From 844558ba56b2b53ad432d2024c41b7f4193972f8 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Wed, 10 Apr 2024 14:48:35 -0500 Subject: [PATCH 1/5] add processing mode Signed-off-by: Guy Daich --- api/v1alpha1/ext_proc_types.go | 41 ++++++++++++++- api/v1alpha1/zz_generated.deepcopy.go | 50 +++++++++++++++++++ ....envoyproxy.io_envoyextensionpolicies.yaml | 34 ++++++++++++- site/content/en/latest/api/extension_types.md | 44 +++++++++++++++- .../envoyextensionpolicy_test.go | 38 ++++++++++++++ 5 files changed, 204 insertions(+), 3 deletions(-) diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go index c94682198b4..e65eca9f9b2 100644 --- a/api/v1alpha1/ext_proc_types.go +++ b/api/v1alpha1/ext_proc_types.go @@ -9,13 +9,52 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) +// +kubebuilder:validation:Enum=Streamed;Buffered;BufferedPartial +type ExtProcBodyProcessingMode string + +const ( + StreamedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Streamed" + BufferedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Buffered" + BufferedPartialExtBodyHeaderProcessingMode ExtProcBodyProcessingMode = "BufferedPartial" +) + +// ProcessingModeOptions defines if headers or body should be processed by the external service +type ProcessingModeOptions struct { + // Defines body processing mode + // + // +optional + Body *ExtProcBodyProcessingMode `json:"body,omitempty"` +} + +// ExtProcProcessingMode defines if and how headers and bodies are sent to the service. +// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/processing_mode.proto#envoy-v3-api-msg-extensions-filters-http-ext-proc-v3-processingmode +type ExtProcProcessingMode struct { + // Defines processing mode for requests. If present, request headers are sent. Request body is processed according + // to the specified mode. + // + // +optional + Request *ProcessingModeOptions `json:"request,omitempty"` + + // Defines processing mode for responses. If present, response headers are sent. Response body is processed according + // to the specified mode. + // + // +optional + Response *ProcessingModeOptions `json:"response,omitempty"` +} + // +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.group) || self.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported" // +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.kind) || self.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported" // // ExtProc defines the configuration for External Processing filter. type ExtProc struct { - // Service defines the configuration of the external processing service + // BackendRef defines the configuration of the external processing service BackendRef ExtProcBackendRef `json:"backendRef"` + + // ProcessingMode defines how request and response body is processed + // Default: header and body are not sent to the external processor + // + // +optional + ProcessingMode *ExtProcProcessingMode `json:"processingMode,omitempty"` } // ExtProcService defines the gRPC External Processing service using the envoy grpc client diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index e82cda7787f..e968e2f4fa6 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1495,6 +1495,11 @@ func (in *ExtAuth) DeepCopy() *ExtAuth { func (in *ExtProc) DeepCopyInto(out *ExtProc) { *out = *in in.BackendRef.DeepCopyInto(&out.BackendRef) + if in.ProcessingMode != nil { + in, out := &in.ProcessingMode, &out.ProcessingMode + *out = new(ExtProcProcessingMode) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProc. @@ -1523,6 +1528,31 @@ func (in *ExtProcBackendRef) DeepCopy() *ExtProcBackendRef { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtProcProcessingMode) DeepCopyInto(out *ExtProcProcessingMode) { + *out = *in + if in.Request != nil { + in, out := &in.Request, &out.Request + *out = new(ProcessingModeOptions) + (*in).DeepCopyInto(*out) + } + if in.Response != nil { + in, out := &in.Response, &out.Response + *out = new(ProcessingModeOptions) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProcProcessingMode. +func (in *ExtProcProcessingMode) DeepCopy() *ExtProcProcessingMode { + if in == nil { + return nil + } + out := new(ExtProcProcessingMode) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtensionAPISettings) DeepCopyInto(out *ExtensionAPISettings) { *out = *in @@ -2813,6 +2843,26 @@ func (in *PerRetryPolicy) DeepCopy() *PerRetryPolicy { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProcessingModeOptions) DeepCopyInto(out *ProcessingModeOptions) { + *out = *in + if in.Body != nil { + in, out := &in.Body, &out.Body + *out = new(ExtProcBodyProcessingMode) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessingModeOptions. +func (in *ProcessingModeOptions) DeepCopy() *ProcessingModeOptions { + if in == nil { + return nil + } + out := new(ProcessingModeOptions) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyAccessLog) DeepCopyInto(out *ProxyAccessLog) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 1207b989e8f..68a618eb30b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -58,7 +58,7 @@ spec: filter. properties: backendRef: - description: Service defines the configuration of the external + description: BackendRef defines the configuration of the external processing service properties: group: @@ -134,6 +134,38 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + processingMode: + description: |- + ProcessingMode defines how request and response body is processed + Default: header and body are not sent to the external processor + properties: + request: + description: |- + Defines processing mode for requests. If present, request headers are sent. Request body is processed according + to the specified mode. + properties: + body: + description: Defines body processing mode + enum: + - Streamed + - Buffered + - BufferedPartial + type: string + type: object + response: + description: |- + Defines processing mode for responses. If present, response headers are sent. Response body is processed according + to the specified mode. + properties: + body: + description: Defines body processing mode + enum: + - Streamed + - Buffered + - BufferedPartial + type: string + type: object + type: object required: - backendRef type: object diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index c3316f67026..ac1b6d2453a 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1018,7 +1018,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[ExtProcBackendRef](#extprocbackendref)_ | true | Service defines the configuration of the external processing service | +| `backendRef` | _[ExtProcBackendRef](#extprocbackendref)_ | true | BackendRef defines the configuration of the external processing service | +| `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | #### ExtProcBackendRef @@ -1041,6 +1042,33 @@ _Appears in:_ | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | +#### ExtProcBodyProcessingMode + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProcessingModeOptions](#processingmodeoptions) + + + +#### ExtProcProcessingMode + + + +ExtProcProcessingMode defines if and how headers and bodies are sent to the service. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/processing_mode.proto#envoy-v3-api-msg-extensions-filters-http-ext-proc-v3-processingmode + +_Appears in:_ +- [ExtProc](#extproc) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `request` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for requests. If present, request headers are sent. Request body is processed according
