diff --git a/api/v1alpha1/jwt_types.go b/api/v1alpha1/jwt_types.go index 4948669a292..f0bdd7d6f75 100644 --- a/api/v1alpha1/jwt_types.go +++ b/api/v1alpha1/jwt_types.go @@ -8,6 +8,10 @@ package v1alpha1 // JWT defines the configuration for JSON Web Token (JWT) authentication. type JWT struct { + // AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented. + // + AllowMissing bool `json:"allowMissing,omitempty"` + // Providers defines the JSON Web Token (JWT) authentication provider type. // When multiple JWT providers are specified, the JWT is considered valid if // any of the providers successfully validate the JWT. For additional details, diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index bad8a8f3533..63678fa69de 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -422,6 +422,10 @@ spec: description: JWT defines the configuration for JSON Web Token (JWT) authentication. properties: + allowMissing: + description: AllowMissing specifies whether a missing JWT is acceptable, + but it will fail if an invalid JWT is presented. + type: boolean providers: description: |- Providers defines the JSON Web Token (JWT) authentication provider type. diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index d0f1c69958d..804c8d42d8a 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -527,7 +527,8 @@ func wildcard2regex(wildcard string) string { func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT { return &ir.JWT{ - Providers: jwt.Providers, + AllowMissing: jwt.AllowMissing, + Providers: jwt.Providers, } } 
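Review bot: The new `AllowMissing` field in `JWT` (api/v1alpha1/jwt_types.go) has an `omitempty` JSON tag but no `// +optional` marker, and the regenerated extension_types.md table in this same commit now lists `allowMissing` as Required `true`, so the published API docs contradict the tag; the stray empty `//` line directly above the field looks like the spot where `// +optional` was meant to go (the same dangling `//` line sits above the IR field in internal/ir/xds.go). The doc comment should also state plainly what is being relaxed, since this is an authentication bypass by design for routes that opt in, e.g. `// When true, a request that carries no JWT is still accepted by the JWT filter; a request that presents an invalid JWT is rejected as before.` It is also worth a sentence telling policy authors that claim-to-header values are presumably only populated when a token was actually validated, so anything downstream that reads those headers must not assume they are present on an allow-missing route; confirm against the filter behaviour before wording it as a guarantee.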
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.in.yaml new file mode 100644 index 00000000000..5567d0b986b --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.in.yaml 
@@ -0,0 +1,127 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-2 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + jwt: + providers: + - name: example1 + issuer: https://one.example.com + audiences: + - one.foo.com + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json + claimToHeaders: + - header: one-route-example-key + claim: claim1 + - name: example2 + issuer: https://two.example.com + audiences: + - two.foo.com + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + claimToHeaders: + - header: two-route-example-key + claim: claim2 +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: 
+ namespace: default + name: policy-for-route + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + namespace: default + jwt: + providers: + - name: example3 + issuer: https://three.example.com + audiences: + - three.foo.com + remoteJWKS: + uri: https://three.example.com/jwt/public-key/jwks.json + claimToHeaders: + - header: three-route-example-key + claim: claim3 + extractFrom: + headers: + - name: Authorization + valuePrefix: 'Bearer ' + cookies: + - session_access_token + params: + - token + allowMissing: true diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml new file mode 100644 index 00000000000..de595317ec3 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml 
@@ -0,0 +1,384 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: 
grpcroute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-2 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 + envoy-gateway/gateway-2: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-2/http + ports: + - containerPort: 10080 + name: http + protocol: HTTP + servicePort: 80 + 
metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-2 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-route + namespace: default + spec: + jwt: + allowMissing: true + providers: + - audiences: + - three.foo.com + claimToHeaders: + - claim: claim3 + header: three-route-example-key + extractFrom: + cookies: + - session_access_token + headers: + - name: Authorization + valuePrefix: 'Bearer ' + params: + - token + issuer: https://three.example.com + name: example3 + remoteJWKS: + uri: https://three.example.com/jwt/public-key/jwks.json + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + namespace: default + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + jwt: + providers: + - audiences: + - one.foo.com + claimToHeaders: + - claim: claim1 + header: one-route-example-key + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json + - audiences: + - two.foo.com + claimToHeaders: + - claim: claim2 + header: two-route-example-key + issuer: https://two.example.com + name: example2 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: true + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - backendWeights: + invalid: 0 + valid: 0 + destination: + name: grpcroute/default/grpcroute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + hostname: '*' + isHTTP2: true + jwt: + providers: + - audiences: + - one.foo.com + claimToHeaders: + - claim: claim1 + header: one-route-example-key + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json + - audiences: + - two.foo.com + claimToHeaders: + - claim: claim2 + header: two-route-example-key + issuer: https://two.example.com + name: example2 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + name: grpcroute/default/grpcroute-1/rule/0/match/-1/* + envoy-gateway/gateway-2: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-2/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + jwt: + allowMissing: true + providers: + - audiences: + - three.foo.com + claimToHeaders: + - claim: claim3 + header: three-route-example-key + extractFrom: + cookies: + - session_access_token + headers: + - name: Authorization + valuePrefix: 'Bearer ' + params: + - token + issuer: https://three.example.com + 
name: example3 + remoteJWKS: + uri: https://three.example.com/jwt/public-key/jwks.json + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 3b330d3fef6..8bd92214e29 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -570,6 +570,10 @@ type CORS struct { // // +k8s:deepcopy-gen=true type JWT struct { + // AllowMissing specifies whether JWT authentication could be optionally required. + // + AllowMissing bool `json:"allowMissing,omitempty" yaml:"allowMissing,omitempty"` + // Providers defines a list of JSON Web Token (JWT) authentication providers. Providers []egv1a1.JWTProvider `json:"providers,omitempty" yaml:"providers,omitempty"` } diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index beb0bebcca4..de5af852a99 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -17,6 +17,7 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/wellknown" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" + "google.golang.org/protobuf/types/known/emptypb" "k8s.io/utils/ptr" "github.com/envoyproxy/gateway/api/v1alpha1" @@ -163,6 +164,15 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication, }, }) } + + if route.JWT.AllowMissing { + reqs = append(reqs, &jwtauthnv3.JwtRequirement{ + RequiresType: &jwtauthnv3.JwtRequirement_AllowMissing{ + AllowMissing: &emptypb.Empty{}, + }, + }) + } + if len(reqs) == 1 { reqMap[route.Name] = reqs[0] } else { diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml new file mode 100644 index 00000000000..4104cdefe5f --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml 
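Review bot: The `if route.JWT.AllowMissing` branch added to buildJWTAuthn (internal/xds/translator/jwt.go) appends an `AllowMissing` requirement as one more entry in `reqs` without saying why, and the reader has to combine it with the `len(reqs) == 1` split below and the expected jwt-optional.listeners.yaml output (where `providerName` and `allowMissing: {}` end up as siblings under `requiresAny`) to understand the resulting semantics. A comment above the new `if` would make the intent explicit: `// AllowMissing is modelled as an extra alternative in the requirement list: a request with no JWT satisfies it, while a request that presents an invalid JWT still fails every alternative.` Since a single provider plus AllowMissing yields two entries, this always takes the else branch, which is presumably what builds the requires_any; that branch and the rest of buildJWTAuthn lie outside the hunk.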
@@ -0,0 +1,37 @@ +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "first-route" + hostname: "*" + pathMatch: + exact: "foo/bar" + jwt: + providers: + - name: example + issuer: https://www.example.com + audiences: + - foo.com + remoteJWKS: + uri: https://localhost/jwt/public-key/jwks.json + extractFrom: + cookies: + - session_access_token + headers: + - name: Authorization + valuePrefix: 'Bearer ' + params: + - token + allowMissing: true + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml new file mode 100644 index 00000000000..8ede70cf99a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml 
@@ -0,0 +1,53 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest + lbPolicy: LEAST_REQUEST + name: first-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: localhost_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: localhost + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: localhost_443/backend/0 + name: localhost_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: localhost + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.endpoints.yaml new file mode 100644 index 00000000000..3b3f2d09076 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: first-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: first-route-dest/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml new file mode 100644 index 00000000000..f173f145470 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml 
@@ -0,0 +1,65 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.jwt_authn + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication + providers: + first-route/example: + audiences: + - foo.com + forward: true + fromCookies: + - session_access_token + fromHeaders: + - name: Authorization + valuePrefix: 'Bearer ' + fromParams: + - token + issuer: https://www.example.com + payloadInMetadata: https://www.example.com + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: localhost_443 + timeout: 10s + uri: https://localhost/jwt/public-key/jwks.json + retryPolicy: {} + requirementMap: + first-route: + requiresAny: + requirements: + - providerName: first-route/example + - allowMissing: {} + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http + useRemoteAddress: true + drainType: MODIFY_ONLY + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.routes.yaml new file mode 100644 index 00000000000..321ecc1ced2 --- /dev/null 
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.routes.yaml @@ -0,0 +1,18 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - match: + path: foo/bar + name: first-route + route: + cluster: first-route-dest + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: first-route diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 367e7741277..a13ee7c8428 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -310,6 +310,9 @@ func TestTranslateXds(t *testing.T) { { name: "ext-proc", }, + { + name: "jwt-optional", + }, } for _, tc := range testCases { diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index a9847ac0645..1167b8a9a39 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -40,9 +40,9 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `http/1.0` | HTTPProtocolVersion1_0 specifies that HTTP/1.0 should be negotiable with ALPN
| -| `http/1.1` | HTTPProtocolVersion1_1 specifies that HTTP/1.1 should be negotiable with ALPN
| -| `h2` | HTTPProtocolVersion2 specifies that HTTP/2 should be negotiable with ALPN
| +| `http/1.0` | HTTPProtocolVersion1_0 specifies that HTTP/1.0 should be negotiable with ALPN
| +| `http/1.1` | HTTPProtocolVersion1_1 specifies that HTTP/1.1 should be negotiable with ALPN
| +| `h2` | HTTPProtocolVersion2 specifies that HTTP/2 should be negotiable with ALPN
| #### ALSEnvoyProxyAccessLog @@ -81,8 +81,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `HTTP` | ALSEnvoyProxyAccessLogTypeHTTP defines the HTTP access log type and will populate StreamAccessLogsMessage.http_logs.
| -| `TCP` | ALSEnvoyProxyAccessLogTypeTCP defines the TCP access log type and will populate StreamAccessLogsMessage.tcp_logs.
| +| `HTTP` | ALSEnvoyProxyAccessLogTypeHTTP defines the HTTP access log type and will populate StreamAccessLogsMessage.http_logs.
| +| `TCP` | ALSEnvoyProxyAccessLogTypeTCP defines the TCP access log type and will populate StreamAccessLogsMessage.tcp_logs.
| #### ALSEnvoyProxyHTTPAccessLogConfig @@ -150,8 +150,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Text` | ActiveHealthCheckPayloadTypeText defines the Text type payload.
| -| `Binary` | ActiveHealthCheckPayloadTypeBinary defines the Binary type payload.
| +| `Text` | ActiveHealthCheckPayloadTypeText defines the Text type payload.
| +| `Binary` | ActiveHealthCheckPayloadTypeBinary defines the Binary type payload.
| #### ActiveHealthCheckerType @@ -165,8 +165,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `HTTP` | ActiveHealthCheckerTypeHTTP defines the HTTP type of health checking.
| -| `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.
| +| `HTTP` | ActiveHealthCheckerTypeHTTP defines the HTTP type of health checking.
| +| `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.
| #### BackOffPolicy @@ -288,8 +288,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Merge` | Merge merges the provided bootstrap with the default one. The provided bootstrap can add or override a value
within a map, or add a new value to a list.
Please note that the provided bootstrap can't override a value within a list.
| -| `Replace` | Replace replaces the default bootstrap with the provided one.
| +| `Merge` | Merge merges the provided bootstrap with the default one. The provided bootstrap can add or override a value
within a map, or add a new value to a list.
Please note that the provided bootstrap can't override a value within a list.
| +| `Replace` | Replace replaces the default bootstrap with the provided one.
| #### CORS @@ -530,7 +530,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `SourceIP` | SourceIPConsistentHashType hashes based on the source IP address.
| +| `SourceIP` | SourceIPConsistentHashType hashes based on the source IP address.
| #### CustomHeaderExtensionSettings @@ -579,9 +579,9 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Literal` | CustomTagTypeLiteral adds hard-coded value to each span.
| -| `Environment` | CustomTagTypeEnvironment adds value from environment variable to each span.
| -| `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| +| `Literal` | CustomTagTypeLiteral adds hard-coded value to each span.
| +| `Environment` | CustomTagTypeEnvironment adds value from environment variable to each span.
| +| `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| #### EnvironmentCustomTag @@ -786,13 +786,13 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `default` | LogComponentGatewayDefault defines the "default"-wide logging component. When specified,
all other logging components are ignored.
| -| `provider` | LogComponentProviderRunner defines the "provider" runner component.
| -| `gateway-api` | LogComponentGatewayAPIRunner defines the "gateway-api" runner component.
| -| `xds-translator` | LogComponentXdsTranslatorRunner defines the "xds-translator" runner component.
| -| `xds-server` | LogComponentXdsServerRunner defines the "xds-server" runner component.
| -| `infrastructure` | LogComponentInfrastructureRunner defines the "infrastructure" runner component.
| -| `global-ratelimit` | LogComponentGlobalRateLimitRunner defines the "global-ratelimit" runner component.
| +| `default` | LogComponentGatewayDefault defines the "default"-wide logging component. When specified,
all other logging components are ignored.
| +| `provider` | LogComponentProviderRunner defines the "provider" runner component.
| +| `gateway-api` | LogComponentGatewayAPIRunner defines the "gateway-api" runner component.
| +| `xds-translator` | LogComponentXdsTranslatorRunner defines the "xds-translator" runner component.
| +| `xds-server` | LogComponentXdsServerRunner defines the "xds-server" runner component.
| +| `infrastructure` | LogComponentInfrastructureRunner defines the "infrastructure" runner component.
| +| `global-ratelimit` | LogComponentGlobalRateLimitRunner defines the "global-ratelimit" runner component.
| #### EnvoyGatewayLogging @@ -1019,7 +1019,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `JSONPatch` | JSONPatchEnvoyPatchType allows the user to patch the generated xDS resources using JSONPatch semantics.
For more details on the semantics, please refer to https://datatracker.ietf.org/doc/html/rfc6902
| +| `JSONPatch` | JSONPatchEnvoyPatchType allows the user to patch the generated xDS resources using JSONPatch semantics.
For more details on the semantics, please refer to https://datatracker.ietf.org/doc/html/rfc6902
| #### EnvoyProxy @@ -1104,10 +1104,10 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `type.googleapis.com/envoy.config.listener.v3.Listener` | ListenerEnvoyResourceType defines the Type URL of the Listener resource
| -| `type.googleapis.com/envoy.config.route.v3.RouteConfiguration` | RouteConfigurationEnvoyResourceType defines the Type URL of the RouteConfiguration resource
| -| `type.googleapis.com/envoy.config.cluster.v3.Cluster` | ClusterEnvoyResourceType defines the Type URL of the Cluster resource
| -| `type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment` | ClusterLoadAssignmentEnvoyResourceType defines the Type URL of the ClusterLoadAssignment resource
| +| `type.googleapis.com/envoy.config.listener.v3.Listener` | ListenerEnvoyResourceType defines the Type URL of the Listener resource
| +| `type.googleapis.com/envoy.config.route.v3.RouteConfiguration` | RouteConfigurationEnvoyResourceType defines the Type URL of the RouteConfiguration resource
| +| `type.googleapis.com/envoy.config.cluster.v3.Cluster` | ClusterEnvoyResourceType defines the Type URL of the Cluster resource
| +| `type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment` | ClusterLoadAssignmentEnvoyResourceType defines the Type URL of the ClusterLoadAssignment resource
| #### ExtAuth @@ -1521,9 +1521,9 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Exact` | HeaderMatchExact matches the exact value of the Value field against the value of
the specified HTTP Header.
| -| `RegularExpression` | HeaderMatchRegularExpression matches a regular expression against the value of the
specified HTTP Header. The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| -| `Distinct` | HeaderMatchDistinct matches any and all possible unique values encountered in the
specified HTTP Header. Note that each unique value will receive its own rate limit
bucket.
Note: This is only supported for Global Rate Limits.
| +| `Exact` | HeaderMatchExact matches the exact value of the Value field against the value of
the specified HTTP Header.
| +| `RegularExpression` | HeaderMatchRegularExpression matches a regular expression against the value of the
specified HTTP Header. The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| +| `Distinct` | HeaderMatchDistinct matches any and all possible unique values encountered in the
specified HTTP Header. Note that each unique value will receive its own rate limit
bucket.
Note: This is only supported for Global Rate Limits.
| #### HeaderSettings @@ -1583,7 +1583,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Host` | InfrastructureProviderTypeHost defines the "Host" provider.
| +| `Host` | InfrastructureProviderTypeHost defines the "Host" provider.
| #### JSONPatchOperation @@ -1626,6 +1626,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `allowMissing` | _boolean_ | true | AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented. | +| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | + | `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | @@ -1895,10 +1898,10 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `ConsistentHash` | ConsistentHashLoadBalancerType load balancer policy.
| -| `LeastRequest` | LeastRequestLoadBalancerType load balancer policy.
| -| `Random` | RandomLoadBalancerType load balancer policy.
| -| `RoundRobin` | RoundRobinLoadBalancerType load balancer policy.
| +| `ConsistentHash` | ConsistentHashLoadBalancerType load balancer policy.
| +| `LeastRequest` | LeastRequestLoadBalancerType load balancer policy.
| +| `Random` | RandomLoadBalancerType load balancer policy.
| +| `RoundRobin` | RoundRobinLoadBalancerType load balancer policy.
| #### LocalRateLimit @@ -1927,10 +1930,10 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `debug` | LogLevelDebug defines the "debug" logging level.
| -| `info` | LogLevelInfo defines the "Info" logging level.
| -| `warn` | LogLevelWarn defines the "Warn" logging level.
| -| `error` | LogLevelError defines the "Error" logging level.
| +| `debug` | LogLevelDebug defines the "debug" logging level.
| +| `info` | LogLevelInfo defines the "Info" logging level.
| +| `warn` | LogLevelWarn defines the "Warn" logging level.
| +| `error` | LogLevelError defines the "Error" logging level.
| @@ -1947,7 +1950,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `OpenTelemetry` | | +| `OpenTelemetry` | | #### OIDC @@ -2060,10 +2063,10 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `KeepUnchanged` | KeepUnchangedAction keeps escaped slashes as they arrive without changes
| -| `RejectRequest` | RejectRequestAction rejects client requests containing escaped slashes
with a 400 status. gRPC requests will be rejected with the INTERNAL (13)
error code.
The "httpN.downstream_rq_failed_path_normalization" counter is incremented
for each rejected request.
| -| `UnescapeAndRedirect` | UnescapeAndRedirect unescapes %2F and %5C sequences and redirects to the new path
if these sequences were present.
Redirect occurs after path normalization and merge slashes transformations if
they were configured. gRPC requests will be rejected with the INTERNAL (13)
error code.
This option minimizes possibility of path confusion exploits by forcing request
with unescaped slashes to traverse all parties: downstream client, intermediate
proxies, Envoy and upstream server.
The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented
for each redirected request.
| -| `UnescapeAndForward` | UnescapeAndForward unescapes %2F and %5C sequences and forwards the request.
Note: this option should not be enabled if intermediaries perform path based access
control as it may lead to path confusion vulnerabilities.
| +| `KeepUnchanged` | KeepUnchangedAction keeps escaped slashes as they arrive without changes
| +| `RejectRequest` | RejectRequestAction rejects client requests containing escaped slashes
with a 400 status. gRPC requests will be rejected with the INTERNAL (13)
error code.
The "httpN.downstream_rq_failed_path_normalization" counter is incremented
for each rejected request.
| +| `UnescapeAndRedirect` | UnescapeAndRedirect unescapes %2F and %5C sequences and redirects to the new path
if these sequences were present.
Redirect occurs after path normalization and merge slashes transformations if
they were configured. gRPC requests will be rejected with the INTERNAL (13)
error code.
This option minimizes possibility of path confusion exploits by forcing request
with unescaped slashes to traverse all parties: downstream client, intermediate
proxies, Envoy and upstream server.
The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented
for each redirected request.
| +| `UnescapeAndForward` | UnescapeAndForward unescapes %2F and %5C sequences and forwards the request.
Note: this option should not be enabled if intermediaries perform path based access
control as it may lead to path confusion vulnerabilities.
| #### PathSettings @@ -2108,8 +2111,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Kubernetes` | ProviderTypeKubernetes defines the "Kubernetes" provider.
| -| `File` | ProviderTypeFile defines the "File" provider. This type is not implemented
until https://github.com/envoyproxy/gateway/issues/1001 is fixed.
| +| `Kubernetes` | ProviderTypeKubernetes defines the "Kubernetes" provider.
| +| `File` | ProviderTypeFile defines the "File" provider. This type is not implemented
until https://github.com/envoyproxy/gateway/issues/1001 is fixed.
| #### ProxyAccessLog @@ -2155,8 +2158,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Text` | ProxyAccessLogFormatTypeText defines the text accesslog format.
| -| `JSON` | ProxyAccessLogFormatTypeJSON defines the JSON accesslog format.
| +| `Text` | ProxyAccessLogFormatTypeText defines the text accesslog format.
| +| `JSON` | ProxyAccessLogFormatTypeJSON defines the JSON accesslog format.
| #### ProxyAccessLogSetting @@ -2202,9 +2205,9 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `ALS` | ProxyAccessLogSinkTypeALS defines the gRPC Access Log Service (ALS) sink.
The service must implement the Envoy gRPC Access Log Service streaming API:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
| -| `File` | ProxyAccessLogSinkTypeFile defines the file accesslog sink.
| -| `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| +| `ALS` | ProxyAccessLogSinkTypeALS defines the gRPC Access Log Service (ALS) sink.
The service must implement the Envoy gRPC Access Log Service streaming API:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
| +| `File` | ProxyAccessLogSinkTypeFile defines the file accesslog sink.
| +| `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| #### ProxyBootstrap @@ -2233,16 +2236,16 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `default` | LogComponentDefault defines the default logging component.
See more details: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-l
| -| `upstream` | LogComponentUpstream defines the "upstream" logging component.
| -| `http` | LogComponentHTTP defines the "http" logging component.
| -| `connection` | LogComponentConnection defines the "connection" logging component.
| -| `admin` | LogComponentAdmin defines the "admin" logging component.
| -| `client` | LogComponentClient defines the "client" logging component.
| -| `filter` | LogComponentFilter defines the "filter" logging component.
| -| `main` | LogComponentMain defines the "main" logging component.
| -| `router` | LogComponentRouter defines the "router" logging component.
| -| `runtime` | LogComponentRuntime defines the "runtime" logging component.
| +| `default` | LogComponentDefault defines the default logging component.
See more details: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-l
| +| `upstream` | LogComponentUpstream defines the "upstream" logging component.
| +| `http` | LogComponentHTTP defines the "http" logging component.
| +| `connection` | LogComponentConnection defines the "connection" logging component.
| +| `admin` | LogComponentAdmin defines the "admin" logging component.
| +| `client` | LogComponentClient defines the "client" logging component.
| +| `filter` | LogComponentFilter defines the "filter" logging component.
| +| `main` | LogComponentMain defines the "main" logging component.
| +| `router` | LogComponentRouter defines the "router" logging component.
| +| `runtime` | LogComponentRuntime defines the "runtime" logging component.
| #### ProxyLogging @@ -2348,8 +2351,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `V1` | ProxyProtocolVersionV1 is the PROXY protocol version 1 (human readable format).
| -| `V2` | ProxyProtocolVersionV2 is the PROXY protocol version 2 (binary format).
| +| `V1` | ProxyProtocolVersionV1 is the PROXY protocol version 1 (human readable format).
| +| `V2` | ProxyProtocolVersionV2 is the PROXY protocol version 2 (binary format).
| #### ProxyTelemetry @@ -2431,7 +2434,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Redis` | RedisBackendType uses a redis database for the rate limit service.
| +| `Redis` | RedisBackendType uses a redis database for the rate limit service.
| #### RateLimitMetrics @@ -2585,8 +2588,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Global` | GlobalRateLimitType allows the rate limits to be applied across all Envoy
proxy instances.
| -| `Local` | LocalRateLimitType allows the rate limits to be applied on a per Envoy
proxy instance basis.
| +| `Global` | GlobalRateLimitType allows the rate limits to be applied across all Envoy
proxy instances.
| +| `Local` | LocalRateLimitType allows the rate limits to be applied on a per Envoy
proxy instance basis.
| #### RateLimitUnit @@ -2601,10 +2604,10 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Second` | RateLimitUnitSecond specifies the rate limit interval to be 1 second.
| -| `Minute` | RateLimitUnitMinute specifies the rate limit interval to be 1 minute.
| -| `Hour` | RateLimitUnitHour specifies the rate limit interval to be 1 hour.
| -| `Day` | RateLimitUnitDay specifies the rate limit interval to be 1 day.
| +| `Second` | RateLimitUnitSecond specifies the rate limit interval to be 1 second.
| +| `Minute` | RateLimitUnitMinute specifies the rate limit interval to be 1 minute.
| +| `Hour` | RateLimitUnitHour specifies the rate limit interval to be 1 hour.
| +| `Day` | RateLimitUnitDay specifies the rate limit interval to be 1 day.
| #### RateLimitValue @@ -2677,7 +2680,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `File` | ResourceProviderTypeFile defines the "File" provider.
| +| `File` | ResourceProviderTypeFile defines the "File" provider.
| #### Retry @@ -2779,8 +2782,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Cluster` | ServiceExternalTrafficPolicyCluster routes traffic to all endpoints.
| -| `Local` | ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by
routing only to endpoints on the same node as the traffic was received on
(dropping the traffic if there are no local endpoints).
| +| `Cluster` | ServiceExternalTrafficPolicyCluster routes traffic to all endpoints.
| +| `Local` | ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by
routing only to endpoints on the same node as the traffic was received on
(dropping the traffic if there are no local endpoints).
| #### ServiceType @@ -2794,9 +2797,9 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `ClusterIP` | ServiceTypeClusterIP means a service will only be accessible inside the
cluster, via the cluster IP.
| -| `LoadBalancer` | ServiceTypeLoadBalancer means a service will be exposed via an
external load balancer (if the cloud provider supports it).
| -| `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| +| `ClusterIP` | ServiceTypeClusterIP means a service will only be accessible inside the
cluster, via the cluster IP.
| +| `LoadBalancer` | ServiceTypeLoadBalancer means a service will be exposed via an
external load balancer (if the cloud provider supports it).
| +| `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| #### ShutdownConfig @@ -2841,8 +2844,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Exact` | SourceMatchExact All IP Addresses within the specified Source IP CIDR are treated as a single client selector
and share the same rate limit bucket.
| -| `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +| `Exact` | SourceMatchExact All IP Addresses within the specified Source IP CIDR are treated as a single client selector
and share the same rate limit bucket.
| +| `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| #### StringMatch @@ -2874,10 +2877,10 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Exact` | StringMatchExact :the input string must match exactly the match value.
| -| `Prefix` | StringMatchPrefix :the input string must start with the match value.
| -| `Suffix` | StringMatchSuffix :the input string must end with the match value.
| -| `RegularExpression` | StringMatchRegularExpression :The input string must match the regular expression
specified in the match value.
The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| +| `Exact` | StringMatchExact :the input string must match exactly the match value.
| +| `Prefix` | StringMatchPrefix :the input string must start with the match value.
| +| `Suffix` | StringMatchSuffix :the input string must end with the match value.
| +| `RegularExpression` | StringMatchRegularExpression :The input string must match the regular expression
specified in the match value.
The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| #### TCPActiveHealthChecker @@ -2957,11 +2960,11 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Auto` | TLSAuto allows Envoy to choose the optimal TLS Version
| -| `1.0` | TLS1.0 specifies TLS version 1.0
| -| `1.1` | TLS1.1 specifies TLS version 1.1
| -| `1.2` | TLSv1.2 specifies TLS version 1.2
| -| `1.3` | TLSv1.3 specifies TLS version 1.3
| +| `Auto` | TLSAuto allows Envoy to choose the optimal TLS Version
| +| `1.0` | TLS1.0 specifies TLS version 1.0
| +| `1.1` | TLS1.1 specifies TLS version 1.1
| +| `1.2` | TLSv1.2 specifies TLS version 1.2
| +| `1.3` | TLSv1.3 specifies TLS version 1.3
| #### Timeout @@ -3007,8 +3010,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `OpenTelemetry` | | -| `OpenTelemetry` | | +| `OpenTelemetry` | | +| `OpenTelemetry` | | #### TriggerEnum @@ -3022,18 +3025,18 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `5xx` | The upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout).
Includes connect-failure and refused-stream.
| -| `gateway-error` | The response is a gateway error (502,503 or 504).
| -| `reset` | The upstream server does not respond at all (disconnect/reset/read timeout.)
| -| `connect-failure` | Connection failure to the upstream server (connect timeout, etc.). (Included in *5xx*)
| -| `retriable-4xx` | The upstream server responds with a retriable 4xx response code.
Currently, the only response code in this category is 409.
| -| `refused-stream` | The upstream server resets the stream with a REFUSED_STREAM error code.
| -| `retriable-status-codes` | The upstream server responds with any response code matching one defined in the RetriableStatusCodes.
| -| `cancelled` | The gRPC status code in the response headers is “cancelled”.
| -| `deadline-exceeded` | The gRPC status code in the response headers is “deadline-exceeded”.
| -| `internal` | The gRPC status code in the response headers is “internal”.
| -| `resource-exhausted` | The gRPC status code in the response headers is “resource-exhausted”.
| -| `unavailable` | The gRPC status code in the response headers is “unavailable”.
| +| `5xx` | The upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout).
Includes connect-failure and refused-stream.
| +| `gateway-error` | The response is a gateway error (502,503 or 504).
| +| `reset` | The upstream server does not respond at all (disconnect/reset/read timeout.)
| +| `connect-failure` | Connection failure to the upstream server (connect timeout, etc.). (Included in *5xx*)
| +| `retriable-4xx` | The upstream server responds with a retriable 4xx response code.
Currently, the only response code in this category is 409.
| +| `refused-stream` | The upstream server resets the stream with a REFUSED_STREAM error code.
| +| `retriable-status-codes` | The upstream server responds with any response code matching one defined in the RetriableStatusCodes.
| +| `cancelled` | The gRPC status code in the response headers is “cancelled”.
| +| `deadline-exceeded` | The gRPC status code in the response headers is “deadline-exceeded”.
| +| `internal` | The gRPC status code in the response headers is “internal”.
| +| `resource-exhausted` | The gRPC status code in the response headers is “resource-exhausted”.
| +| `unavailable` | The gRPC status code in the response headers is “unavailable”.
| #### Wasm @@ -3084,8 +3087,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `HTTP` | HTTPWasmCodeSourceType allows the user to specify the wasm code in an HTTP URL.
| -| `Image` | ImageWasmCodeSourceType allows the user to specify the wasm code in an OCI image.
| +| `HTTP` | HTTPWasmCodeSourceType allows the user to specify the wasm code in an HTTP URL.
| +| `Image` | ImageWasmCodeSourceType allows the user to specify the wasm code in an OCI image.
| #### WithUnderscoresAction @@ -3100,9 +3103,9 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Allow` | WithUnderscoresActionAllow allows headers with underscores to be passed through.
| -| `RejectRequest` | WithUnderscoresActionRejectRequest rejects the client request. HTTP/1 requests are rejected with
the 400 status. HTTP/2 requests end with the stream reset.
| -| `DropHeader` | WithUnderscoresActionDropHeader drops the client header with name containing underscores. The header
is dropped before the filter chain is invoked and as such filters will not see
dropped headers.
| +| `Allow` | WithUnderscoresActionAllow allows headers with underscores to be passed through.
| +| `RejectRequest` | WithUnderscoresActionRejectRequest rejects the client request. HTTP/1 requests are rejected with
the 400 status. HTTP/2 requests end with the stream reset.
| +| `DropHeader` | WithUnderscoresActionDropHeader drops the client header with name containing underscores. The header
is dropped before the filter chain is invoked and as such filters will not see
dropped headers.
| #### XDSTranslatorHook @@ -3117,10 +3120,10 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `VirtualHost` | | -| `Route` | | -| `HTTPListener` | | -| `Translation` | | +| `VirtualHost` | | +| `Route` | | +| `HTTPListener` | | +| `Translation` | | #### XDSTranslatorHooks