Undefined, optional
+ header
statusCode : int, default is Undefined, optional
Status Code of the Custom Response
If unset, does not override the status of response.
@@ -1818,6 +2047,8 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0
contentType?: str
+ header?: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeader
+
statusCode?: int
@@ -1883,6 +2114,148 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0
len(name) >= 1
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeader:
+ r"""
+ Header defines headers to add, set or remove from the response.
+ This allows the response policy to append, add or override headers
+ of the final response before it is sent to a downstream client.
+ Note: Header removal is not supported for responseOverride.
+
+ Attributes
+ ----------
+ add : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeaderAddItems0], default is Undefined, optional
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ remove : [str], default is Undefined, optional
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ set : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeaderSetItems0], default is Undefined, optional
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ """
+
+
+ add?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeaderAddItems0]
+
+ remove?: [str]
+
+ set?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeaderSetItems0]
+
+
+ check:
+ len(add) <= 16 if add
+ len(remove) <= 16 if remove
+ len(set) <= 16 if set
+
+
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeaderAddItems0:
+ r"""
+ HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ value : str, default is Undefined, required
+ Value is the value of HTTP Header to be matched.
+ """
+
+
+ name: str
+
+ value: str
+
+
+ check:
+ len(name) <= 256
+ len(name) >= 1
+ _regex_match(str(name), r"^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$")
+ len(value) <= 4096
+ len(value) >= 1
+
+
+schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecResponseOverrideItems0ResponseHeaderSetItems0:
+ r"""
+ HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ value : str, default is Undefined, required
+ Value is the value of HTTP Header to be matched.
+ """
+
+
+ name: str
+
+ value: str
+
+
+ check:
+ len(name) <= 256
+ len(name) >= 1
+ _regex_match(str(name), r"^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$")
+ len(value) <= 4096
+ len(value) >= 1
+
+
schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRetry:
r"""
Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
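Review bot: The new ResponseHeader schema documents `Note: Header removal is not supported for responseOverride.` yet still declares `remove?: [str]` and bounds it with `len(remove) <= 16 if remove`, so a user can set removal entries that the schema accepts but which, per the docstring, will not take effect. Either drop the field or reject it explicitly with `remove in [None, Undefined], "header removal is not supported for responseOverride"` so the mismatch surfaces at validation time rather than as a silently ignored policy. The `add` and `set` descriptions also speak of "the request" although this schema configures response headers; `Add adds the given header(s) (name, value) to the response` would read correctly. The LateResponseHeaders schema in the client traffic policy file carries the same request/response wording.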
@@ -1986,7 +2359,7 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecRetryRetryOn:
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -2364,6 +2737,11 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecTimeoutHTTP:
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -2373,12 +2751,15 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicySpecTimeoutHTTP:
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -2484,8 +2865,38 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0:
----------
ancestorRef : GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0AncestorRef, default is Undefined, required
ancestor ref
- conditions : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, optional
+ conditions : [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, required
Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
controllerName : str, default is Undefined, required
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
@@ -2505,14 +2916,14 @@ schema GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0:
ancestorRef: GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0AncestorRef
- conditions?: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0ConditionsItems0]
+ conditions: [GatewayEnvoyproxyIoV1alpha1BackendTrafficPolicyStatusAncestorsItems0ConditionsItems0]
controllerName: str
check:
- len(conditions) >= 1 if conditions
- len(conditions) <= 8 if conditions
+ len(conditions) >= 1
+ len(conditions) <= 8
len(controllerName) <= 253
len(controllerName) >= 1
_regex_match(str(controllerName), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$")
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_client_traffic_policy.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_client_traffic_policy.k
index 2ac4daff..680d6bf4 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_client_traffic_policy.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_client_traffic_policy.k
@@ -172,9 +172,18 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecClientIPDetectionXForwa
Attributes
----------
numTrustedHops : int, default is Undefined, optional
- NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
- headers to trust when determining the origin client's IP address.
- Only one of NumTrustedHops and TrustedCIDRs must be set.
+ NumTrustedHops specifies how many trusted hops to count from the rightmost side of
+ the X-Forwarded-For (XFF) header when determining the original client’s IP address.
+
+ If NumTrustedHops is set to N, the client IP is taken from the Nth address from the
+ right end of the XFF header.
+
+ Example:
+ XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
+ NumTrustedHops = 2
+ → Trusted client address = 203.0.113.10
+
+ Only one of NumTrustedHops or TrustedCIDRs should be configured.
trustedCIDRs : [str], default is Undefined, optional
TrustedCIDRs is a list of CIDR ranges to trust when evaluating
the remote IP address to determine the original client’s IP address.
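Review bot: The rewritten text softens the exclusivity rule to `Only one of NumTrustedHops or TrustedCIDRs should be configured.` without saying what happens when both are set, and nothing in the hunk enforces it; since this setting decides which address is treated as the client IP, an ambiguous configuration is worth rejecting rather than documenting loosely. If the schema's check block (outside this hunk) does not already cover it, add `not (numTrustedHops not in [None, Undefined] and trustedCIDRs), "only one of numTrustedHops or trustedCIDRs may be set"`. Otherwise the docstring should state which of the two takes precedence. The enclosing schema starts before the hunk.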
@@ -249,6 +258,16 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecConnectionConnectionLim
CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none.
+ maxConnectionDuration : str, default is Undefined, optional
+ MaxConnectionDuration is the maximum amount of time a connection can remain established
+ (usually via TCP/HTTP Keepalive packets) before being drained and/or closed.
+ If not specified, there is no limit.
+ maxRequestsPerConnection : int, default is Undefined, optional
+ MaxRequestsPerConnection defines the maximum number of requests allowed over a single connection.
+ If not specified, there is no limit. Setting this parameter to 1 will effectively disable keep alive.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum amount of time to keep alive an http stream. When the limit is reached
+ the stream will be reset independent of any other timeouts. If not specified, no value is set.
value : int, default is Undefined, required
Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration.
@@ -257,11 +276,19 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecConnectionConnectionLim
closeDelay?: str
+ maxConnectionDuration?: str
+
+ maxRequestsPerConnection?: int
+
+ maxStreamDuration?: str
+
value: int
check:
_regex_match(str(closeDelay), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if closeDelay
+ _regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
value >= 1
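Review bot: `maxRequestsPerConnection?: int` is added with no lower bound, while the sibling `value` field is guarded by `value >= 1`; zero or negative values pass schema validation even though the docstring only defines behaviour from 1 upwards. Unless 0 is meant as "no limit" (in which case the docstring should say so), add `maxRequestsPerConnection >= 1 if maxRequestsPerConnection not in [None, Undefined]` to the check block alongside the two new duration regexes. The enclosing schema starts before the hunk.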
@@ -279,14 +306,17 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeaders:
enableEnvoyHeaders : bool, default is Undefined, optional
EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses.
+ lateResponseHeaders : GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeaders, default is Undefined, optional
+ late response headers
preserveXRequestID : bool, default is Undefined, optional
PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
Defaults to false and cannot be combined with RequestID.
- Deprecated: use RequestID=Preserve instead
+ Deprecated: use RequestID=PreserveOrGenerate instead
requestID : str, default is Undefined, optional
RequestID configures Envoy's behavior for handling the `X-Request-ID` header.
- Defaults to `Generate` and builds the `X-Request-ID` for every request and ignores pre-existing values from the edge.
+ When omitted default behavior is `Generate` which builds the `X-Request-ID` for every request
+ and ignores pre-existing values from the edge.
(An "edge request" refers to a request from an external client to the Envoy entrypoint.)
withUnderscoresAction : str, default is Undefined, optional
WithUnderscoresAction configures the action to take when an HTTP header with underscores
@@ -302,6 +332,8 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeaders:
enableEnvoyHeaders?: bool
+ lateResponseHeaders?: GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeaders
+
preserveXRequestID?: bool
requestID?: "PreserveOrGenerate" | "Preserve" | "Generate" | "Disable"
@@ -451,6 +483,145 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersEarlyRequestHead
len(value) >= 1
+schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeaders:
+ r"""
+ LateResponseHeaders defines settings for global response header modification.
+
+ Attributes
+ ----------
+ add : [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeadersAddItems0], default is Undefined, optional
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ remove : [str], default is Undefined, optional
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ set : [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeadersSetItems0], default is Undefined, optional
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ """
+
+
+ add?: [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeadersAddItems0]
+
+ remove?: [str]
+
+ set?: [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeadersSetItems0]
+
+
+ check:
+ len(add) <= 64 if add
+ len(remove) <= 64 if remove
+ len(set) <= 64 if set
+
+
+schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeadersAddItems0:
+ r"""
+ HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ value : str, default is Undefined, required
+ Value is the value of HTTP Header to be matched.
+ """
+
+
+ name: str
+
+ value: str
+
+
+ check:
+ len(name) <= 256
+ len(name) >= 1
+ _regex_match(str(name), r"^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$")
+ len(value) <= 4096
+ len(value) >= 1
+
+
+schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersLateResponseHeadersSetItems0:
+ r"""
+ HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ value : str, default is Undefined, required
+ Value is the value of HTTP Header to be matched.
+ """
+
+
+ name: str
+
+ value: str
+
+
+ check:
+ len(name) <= 256
+ len(name) >= 1
+ _regex_match(str(name), r"^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$")
+ len(value) <= 4096
+ len(value) >= 1
+
+
schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHeadersXForwardedClientCert:
r"""
XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.
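Review bot: In the new LateResponseHeaders schema, `remove?: [str]` carries only `len(remove) <= 64 if remove`, whereas header names in the `add` and `set` item schemas are constrained by length and the token regex; a removal entry containing spaces or control characters therefore passes schema validation and is only caught, if at all, downstream. Consider `all n in remove { _regex_match(str(n), r"^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$") } if remove` next to the existing length check, using the same `all ... in ...` form the file already uses for httpStatusCodes. The `add`, `set` and `remove` descriptions also describe operations on "the request" although this is a response-header setting. The ResponseHeader schema added earlier in the diff has the same unvalidated `remove` list.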
@@ -513,6 +684,12 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHttp1:
Attributes
----------
+ disableSafeMaxConnectionDuration : bool, default is Undefined, optional
+ DisableSafeMaxConnectionDuration controls the close behavior for HTTP/1 connections.
+ By default, connection closure is delayed until the next request arrives after maxConnectionDuration is exceeded.
+ It then adds a Connection: close header and gracefully closes the connection after the response completes.
+ When set to true (disabled), Envoy uses its default drain behavior, closing the connection shortly after maxConnectionDuration elapses.
+ Has no effect unless maxConnectionDuration is set.
enableTrailers : bool, default is Undefined, optional
EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy.
http10 : GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHttp1Http10, default is Undefined, optional
@@ -523,6 +700,8 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHttp1:
"""
+ disableSafeMaxConnectionDuration?: bool
+
enableTrailers?: bool
http10?: GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHttp1Http10
@@ -537,11 +716,18 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecHttp1Http10:
Attributes
----------
useDefaultHost : bool, default is Undefined, optional
- UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
- then the hostname associated with the listener should be injected into the
- request.
- If this is not set and an HTTP/1.0 request arrives without a host, then
- it will be rejected.
+ UseDefaultHost specifies whether a default Host header should be injected
+ into HTTP/1.0 requests that do not include one.
+
+ When set to true, Envoy Gateway injects the hostname associated with the
+ listener or route into the request, in the following order:
+
+ 1. If the targeted listener has a non-wildcard hostname, use that hostname.
+ 2. If there is exactly one HTTPRoute with a non-wildcard hostname under
+ the targeted listener, use that hostname.
+
+ Note: Setting this field to true without a non-wildcard hostname makes the
+ ClientTrafficPolicy invalid.
"""
@@ -682,7 +868,10 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLS:
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
- Supported values are:
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
- http/1.0
- http/1.1
- h2
@@ -762,6 +951,8 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidation:
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will
verify that the SHA-256 of the DER-encoded presented certificate matches
one of the specified values.
+ crl : GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationCrl, default is Undefined, optional
+ crl
optional : bool, default is Undefined, optional
Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate.
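Review bot: The new `crl` attribute's description is only the placeholder `crl` (L5541), while every sibling attribute in this docstring carries a sentence, so an operator reading the model learns nothing about what the referenced list does. Suggest `Crl configures the certificate revocation list(s) used when validating the client certificate presented on this listener.` The same placeholder pattern appears for `preconnect` in the envoy_extension_policy hunk and `fileKeyRef` in the envoy_proxy hunk. If this file is generated from the CRD (the `Items0` naming suggests it), the wording belongs in the CRD field's description rather than being hand-edited here.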
@@ -778,6 +969,8 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidation:
certificateHashes?: [str]
+ crl?: GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationCrl
+
optional?: bool
spkiHashes?: [str]
@@ -845,6 +1038,92 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationCaCe
_regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
+schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationCrl:
+ r"""
+ Crl specifies the crl configuration that can be used to validate the client initiating the TLS connection
+
+ Attributes
+ ----------
+ onlyVerifyLeafCertificate : bool, default is Undefined, optional
+ If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+ Defaults to false, which will verify the entire certificate chain against the CRL.
+ refs : [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationCrlRefsItems0], default is Undefined, required
+ Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+ containing the certificate revocation list in PEM format
+ Expects the content in a key named `ca.crl`.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the crl
+ to be attached.
+ """
+
+
+ onlyVerifyLeafCertificate?: bool
+
+ refs: [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationCrlRefsItems0]
+
+
+ check:
+ len(refs) >= 1
+ len(refs) <= 8
+
+
+schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationCrlRefsItems0:
+ r"""
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+
+ Attributes
+ ----------
+ group : str, default is Undefined, optional
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ kind : str, default is "Secret", optional
+ Kind is kind of the referent. For example "Secret".
+ name : str, default is Undefined, required
+ Name is the name of the referent.
+ namespace : str, default is Undefined, optional
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ """
+
+
+ group?: str = ""
+
+ kind?: str = "Secret"
+
+ name: str
+
+ namespace?: str
+
+
+ check:
+ len(group) <= 253 if group
+ _regex_match(str(group), r"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if group
+ len(kind) <= 63 if kind
+ len(kind) >= 1 if kind
+ _regex_match(str(kind), r"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$") if kind
+ len(name) <= 253
+ len(name) >= 1
+ len(namespace) <= 63 if namespace
+ len(namespace) >= 1 if namespace
+ _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace
+
+
schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicySpecTLSClientValidationSubjectAltNames:
r"""
An optional list of Subject Alternative name matchers. If specified, Envoy
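Review bot: `kind` in the new CrlRefsItems0 schema accepts any value that matches the generic kind regex (L5631), while the Crl docstring states that refs must point to a ConfigMap or a Secret (L5563); a policy referencing some other kind validates cleanly in this model and is rejected, if at all, only by the controller. Either narrow the field, `kind?: "Secret" | "ConfigMap" = "Secret"`, or add to the refs docstring that any other kind is rejected at reconcile time. If the model is generated from the CRD, the enum constraint belongs in the CRD and would flow through on regeneration.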
@@ -1363,8 +1642,38 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0:
----------
ancestorRef : GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0AncestorRef, default is Undefined, required
ancestor ref
- conditions : [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, optional
+ conditions : [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, required
Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
controllerName : str, default is Undefined, required
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
@@ -1384,14 +1693,14 @@ schema GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0:
ancestorRef: GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0AncestorRef
- conditions?: [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0ConditionsItems0]
+ conditions: [GatewayEnvoyproxyIoV1alpha1ClientTrafficPolicyStatusAncestorsItems0ConditionsItems0]
controllerName: str
check:
- len(conditions) >= 1 if conditions
- len(conditions) <= 8 if conditions
+ len(conditions) >= 1
+ len(conditions) <= 8
len(controllerName) <= 253
len(controllerName) >= 1
_regex_match(str(controllerName), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$")
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_extension_policy.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_extension_policy.k
index 453a8d62..c0b02f24 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_extension_policy.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_extension_policy.k
@@ -419,6 +419,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -430,6 +432,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -440,6 +444,47 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsDNS:
r"""
DNS includes dns resolution settings.
@@ -607,7 +652,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -716,6 +761,10 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -729,10 +778,12 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
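Review bot: The explicit default `= 0` on `consecutiveGatewayErrors` is dropped (L5779–L5780), so the model no longer emits the field and whatever default the controller or Envoy applies takes over. The attribute's entry in the Attributes docstring above lies outside this hunk; it should be checked so it no longer reads `default is 0`, otherwise the docstring and the declaration disagree.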
@@ -742,6 +793,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -833,12 +886,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
cookie
header : GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -847,9 +903,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
header?: GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -892,6 +950,23 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -988,6 +1063,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -995,6 +1072,13 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -1132,7 +1216,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -1200,6 +1284,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -1209,12 +1298,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicySpecExtProcItems0BackendSe
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -2006,8 +2098,38 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0:
----------
ancestorRef : GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0AncestorRef, default is Undefined, required
ancestor ref
- conditions : [GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, optional
+ conditions : [GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, required
Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
controllerName : str, default is Undefined, required
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
@@ -2027,14 +2149,14 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0:
ancestorRef: GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0AncestorRef
- conditions?: [GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0ConditionsItems0]
+ conditions: [GatewayEnvoyproxyIoV1alpha1EnvoyExtensionPolicyStatusAncestorsItems0ConditionsItems0]
controllerName: str
check:
- len(conditions) >= 1 if conditions
- len(conditions) <= 8 if conditions
+ len(conditions) >= 1
+ len(conditions) <= 8
len(controllerName) <= 253
len(controllerName) >= 1
_regex_match(str(controllerName), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$")
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_patch_policy.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_patch_policy.k
index c868d03e..6ef30b07 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_patch_policy.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_patch_policy.k
@@ -253,8 +253,38 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0:
----------
ancestorRef : GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0AncestorRef, default is Undefined, required
ancestor ref
- conditions : [GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, optional
+ conditions : [GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, required
Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
controllerName : str, default is Undefined, required
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
@@ -274,14 +304,14 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0:
ancestorRef: GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0AncestorRef
- conditions?: [GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0ConditionsItems0]
+ conditions: [GatewayEnvoyproxyIoV1alpha1EnvoyPatchPolicyStatusAncestorsItems0ConditionsItems0]
controllerName: str
check:
- len(conditions) >= 1 if conditions
- len(conditions) <= 8 if conditions
+ len(conditions) >= 1
+ len(conditions) <= 8
len(controllerName) <= 253
len(controllerName) >= 1
_regex_match(str(controllerName), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$")
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_proxy.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_proxy.k
index e28ceb75..ccc64046 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_proxy.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_envoy_proxy.k
@@ -68,6 +68,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpec:
- envoy.filters.http.ext_authz
+ - envoy.filters.http.api_key_auth
+
- envoy.filters.http.basic_auth
- envoy.filters.http.oauth2
@@ -76,6 +78,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpec:
- envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
+
- envoy.filters.http.lua
- envoy.filters.http.ext_proc
@@ -88,8 +92,16 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpec:
- envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+
+ - envoy.filters.http.grpc_stats
+
- envoy.filters.http.custom_response
+ - envoy.filters.http.credential_injector
+
+ - envoy.filters.http.compressor
+
- envoy.filters.http.router
Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
@@ -113,7 +125,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpec:
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition.
preserveRouteOrder : bool, default is Undefined, optional
PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
- specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)
+ specification (https://gateway-api.sigs.k8s.io/reference/1.4/spec/#httprouterule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False
provider : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProvider, default is Undefined, optional
@@ -142,7 +154,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpec:
logging?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecLogging
- luaValidation?: "Strict" | "Disabled"
+ luaValidation?: "Strict" | "InsecureSyntax" | "Disabled"
mergeGateways?: bool
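Review bot: The enum value `InsecureSyntax` is added to `luaValidation` (L6034) but nothing in the diff says which check it relaxes relative to `Strict` or what the consequence is; the Attributes docstring that describes the modes lies outside this hunk and is not updated here. An operator choosing this value needs that stated, e.g. `InsecureSyntax: <which validation is relaxed relative to Strict and the resulting risk — TODO confirm against the CRD description>`. If the file is generated, the sentence belongs in the CRD field description so it survives regeneration.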
@@ -172,7 +184,10 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecBackendTLS:
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
- Supported values are:
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
- http/1.0
- http/1.1
- h2
@@ -366,11 +381,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecFilterOrderItems0:
"""
- after?: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.lua" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.custom_response" | "envoy.filters.http.compressor"
+ after?: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.buffer" | "envoy.filters.http.lua" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.grpc_web" | "envoy.filters.http.grpc_stats" | "envoy.filters.http.custom_response" | "envoy.filters.http.credential_injector" | "envoy.filters.http.compressor"
- before?: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.lua" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.custom_response" | "envoy.filters.http.compressor"
+ before?: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.buffer" | "envoy.filters.http.lua" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.grpc_web" | "envoy.filters.http.grpc_stats" | "envoy.filters.http.custom_response" | "envoy.filters.http.credential_injector" | "envoy.filters.http.compressor"
- name: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.lua" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.custom_response" | "envoy.filters.http.compressor"
+ name: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.buffer" | "envoy.filters.http.lua" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.grpc_web" | "envoy.filters.http.grpc_stats" | "envoy.filters.http.custom_response" | "envoy.filters.http.credential_injector" | "envoy.filters.http.compressor"
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecLogging:
@@ -396,18 +411,40 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProvider:
Attributes
----------
+ host : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderHost, default is Undefined, optional
+ host
kubernetes : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetes, default is Undefined, optional
kubernetes
$type : str, default is Undefined, required
Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
- optional auxiliary control planes. Supported types are "Kubernetes".
+ optional auxiliary control planes. Supported types are "Kubernetes"and "Host".
"""
+ host?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderHost
+
kubernetes?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetes
- $type: "Kubernetes" | "Custom"
+ $type: "Kubernetes" | "Host"
+
+
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderHost:
+ r"""
+ Host provides runtime deployment of the data plane as a child process on the
+ host environment.
+ If unspecified and type is "Host", default settings for the custom provider
+ are applied.
+
+ Attributes
+ ----------
+ envoyVersion : str, default is Undefined, optional
+ EnvoyVersion is the version of Envoy to use. If unspecified, the version
+ against which Envoy Gateway is built will be used.
+ """
+
+
+ envoyVersion?: str
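Review bot: `$type` drops the `Custom` value in favour of `Host` (L6073–L6074), which breaks validation of any existing EnvoyProxy that sets `provider.type: Custom`; if this mirrors an upstream CRD change the commit message should say so. Two docstring defects in the same hunk: L6068 is missing a space, `optional auxiliary control planes. Supported types are "Kubernetes" and "Host".`, and L6081 still says `default settings for the custom provider are applied` where the host provider is meant. `envoyVersion` (L6092) is a free-form `str` with no check, unlike most string attributes in this file; since it selects the Envoy build run as a child process on the host (L6079–L6080), any format constraint the CRD places on it should be mirrored here.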
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetes:
@@ -530,7 +567,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
Attributes
----------
name : str, default is Undefined, required
- Name of the environment variable. Must be a C_IDENTIFIER.
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
value : str, default is Undefined, optional
Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
@@ -563,6 +601,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
config map key ref
fieldRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromFieldRef, default is Undefined, optional
field ref
+ fileKeyRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromFileKeyRef, default is Undefined, optional
+ file key ref
resourceFieldRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromResourceFieldRef, default is Undefined, optional
resource field ref
secretKeyRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromSecretKeyRef, default is Undefined, optional
@@ -574,6 +614,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
fieldRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromFieldRef
+ fileKeyRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromFileKeyRef
+
resourceFieldRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromResourceFieldRef
secretKeyRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromSecretKeyRef
@@ -624,6 +666,42 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
fieldPath: str
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromFileKeyRef:
+ r"""
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ optional : bool, default is Undefined, optional
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ path : str, default is Undefined, required
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ volumeName : str, default is Undefined, required
+ The name of the volume mount containing the env file.
+ """
+
+
+ key: str
+
+ optional?: bool = False
+
+ path: str
+
+ volumeName: str
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetContainerEnvItems0ValueFromResourceFieldRef:
r"""
Selects a resource of the container: only resources limits and requests
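Review bot: The `optional` attribute is declared as `optional?: bool = False` while its docstring entry says `optional : bool, default is Undefined, optional`; the two disagree and the docstring should read `optional : bool, default is False, optional`. The `path` docstring promises the value is relative and never contains `..`, but nothing in the schema enforces it; since this file already uses `_regex_match` inside `check:` blocks, an entry such as `not path.startswith("/") and not path.startswith("..") and ".." not in path.split("/"), "path must be relative and must not contain '..'"` would reject the values kubelet refuses anyway. The same two points apply to the identical FileKeyRef schemas generated for the Deployment container and the Deployment init containers further down in this diff.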
@@ -688,7 +766,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -1720,8 +1798,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
requiredDuringSchedulingIgnoredDuringExecution : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionItems0], default is Undefined, optional
If the anti-affinity requirements specified by this field are not met at
@@ -3285,15 +3363,13 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
volumeMode : str, default is Undefined, optional
volumeMode defines what type of volume is required by the claim.
Value of Filesystem is implied when not included in claim spec.
@@ -3665,13 +3741,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
r"""
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
Attributes
----------
endpoints : str, default is Undefined, required
endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
path : str, default is Undefined, required
path is the Glusterfs volume path.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
@@ -3759,7 +3833,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
r"""
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
Attributes
----------
@@ -3973,6 +4047,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
config map
downwardAPI : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0DownwardAPI, default is Undefined, optional
downward API
+ podCertificate : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0PodCertificate, default is Undefined, optional
+ pod certificate
secret : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0Secret, default is Undefined, optional
secret
serviceAccountToken : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0ServiceAccountToken, default is Undefined, optional
@@ -3986,6 +4062,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
downwardAPI?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0DownwardAPI
+ podCertificate?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0PodCertificate
+
secret?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0Secret
serviceAccountToken?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0ServiceAccountToken
@@ -4242,6 +4320,112 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
_regex_match(str(divisor), r"^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$") if divisor
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0PodCertificate:
+ r"""
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+
+ Attributes
+ ----------
+ certificateChainPath : str, default is Undefined, optional
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ credentialBundlePath : str, default is Undefined, optional
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ keyPath : str, default is Undefined, optional
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ keyType : str, default is Undefined, required
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ maxExpirationSeconds : int, default is Undefined, optional
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ signerName : str, default is Undefined, required
+ Kubelet's generated CSRs will be addressed to this signer.
+ """
+
+
+ certificateChainPath?: str
+
+ credentialBundlePath?: str
+
+ keyPath?: str
+
+ keyType: str
+
+ maxExpirationSeconds?: int
+
+ signerName: str
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSetPodVolumesItems0ProjectedSourcesItems0Secret:
r"""
secret information about the secret data to project
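Review bot: `keyType: str` accepts any string although the docstring fixes the set to six values; the file already expresses closed sets as literal unions (the provider `$type` attribute does this), so `keyType: "RSA3072" | "RSA4096" | "ECDSAP256" | "ECDSAP384" | "ECDSAP521" | "ED25519"` would turn a misspelled key algorithm into a schema error instead of something caught only when the pod is admitted or started, assuming the generator can emit an enum for this field. Likewise `maxExpirationSeconds?: int` could carry the documented bounds as a `check:` entry `maxExpirationSeconds >= 3600 and maxExpirationSeconds <= 7862400 if maxExpirationSeconds`, matching the `if divisor` guard style used elsewhere in the file. The schema docstring also has a doubled verb that should read `The named signer chooses the format of the certificate it issues`.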
@@ -4380,7 +4564,6 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
r"""
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
Attributes
----------
@@ -4727,7 +4910,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDaemonSet
pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
on that node is marked deleted. If the old pod becomes unavailable for any
reason (Ready transitions to false, is evicted, or is drained) an updated
- pod is immediatedly created on that node without considering surge limits.
+ pod is immediately created on that node without considering surge limits.
Allowing surge implies the possibility that the resources consumed by the
daemonset on any given node can double if the readiness check fails, and
so resource intensive daemonsets should take into account that they may
@@ -4842,7 +5025,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
Attributes
----------
name : str, default is Undefined, required
- Name of the environment variable. Must be a C_IDENTIFIER.
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
value : str, default is Undefined, optional
Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
@@ -4875,6 +5059,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
config map key ref
fieldRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromFieldRef, default is Undefined, optional
field ref
+ fileKeyRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromFileKeyRef, default is Undefined, optional
+ file key ref
resourceFieldRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromResourceFieldRef, default is Undefined, optional
resource field ref
secretKeyRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromSecretKeyRef, default is Undefined, optional
@@ -4886,6 +5072,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
fieldRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromFieldRef
+ fileKeyRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromFileKeyRef
+
resourceFieldRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromResourceFieldRef
secretKeyRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromSecretKeyRef
@@ -4936,6 +5124,42 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
fieldPath: str
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromFileKeyRef:
+ r"""
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ optional : bool, default is Undefined, optional
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ path : str, default is Undefined, required
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ volumeName : str, default is Undefined, required
+ The name of the volume mount containing the env file.
+ """
+
+
+ key: str
+
+ optional?: bool = False
+
+ path: str
+
+ volumeName: str
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentContainerEnvItems0ValueFromResourceFieldRef:
r"""
Selects a resource of the container: only resources limits and requests
@@ -5000,7 +5224,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -5373,8 +5597,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
Cannot be updated.
envFrom : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvFromItems0], default is Undefined, optional
List of sources to populate environment variables in the container.
- The keys defined within a source must be a C_IDENTIFIER. All invalid keys
- will be reported as an event when the container is starting. When a key exists in multiple
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ When a key exists in multiple
sources, the value associated with the last source will take precedence.
Values defined by an Env with a duplicate key will take precedence.
Cannot be updated.
@@ -5413,10 +5637,10 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
resources
restartPolicy : str, default is Undefined, optional
RestartPolicy defines the restart behavior of individual containers in a pod.
- This field may only be set for init containers, and the only allowed value is "Always".
- For non-init containers or when this field is not specified,
+ This overrides the pod-level restart policy. When this field is not specified,
the restart behavior is defined by the Pod's restart policy and the container type.
- Setting the RestartPolicy as "Always" for the init container will have the following effect:
+ Additionally, setting the RestartPolicy as "Always" for the init container will
+ have the following effect:
this init container will be continually restarted on
exit until all regular containers have terminated. Once all regular
containers have completed, all init containers with restartPolicy "Always"
@@ -5427,6 +5651,18 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
container. Instead, the next init container starts immediately after this
init container is started, or after any startupProbe has successfully
completed.
+ restartPolicyRules : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0RestartPolicyRulesItems0], default is Undefined, optional
+ Represents a list of rules to be checked to determine if the
+ container should be restarted on exit. The rules are evaluated in
+ order. Once a rule matches a container exit condition, the remaining
+ rules are ignored. If no rule matches the container exit condition,
+ the Container-level restart policy determines the whether the container
+ is restarted or not. Constraints on the rules:
+ - At most 20 rules are allowed.
+ - Rules can have the same action.
+ - Identical rules are not forbidden in validations.
+ When rules are specified, container MUST set RestartPolicy explicitly
+ even it if matches the Pod's RestartPolicy.
securityContext : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0SecurityContext, default is Undefined, optional
security context
startupProbe : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0StartupProbe, default is Undefined, optional
@@ -5503,6 +5739,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
restartPolicy?: str
+ restartPolicyRules?: [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0RestartPolicyRulesItems0]
+
securityContext?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0SecurityContext
startupProbe?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0StartupProbe
@@ -5533,7 +5771,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
configMapRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvFromItems0ConfigMapRef, default is Undefined, optional
config map ref
prefix : str, default is Undefined, optional
- Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
+ Optional text to prepend to the name of each environment variable.
+ May consist of any printable ASCII characters except '='.
secretRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvFromItems0SecretRef, default is Undefined, optional
secret ref
"""
@@ -5597,7 +5836,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
Attributes
----------
name : str, default is Undefined, required
- Name of the environment variable. Must be a C_IDENTIFIER.
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
value : str, default is Undefined, optional
Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
@@ -5630,6 +5870,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
config map key ref
fieldRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromFieldRef, default is Undefined, optional
field ref
+ fileKeyRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromFileKeyRef, default is Undefined, optional
+ file key ref
resourceFieldRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromResourceFieldRef, default is Undefined, optional
resource field ref
secretKeyRef : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromSecretKeyRef, default is Undefined, optional
@@ -5641,6 +5883,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
fieldRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromFieldRef
+ fileKeyRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromFileKeyRef
+
resourceFieldRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromResourceFieldRef
secretKeyRef?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromSecretKeyRef
@@ -5691,6 +5935,42 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
fieldPath: str
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromFileKeyRef:
+ r"""
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+
+ Attributes
+ ----------
+ key : str, default is Undefined, required
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ optional : bool, default is Undefined, optional
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ path : str, default is Undefined, required
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ volumeName : str, default is Undefined, required
+ The name of the volume mount containing the env file.
+ """
+
+
+ key: str
+
+ optional?: bool = False
+
+ path: str
+
+ volumeName: str
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0EnvItems0ValueFromResourceFieldRef:
r"""
Selects a resource of the container: only resources limits and requests
@@ -6475,7 +6755,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -6524,6 +6804,50 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
request?: str
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0RestartPolicyRulesItems0:
+ r"""
+ ContainerRestartRule describes how a container exit is handled.
+
+ Attributes
+ ----------
+ action : str, default is Undefined, required
+ Specifies the action taken on a container exit if the requirements
+ are satisfied. The only possible value is "Restart" to restart the
+ container.
+ exitCodes : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0RestartPolicyRulesItems0ExitCodes, default is Undefined, optional
+ exit codes
+ """
+
+
+ action: str
+
+ exitCodes?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0RestartPolicyRulesItems0ExitCodes
+
+
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0RestartPolicyRulesItems0ExitCodes:
+ r"""
+ Represents the exit codes to check on container exits.
+
+ Attributes
+ ----------
+ operator : str, default is Undefined, required
+ Represents the relationship between the container exit code(s) and the
+ specified values. Possible values are:
+ - In: the requirement is satisfied if the container exit code is in the
+ set of specified values.
+ - NotIn: the requirement is satisfied if the container exit code is
+ not in the set of specified values.
+ values : [int], default is Undefined, optional
+ Specifies the set of values to check for container exit codes.
+ At most 255 elements are allowed.
+ """
+
+
+ operator: str
+
+ values?: [int]
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentInitContainersItems0SecurityContext:
r"""
SecurityContext defines the security options the container should be run with.
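Review bot: `action: str` and `operator: str` are open strings while their docstrings name exactly one and two legal values; as literal unions, `action: "Restart"` and `operator: "In" | "NotIn"`, they would match how `$type` is typed elsewhere in this file and reject a misspelled rule before it reaches the cluster, assuming the generator can emit the enum here. The `values?: [int]` bound of 255 elements is likewise only stated in prose; a `check:` entry `len(values) <= 255 if values` would carry it. Both schemas are new in this hunk, and like the 20-rule limit documented on `restartPolicyRules` earlier in the diff, none of these constraints is currently enforced by the KCL schema.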
@@ -7708,8 +8032,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
requiredDuringSchedulingIgnoredDuringExecution : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionItems0], default is Undefined, optional
If the anti-affinity requirements specified by this field are not met at
@@ -9273,15 +9597,13 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
volumeMode : str, default is Undefined, optional
volumeMode defines what type of volume is required by the claim.
Value of Filesystem is implied when not included in claim spec.
@@ -9653,13 +9975,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
r"""
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
Attributes
----------
endpoints : str, default is Undefined, required
endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
path : str, default is Undefined, required
path is the Glusterfs volume path.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
@@ -9747,7 +10067,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
r"""
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
Attributes
----------
@@ -9961,6 +10281,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
config map
downwardAPI : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0DownwardAPI, default is Undefined, optional
downward API
+ podCertificate : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0PodCertificate, default is Undefined, optional
+ pod certificate
secret : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0Secret, default is Undefined, optional
secret
serviceAccountToken : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0ServiceAccountToken, default is Undefined, optional
@@ -9974,6 +10296,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
downwardAPI?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0DownwardAPI
+ podCertificate?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0PodCertificate
+
secret?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0Secret
serviceAccountToken?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0ServiceAccountToken
@@ -10230,6 +10554,112 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
_regex_match(str(divisor), r"^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$") if divisor
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0PodCertificate:
+ r"""
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+
+ Attributes
+ ----------
+ certificateChainPath : str, default is Undefined, optional
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ credentialBundlePath : str, default is Undefined, optional
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ keyPath : str, default is Undefined, optional
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ keyType : str, default is Undefined, required
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ maxExpirationSeconds : int, default is Undefined, optional
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ signerName : str, default is Undefined, required
+ Kubelet's generated CSRs will be addressed to this signer.
+ """
+
+
+ certificateChainPath?: str
+
+ credentialBundlePath?: str
+
+ keyPath?: str
+
+ keyType: str
+
+ maxExpirationSeconds?: int
+
+ signerName: str
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymentPodVolumesItems0ProjectedSourcesItems0Secret:
r"""
secret information about the secret data to project
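Review bot: The new PodCertificate schema documents hard constraints that the schema itself does not enforce: keyType is limited to six named values and maxExpirationSeconds to the 3600–7862400 range, yet L6782 and L6784 declare a bare `str` and `int` with no `check:` block, unlike the Preconnect and failurePercentageThreshold schemas added in the same commit. A mis-typed keyType or an out-of-range certificate lifetime is therefore only rejected by kube-apiserver at apply time; a schema-level check surfaces the error at validation time and keeps the lifetime cap visible where the credential is configured. If this file is regenerated from the CRD, the constraint belongs in the CRD (`enum`, `minimum`, `maximum`) so that it survives regeneration. The docstring also carries an upstream typo on L6716, `controls chooses the format` → `controls the format`.
```kcl
    signerName: str

    check:
        keyType in ["RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", "ECDSAP521", "ED25519"]
        maxExpirationSeconds >= 3600 if maxExpirationSeconds not in [None, Undefined]
        maxExpirationSeconds <= 7862400 if maxExpirationSeconds not in [None, Undefined]
```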
@@ -10368,7 +10798,6 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecProviderKubernetesEnvoyDeploymen
r"""
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
Attributes
----------
@@ -12165,6 +12594,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -12176,6 +12607,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -12186,6 +12619,47 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
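Review bot: predictivePercent has no upper bound in the `check:` block (L6853), while perEndpointPercent is capped at 300 on L6851, so a value such as 100000 passes schema validation and fails, if at all, only when Envoy validates the cluster configuration; I believe Envoy bounds the predictive preconnect ratio at 3.0 as well, which is worth confirming against the Envoy proto. Because preconnect multiplies the number of upstream connections opened per active stream, an unbounded value is also a resource-amplification footgun for the access-log backend, and mirroring the existing cap rejects it at admission: `predictivePercent <= 300 if predictivePercent not in [None, Undefined]`. The same schema is duplicated verbatim for the OpenTelemetry access-log backend (L6997–7038) and the metrics sink backend (L7197–7236) and should get the same bound. If this file is generated from the CRD, the maximum belongs on the CRD type so the generated check picks it up.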
@@ -12353,7 +12827,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -12462,6 +12936,10 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -12475,10 +12953,12 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
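Review bot: Dropping the `= 0` default on `consecutiveGatewayErrors` (L6879–6880) is a behavioural change, not only a type change: values rendered from this schema previously emitted `consecutiveGatewayErrors: 0`, which disabled gateway-error ejection explicitly, whereas an unset field now takes whatever default the controller applies. The field's docstring is outside this hunk, so I cannot tell from here whether that default is still 0; if it is not, existing configurations silently begin ejecting hosts on gateway errors after the upgrade. Worth a release-note line either way, and the same change appears at L7063–7064 and L7261–7262.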
@@ -12488,6 +12968,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -12579,12 +13061,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
cookie
header : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -12593,9 +13078,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
header?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -12638,6 +13125,23 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -12734,6 +13238,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -12741,6 +13247,13 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0AlsBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -12878,7 +13391,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -12946,6 +13459,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -12955,12 +13473,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -13351,6 +13872,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -13362,6 +13885,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -13372,6 +13897,47 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
@@ -13539,7 +14105,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -13648,6 +14214,10 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -13661,10 +14231,12 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
@@ -13674,6 +14246,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -13765,12 +14339,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
cookie
header : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -13779,9 +14356,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
header?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -13824,6 +14403,23 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -13920,6 +14516,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -13927,6 +14525,13 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0SinksItems0OpenTelemetryBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -14064,7 +14669,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -14132,6 +14737,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -14141,12 +14751,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryAccessLogSettingsItems0
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -14283,6 +14896,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsPrometheusCompre
The configuration for GZIP compressor.
$type : str, default is Undefined, required
CompressorType defines the compressor type to use for compression.
+ zstd : any, default is Undefined, optional
+ The configuration for Zstd compressor.
"""
@@ -14290,7 +14905,9 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsPrometheusCompre
gzip?: any
- $type: "Gzip" | "Brotli"
+ $type: "Gzip" | "Brotli" | "Zstd"
+
+ zstd?: any
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0:
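Review bot: `zstd?: any` on L7179, like the existing `gzip?: any`, accepts any value, so the compressor options are not validated at all and nothing ties the supplied block to `$type`: a manifest with `$type: "Zstd"` and a `gzip` block, or a `zstd` block with a misspelled option, passes this schema. If the CRD really defines these as schemaless objects this is a faithful import, but a one-line consistency check per compressor would catch the mismatch, e.g. `zstd == Undefined if $type != "Zstd"`. The enclosing schema starts outside the hunk, so I cannot see whether such a check already exists in its `check:` block.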
@@ -14638,6 +15255,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -14649,6 +15268,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -14659,6 +15280,47 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
@@ -14826,7 +15488,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -14935,6 +15597,10 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -14948,10 +15614,12 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
@@ -14961,6 +15629,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -15052,12 +15722,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
cookie
header : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -15066,9 +15739,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
header?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
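Review bot: Adding `"Headers"` to `$type` and the optional `headers` list gives this schema no rule that ties them together, so `$type: "Headers"` with no `headers`, or `headers` alongside `$type: "Header"`, passes here and is only caught later by the CRD or the controller. If the `check:` body (which continues past the hunk) already requires `header` when `$type == "Header"`, a parallel rule is needed: `headers if $type == "Headers"` and `len(headers) >= 1 if headers`. If the CRD also bounds the list length, mirror that bound here; I cannot see the CRD from this hunk.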
@@ -15111,6 +15786,23 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -15207,6 +15899,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -15214,6 +15908,13 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenTelemetryBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -15351,7 +16052,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -15419,6 +16120,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -15428,12 +16134,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryMetricsSinksItems0OpenT
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -15913,6 +16622,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -15924,6 +16635,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -15934,6 +16647,47 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
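Review bot: `predictivePercent` receives only a lower bound on the last check line while `perEndpointPercent` is capped at 300; the docstring ("Minimum allowed value is 100") agrees, but Envoy's `predictive_preconnect_ratio` is, as far as I recall, validated to [1.0, 3.0], so a value such as 500 would pass this schema and be rejected only when the cluster is loaded. If that bound is confirmed, add `predictivePercent <= 300 if predictivePercent not in [None, Undefined]` and change the docstring to `Allowed value range is between 100-300.`. Either way both ratios raise the number of connections the proxy opens toward the telemetry sink, which is worth one sentence so operators size sink capacity accordingly.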
@@ -16101,7 +16855,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -16210,6 +16964,10 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -16223,10 +16981,12 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
@@ -16236,6 +16996,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -16327,12 +17089,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
cookie
header : GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -16341,9 +17106,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
header?: GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -16386,6 +17153,23 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -16482,6 +17266,8 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -16489,6 +17275,13 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -16626,7 +17419,7 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -16694,6 +17487,11 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -16703,12 +17501,15 @@ schema GatewayEnvoyproxyIoV1alpha1EnvoyProxySpecTelemetryTracingProviderBackendS
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_http_route_filter.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_http_route_filter.k
index 2af2f9e7..d904ac93 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_http_route_filter.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_http_route_filter.k
@@ -159,7 +159,9 @@ schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponse:
body : GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseBody, default is Undefined, optional
body
contentType : str, default is Undefined, optional
- Content Type of the response. This will be set in the Content-Type header.
+ Content Type of the direct response. This will be set in the Content-Type header.
+ header : GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeader, default is Undefined, optional
+ header
statusCode : int, default is Undefined, optional
Status Code of the HTTP response
If unset, defaults to 200.
@@ -170,12 +172,14 @@ schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponse:
contentType?: str
+ header?: GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeader
+
statusCode?: int
schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseBody:
r"""
- Body of the Response
+ Body of the direct response.
Attributes
----------
@@ -234,6 +238,145 @@ schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseBodyValueRef:
len(name) >= 1
+schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeader:
+ r"""
+ Header defines the headers of the direct response.
+
+ Attributes
+ ----------
+ add : [GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeaderAddItems0], default is Undefined, optional
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ remove : [str], default is Undefined, optional
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ set : [GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeaderSetItems0], default is Undefined, optional
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ """
+
+
+ add?: [GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeaderAddItems0]
+
+ remove?: [str]
+
+ set?: [GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeaderSetItems0]
+
+
+ check:
+ len(add) <= 16 if add
+ len(remove) <= 16 if remove
+ len(set) <= 16 if set
+
+
+schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeaderAddItems0:
+ r"""
+ HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ value : str, default is Undefined, required
+ Value is the value of HTTP Header to be matched.
+ """
+
+
+ name: str
+
+ value: str
+
+
+ check:
+ len(name) <= 256
+ len(name) >= 1
+ _regex_match(str(name), r"^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$")
+ len(value) <= 4096
+ len(value) >= 1
+
+
+schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecDirectResponseHeaderSetItems0:
+ r"""
+ HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ value : str, default is Undefined, required
+ Value is the value of HTTP Header to be matched.
+ """
+
+
+ name: str
+
+ value: str
+
+
+ check:
+ len(name) <= 256
+ len(name) >= 1
+ _regex_match(str(name), r"^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$")
+ len(value) <= 4096
+ len(value) >= 1
+
+
schema GatewayEnvoyproxyIoV1alpha1HTTPRouteFilterSpecURLRewrite:
r"""
HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host
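Review bot: The `add`, `remove` and `set` docstrings in the new `...DirectResponseHeader` schema describe modifying "the request before the action" and show `GET /foo HTTP/1.1` inputs, yet the schema itself is documented as `the headers of the direct response`, so these operations apply to the locally generated response, not to a request. Reword to e.g. `Add adds the given header(s) (name, value) to the direct response; it appends to any existing values associated with the header name.`, `Remove the given header(s) from the direct response.`, `Set overwrites the given header (name, value) on the direct response.`, and replace the example inputs with response lines such as `HTTP/1.1 200 OK`. The two item schemas likewise say `Name is the name of the HTTP Header to be matched` and `Value is the value of HTTP Header to be matched`; for a header being emitted, `to be set` is the accurate wording. Note also that `value` is only length-bounded: CR/LF inside a value is not rejected by this schema, so protection against response splitting rests on Envoy's own header validation rather than on admission.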
diff --git a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_security_policy.k b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_security_policy.k
index e69670dd..8898d9f7 100644
--- a/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_security_policy.k
+++ b/envoy-gateway/v1alpha1/gateway_envoyproxy_io_v1alpha1_security_policy.k
@@ -302,6 +302,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecAuthorizationRulesItems0Prin
or the proxy protocol.
You can use the `ClientIPDetection` or the `ProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected.
+
+ For TCPRoute targets (raw TCP connections), HTTP headers such as
+ X-Forwarded-For are not available. The client IP is obtained from the
+ TCP connection's peer address. If intermediaries (load balancers, NAT)
+ terminate or proxy TCP, the original client IP will only be available
+ if the intermediary preserves the source address (for example by
+ enabling the PROXY protocol or avoiding SNAT). Ensure your L4 proxy is
+ configured to preserve the source IP to enable correct client-IP
+ matching for TCPRoute targets.
headers : [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecAuthorizationRulesItems0PrincipalHeadersItems0], default is Undefined, optional
Headers authorize the request based on user identity extracted from custom headers.
If multiple headers are specified, all headers must match for the rule to match.
@@ -432,7 +441,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecAuthorizationRulesItems0Prin
len(name) <= 253
len(name) >= 1
len(values) >= 1
- len(values) <= 16
+ len(values) <= 128
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecBasicAuth:
@@ -604,6 +613,9 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuth:
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied.
+ timeout : str, default is Undefined, optional
+ Timeout defines the timeout for requests to the external authorization service.
+ If not specified, defaults to 10 seconds.
"""
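Review bot: The new `timeout` docstring states the default but not what happens when it is exceeded, which is the security-relevant part: presumably a request whose authorization check times out is treated as an error and denied unless the policy is explicitly configured to fail open. I would add after the default line: `A request whose authorization check exceeds this timeout is treated as unauthorized and denied unless fail-open behaviour is enabled on this policy.`, naming whatever the ExtAuth schema's fail-open field is called (it is outside this hunk). The schema body continues past the hunk.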
@@ -619,6 +631,12 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuth:
recomputeRoute?: bool
+ timeout?: str
+
+
+ check:
+ _regex_match(str(timeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if timeout
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthBodyToExtAuth:
r"""
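Review bot: The regex on the new check line accepts `0s` and `0ms`, so a zero ext auth timeout passes the schema, and the docstring only says the default is 10 seconds. If the CRD does not reject zero, the docstring should say whether it is invalid (`Must be greater than zero.`) or what it means for the authorization check. Large values such as `1h` are also accepted, which lets a slow or unresponsive authorization service hold gateway streams open for that long; a cap in the check, or at least a caveat in the docstring, would be useful.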
@@ -955,6 +973,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsCo
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
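Review bot: The new `preconnect` attribute on the ExtAuth gRPC backend settings is documented only by its own name (`preconnect`), unlike the neighbouring `bufferLimit` and `socketBufferLimit` entries. This file is generated from the CRD, so the durable fix is the field's upstream description, but the docstring should carry something like `Preconnect configures proactive upstream connections to the backend; see the Preconnect schema for the per-endpoint and predictive ratios.`. It is also worth saying that pre-establishing extra connections to the authorization service increases the load it sees from every proxy replica, so the ratios should be sized against its capacity.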
@@ -966,6 +986,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsCo
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -976,6 +998,47 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsCo
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
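Review bot: `predictivePercent` has only a lower bound on the last check line while `perEndpointPercent` is capped at 300; if Envoy's `predictive_preconnect_ratio` is indeed bounded to [1.0, 3.0] as I recall, add `predictivePercent <= 300 if predictivePercent not in [None, Undefined]` so the schema rejects what Envoy would reject, and update the docstring to `Allowed value range is between 100-300.`. On an authorization backend this matters more than elsewhere: an unbounded ratio means each proxy can multiply its connections to the ext auth service, so the docstring should note that these ratios scale connection load on the authorization service.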
@@ -1143,7 +1206,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsHe
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -1252,6 +1315,10 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsHe
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -1265,10 +1332,12 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsHe
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
@@ -1278,6 +1347,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsHe
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -1369,12 +1440,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLo
cookie
header : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -1383,9 +1457,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLo
header?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -1428,6 +1504,23 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLo
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -1524,6 +1617,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLo
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -1531,6 +1626,13 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLo
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -1668,7 +1770,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsRe
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -1736,6 +1838,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsTi
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -1745,12 +1852,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthGrpcBackendSettingsTi
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -2106,6 +2216,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsCo
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -2117,6 +2229,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsCo
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -2127,6 +2241,47 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsCo
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
@@ -2294,7 +2449,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsHe
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -2403,6 +2558,10 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsHe
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -2416,10 +2575,12 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsHe
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
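Review bot: The `= 0` default is dropped from `consecutiveGatewayErrors` here, but the Attributes docstring line for that field sits just above this hunk and is not touched by the diff; if it still reads `consecutiveGatewayErrors : int, default is 0, optional`, the docstring and the declaration now disagree. Dropping the default also means a policy built from this schema no longer emits `consecutiveGatewayErrors: 0`, so the effective value becomes whatever the controller applies, which the docstring should say, e.g. `consecutiveGatewayErrors : int, default is Undefined, optional` followed by `If not specified, the controller's default applies.` The same change appears in the corresponding RemoteJWKS and OidcProvider outlier-detection hunks below. Since these docstrings appear to be generated from the CRD, the wording belongs in the CRD description so regeneration keeps it.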
@@ -2429,6 +2590,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsHe
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -2520,12 +2683,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLo
cookie
header : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -2534,9 +2700,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLo
header?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -2579,6 +2747,23 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLo
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -2675,6 +2860,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLo
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -2682,6 +2869,13 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLo
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -2819,7 +3013,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsRe
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -2887,6 +3081,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsTi
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -2896,12 +3095,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecExtAuthHTTPBackendSettingsTi
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -3148,6 +3350,9 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
backend server to which the authorization request will be sent.
backendSettings : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettings, default is Undefined, optional
backend settings
+ cacheDuration : str, default is "300s", optional
+ Duration is a string value representing a duration in time. The format is as specified
+ in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
uri : str, default is Undefined, required
URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.
If a custom trust bundle is needed, it can be specified in a BackendTLSConfig resource and target the BackendRefs.
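Review bot: The description added for `cacheDuration` describes the Duration type rather than the field, so a reader cannot tell what is being cached or what the `"300s"` default bounds. From the field name and the enclosing RemoteJWKS schema it is presumably how long a fetched JWKS is reused before it is fetched again, which matters operationally because it caps how quickly a rotated or revoked signing key takes effect; suggest `CacheDuration is how long the fetched JWKS is cached before it is fetched again from the URI. Defaults to 300s.` Confirm against the CRD before changing the wording, and make the change there since this docstring looks generated.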
@@ -3160,11 +3365,14 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
backendSettings?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettings
+ cacheDuration?: str = "300s"
+
uri: str
check:
len(backendRefs) <= 16 if backendRefs
+ _regex_match(str(cacheDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if cacheDuration
len(uri) <= 253
len(uri) >= 1
@@ -3454,6 +3662,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -3465,6 +3675,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -3475,6 +3687,47 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
@@ -3642,7 +3895,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -3751,6 +4004,10 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
@@ -3764,10 +4021,12 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
@@ -3777,6 +4036,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -3868,12 +4129,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
cookie
header : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -3882,9 +4146,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
header?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
@@ -3927,6 +4193,23 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -4023,6 +4306,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -4030,6 +4315,13 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKSBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -4167,7 +4459,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -4235,6 +4527,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -4244,12 +4541,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecJwtProvidersItems0RemoteJWKS
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -4296,6 +4596,13 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidc:
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
cookieNames : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcCookieNames, default is Undefined, optional
cookie names
+ csrfTokenTTL : str, default is Undefined, optional
+ CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+
+ This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+ in the "state" parameter when the provider redirects back to the callback endpoint.
+
+ If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
defaultRefreshTokenTTL : str, default is Undefined, optional
DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
@@ -4314,6 +4621,10 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidc:
OAuth flow will fail.
denyRedirect : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcDenyRedirect, default is Undefined, optional
deny redirect
+ disableTokenEncryption : bool, default is Undefined, optional
+ Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.
+ This option should only be used in secure environments where token encryption is not required.
+ Default is false (tokens are encrypted).
forwardAccessToken : bool, default is Undefined, optional
ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
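Review bot: The description for `disableTokenEncryption` says the access and ID tokens "will be stored in plain text" but not where, which is the one fact a reader needs to judge the exposure. If the tokens are carried in the OIDC session cookies, as the neighbouring cookieDomain/cookieNames fields suggest, the line should say so, e.g. `When set to true, the access token and ID token are stored unencrypted in the session cookies and are readable by anything that can read those cookies.` "Secure environments where token encryption is not required" is also vague; naming the concrete precondition (for example, the cookie never leaving a trusted client) would help. As with the other docstrings in this file, the wording belongs in the CRD description if this schema is generated.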
@@ -4336,13 +4647,13 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidc:
The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
- refreshToken : bool, default is Undefined, optional
+ refreshToken : bool, default is True, optional
RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.
- If not specified, defaults to false.
+ If not specified, defaults to true.
resources : [str], default is Undefined, optional
The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
@@ -4366,12 +4677,16 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidc:
cookieNames?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcCookieNames
+ csrfTokenTTL?: str
+
defaultRefreshTokenTTL?: str
defaultTokenTTL?: str
denyRedirect?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcDenyRedirect
+ disableTokenEncryption?: bool
+
forwardAccessToken?: bool
logoutPath?: str
@@ -4382,7 +4697,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidc:
redirectURL?: str
- refreshToken?: bool
+ refreshToken?: bool = True
resources?: [str]
@@ -4392,6 +4707,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidc:
check:
len(clientID) >= 1 if clientID
_regex_match(str(cookieDomain), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$") if cookieDomain
+ _regex_match(str(csrfTokenTTL), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if csrfTokenTTL
_regex_match(str(defaultRefreshTokenTTL), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if defaultRefreshTokenTTL
_regex_match(str(defaultTokenTTL), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if defaultTokenTTL
@@ -4508,12 +4824,12 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcCookieConfig:
Attributes
----------
- sameSite : str, default is "Strict", optional
+ sameSite : str, default is Undefined, optional
same site
"""
- sameSite?: "Lax" | "Strict" | "None" = "Strict"
+ sameSite?: "Lax" | "Strict" | "None"
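Review bot: The `"Strict"` default for `sameSite` is removed on the new side while the docstring stays at the bare `same site`, so the schema no longer tells a user what an unset value means for the OIDC cookies; since SameSite is the cookie's cross-site request defence, the effective default (presumably now chosen by the controller or left to the browser, which treats an absent attribute as Lax) should be stated rather than left implicit. Suggest replacing the attribute description with `SameSite attribute applied to the OIDC cookies. When unset, the schema applies no value and the effective default is determined by the controller.` Confirm which default the controller actually applies before committing the wording.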
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcCookieNames:
@@ -4925,6 +5241,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsC
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes.
+ preconnect : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsConnectionPreconnect, default is Undefined, optional
+ preconnect
socketBufferLimit : int | str, default is Undefined, optional
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
to backend.
@@ -4936,6 +5254,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsC
bufferLimit?: int | str
+ preconnect?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsConnectionPreconnect
+
socketBufferLimit?: int | str
@@ -4946,6 +5266,47 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsC
_regex_match(str(socketBufferLimit), r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") if socketBufferLimit
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsConnectionPreconnect:
+ r"""
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+
+ Attributes
+ ----------
+ perEndpointPercent : int, default is Undefined, optional
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ predictivePercent : int, default is Undefined, optional
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ """
+
+
+ perEndpointPercent?: int
+
+ predictivePercent?: int
+
+
+ check:
+ perEndpointPercent <= 300 if perEndpointPercent not in [None, Undefined]
+ perEndpointPercent >= 100 if perEndpointPercent not in [None, Undefined]
+ predictivePercent >= 100 if predictivePercent not in [None, Undefined]
+
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsDNS:
r"""
DNS includes dns resolution settings.
@@ -5113,7 +5474,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsH
check:
- all expectedStatuses in expectedStatuses { expectedStatuses < 600 if expectedStatuses not in [None, Undefined] } if expectedStatuses
+ all expectedStatuses in expectedStatuses { expectedStatuses <= 599 if expectedStatuses not in [None, Undefined] } if expectedStatuses
all expectedStatuses in expectedStatuses { expectedStatuses >= 100 if expectedStatuses not in [None, Undefined] } if expectedStatuses
len(hostname) <= 253 if hostname
len(hostname) >= 1 if hostname
@@ -5222,6 +5583,10 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsH
consecutiveLocalOriginFailures : int, default is 5, optional
ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true.
+ failurePercentageThreshold : int, default is Undefined, optional
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
interval : str, default is "3s", optional
Interval defines the time between passive health checks.
maxEjectionPercent : int, default is 10, optional
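Review bot: The new `failurePercentageThreshold` entry says `default is Undefined` and, two lines later, `Defaults to 85.`, which reads as a contradiction to anyone who does not know that the first refers to this schema and the second to the proxy. The sibling attribute added further down in this diff, `percentageEnabled`, phrases the same situation as `If not specified, Envoy defaults to 100%.`; suggest the same form here, `If not specified, Envoy defaults to 85.`, so the two kinds of default are distinguished consistently across the file. Since the docstring is what users see, stating the accepted range (0–100, enforced in the check block added later in this diff) in this entry would also spare them a failed validation.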
@@ -5235,10 +5600,12 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsH
consecutive5XxErrors?: int = 5
- consecutiveGatewayErrors?: int = 0
+ consecutiveGatewayErrors?: int
consecutiveLocalOriginFailures?: int = 5
+ failurePercentageThreshold?: int
+
interval?: str = "3s"
maxEjectionPercent?: int = 10
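Review bot: Dropping the `= 0` default from `consecutiveGatewayErrors` changes what this schema emits (the key is now omitted instead of rendered as `0`), but the Attributes entry for that field lies outside this hunk, so I cannot confirm it was updated from `default is 0` to match. If the intent is that the controller's own default now applies, a one-line comment on the attribute such as `# default intentionally unset; the controller applies its own value` would make the removal self-explaining rather than looking like a lost line. The remainder of the attribute list continues outside the hunk.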
@@ -5248,6 +5615,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsH
check:
_regex_match(str(baseEjectionTime), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if baseEjectionTime
+ failurePercentageThreshold <= 100 if failurePercentageThreshold not in [None, Undefined]
+ failurePercentageThreshold >= 0 if failurePercentageThreshold not in [None, Undefined]
_regex_match(str(interval), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if interval
@@ -5339,12 +5708,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsL
cookie
header : GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsLoadBalancerConsistentHashHeader, default is Undefined, optional
header
+ headers : [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsLoadBalancerConsistentHashHeadersItems0], default is Undefined, optional
+ Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.
tableSize : int, default is 65537, optional
The table size for consistent hashing, must be prime number limited to 5000011.
$type : str, default is Undefined, required
ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
+ "Headers",
"Cookie".
"""
@@ -5353,9 +5725,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsL
header?: GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsLoadBalancerConsistentHashHeader
+ headers?: [GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsLoadBalancerConsistentHashHeadersItems0]
+
tableSize?: int = 65537
- $type: "SourceIP" | "Header" | "Cookie"
+ $type: "SourceIP" | "Header" | "Headers" | "Cookie"
check:
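Review bot: `$type` now admits `"Headers"`, but nothing visible in the `check:` block requires `headers` to be present or non-empty when that type is selected, so a `$type: "Headers"` value with no `headers` passes KCL validation and is rejected only downstream, if at all. If the CRD carries a matching validation rule, mirroring it would be something like `headers if $type == "Headers"` next to the existing checks; the same question applies to the pre-existing `header`/`"Header"` pair. The `check:` block continues outside the hunk, so such a rule may already exist there.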
@@ -5398,6 +5772,23 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsL
r"""
Header configures the header hash policy when the consistent hash type is set to Header.
+ Deprecated: use Headers instead
+
+ Attributes
+ ----------
+ name : str, default is Undefined, required
+ Name of the header to hash.
+ """
+
+
+ name: str
+
+
+schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsLoadBalancerConsistentHashHeadersItems0:
+ r"""
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+
Attributes
----------
name : str, default is Undefined, required
@@ -5494,6 +5885,8 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsL
force
minEndpointsThreshold : int, default is Undefined, optional
MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+ percentageEnabled : int, default is Undefined, optional
+ Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.
"""
@@ -5501,6 +5894,13 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsL
minEndpointsThreshold?: int
+ percentageEnabled?: int
+
+
+ check:
+ percentageEnabled <= 100 if percentageEnabled not in [None, Undefined]
+ percentageEnabled >= 0 if percentageEnabled not in [None, Undefined]
+
schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsLoadBalancerZoneAwarePreferLocalForce:
r"""
@@ -5638,7 +6038,7 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsR
check:
- all httpStatusCodes in httpStatusCodes { httpStatusCodes < 600 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
+ all httpStatusCodes in httpStatusCodes { httpStatusCodes <= 599 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
all httpStatusCodes in httpStatusCodes { httpStatusCodes >= 100 if httpStatusCodes not in [None, Undefined] } if httpStatusCodes
@@ -5706,6 +6106,11 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsT
maxConnectionDuration : str, default is Undefined, optional
The maximum duration of an HTTP connection.
Default: unlimited.
+ maxStreamDuration : str, default is Undefined, optional
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
requestTimeout : str, default is Undefined, optional
RequestTimeout is the time until which entire response is received from the upstream.
"""
@@ -5715,12 +6120,15 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicySpecOidcProviderBackendSettingsT
maxConnectionDuration?: str
+ maxStreamDuration?: str
+
requestTimeout?: str
check:
_regex_match(str(connectionIdleTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if connectionIdleTimeout
_regex_match(str(maxConnectionDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxConnectionDuration
+ _regex_match(str(maxStreamDuration), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if maxStreamDuration
_regex_match(str(requestTimeout), r"^([0-9]{1,5}(h|m|s|ms)){1,4}$") if requestTimeout
@@ -5997,8 +6405,38 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0:
----------
ancestorRef : GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0AncestorRef, default is Undefined, required
ancestor ref
- conditions : [GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, optional
+ conditions : [GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0ConditionsItems0], default is Undefined, required
Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
controllerName : str, default is Undefined, required
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
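Review bot: Changing `conditions` from `optional` to `required` is a breaking change for any KCL caller that builds this ancestor status entry without conditions, and the long implementor note added beneath it does not say so; a sentence in the commit description or docstring such as `conditions is now required: at least one condition must be supplied` would spare consumers a surprise when the check block (also tightened in the next hunk) starts failing. The note speaks of `metadata.generation` of the Gateway, although this entry is keyed by an arbitrary `ancestorRef`; the text appears to be inherited upstream wording, so I would leave it unless the generator input can be corrected. Three blank lines precede `Notes for implementors:`, more separation than the rest of the docstring uses.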
@@ -6018,14 +6456,14 @@ schema GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0:
ancestorRef: GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0AncestorRef
- conditions?: [GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0ConditionsItems0]
+ conditions: [GatewayEnvoyproxyIoV1alpha1SecurityPolicyStatusAncestorsItems0ConditionsItems0]
controllerName: str
check:
- len(conditions) >= 1 if conditions
- len(conditions) <= 8 if conditions
+ len(conditions) >= 1
+ len(conditions) <= 8
len(controllerName) <= 253
len(controllerName) >= 1
_regex_match(str(controllerName), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$")