to the specified mode. | +| `response` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for responses. If present, response headers are sent. Response body is processed according
to the specified mode. | + + #### ExtensionAPISettings @@ -1944,6 +1972,20 @@ _Appears in:_ | `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | +#### ProcessingModeOptions + + + +ProcessingModeOptions defines if headers or body should be processed by the external service + +_Appears in:_ +- [ExtProcProcessingMode](#extprocprocessingmode) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | + + #### ProviderType _Underlying type:_ _string_ diff --git a/test/cel-validation/envoyextensionpolicy_test.go b/test/cel-validation/envoyextensionpolicy_test.go index 4a179c84ec3..842990220ef 100644 --- a/test/cel-validation/envoyextensionpolicy_test.go +++ b/test/cel-validation/envoyextensionpolicy_test.go @@ -11,6 +11,8 @@ package celvalidation import ( "context" "fmt" + "k8s.io/utils/ptr" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" "strings" "testing" "time" @@ -151,6 +153,42 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { "spec.targetRef: Invalid value: \"object\": this policy does not yet support the sectionName field", }, }, + { + desc: "ExtProc with invalid fields", + mutate: func(sp *egv1a1.EnvoyExtensionPolicy) { + sp.Spec = egv1a1.EnvoyExtensionPolicySpec{ + ExtProc: []egv1a1.ExtProc{ + { + BackendRef: egv1a1.ExtProcBackendRef{ + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-proc-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, + }, + ProcessingMode: &egv1a1.ExtProcProcessingMode{ + Request: &egv1a1.ProcessingModeOptions{ + Body: ptr.To(egv1a1.ExtProcBodyProcessingMode("not-a-body-mode")), + }, + Response: &egv1a1.ProcessingModeOptions{ + Body: ptr.To(egv1a1.ExtProcBodyProcessingMode("not-a-body-mode")), + }, + }, + }, + }, + TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{ + PolicyTargetReference: gwapiv1a2.PolicyTargetReference{ + Group: "gateway.networking.k8s.io", + Kind: "Gateway", + Name: "eg", + }, + }, + } + }, + wantErrors: []string{ + "spec.extProc[0].processingMode.response.body: Unsupported value: \"not-a-body-mode\": supported values: \"Streamed\", \"Buffered\", \"BufferedPartial\"", + "spec.extProc[0].processingMode.request.body: Unsupported value: \"not-a-body-mode\": supported values: \"Streamed\", \"Buffered\", \"BufferedPartial\"", + }, + }, } for _, tc := range cases { From ec9f5e43955a6528dd15a4b9649e30d6adf3905f Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Fri, 12 Apr 2024 09:42:48 -0500 Subject: [PATCH 2/5] fix lint Signed-off-by: Guy Daich --- test/cel-validation/envoyextensionpolicy_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/cel-validation/envoyextensionpolicy_test.go b/test/cel-validation/envoyextensionpolicy_test.go index 842990220ef..f0a7c0a6941 100644 --- a/test/cel-validation/envoyextensionpolicy_test.go +++ b/test/cel-validation/envoyextensionpolicy_test.go @@ -11,15 +11,16 @@ package celvalidation import ( "context" "fmt" - "k8s.io/utils/ptr" - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" "strings" "testing" "time" + "k8s.io/utils/ptr" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" ) From 4355e67e53805e57a5b61a1da5bf313828f4c0fc Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Fri, 12 Apr 2024 10:45:27 -0500 Subject: [PATCH 3/5] fix gen Signed-off-by: Guy Daich --- site/content/en/latest/api/extension_types.md | 295 +++++++++--------- 1 file changed, 147 insertions(+), 148 deletions(-) diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 1da7390f42c..0a5e6016287 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -52,6 +52,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout defines the time to wait for a health check response. | | `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Interval defines the time between active health checks. | | `unhealthyThreshold` | _integer_ | false | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. | @@ -60,7 +61,6 @@ _Appears in:_ | `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | | `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | - #### ActiveHealthCheckPayload @@ -73,11 +73,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | | `text` | _string_ | false | Text payload in plain text. | | `binary` | _integer array_ | false | Binary payload base64 encoded. | - #### ActiveHealthCheckPayloadType _Underlying type:_ _string_ @@ -111,10 +111,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | BaseInterval is the base interval between retries. | | `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | - #### BackendRef @@ -128,13 +128,13 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `group` | _[Group](#group)_ | false | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. | | `kind` | _[Kind](#kind)_ | false | Kind is the Kubernetes resource kind of the referent. For example
"Service".

Defaults to "Service" when not specified.

ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName) | | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | - #### BackendTrafficPolicy @@ -149,10 +149,10 @@ _Appears in:_ | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`BackendTrafficPolicy` + | `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `spec` | _[BackendTrafficPolicySpec](#backendtrafficpolicyspec)_ | true | spec defines the desired state of BackendTrafficPolicy. | - #### BackendTrafficPolicyList @@ -165,10 +165,10 @@ BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`BackendTrafficPolicyList` + | `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - #### BackendTrafficPolicySpec @@ -180,6 +180,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | targetRef is the name of the resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway. | | `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | | `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | @@ -190,8 +191,6 @@ _Appears in:_ | `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | | `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | -| `compression` | _[Compression](#compression) array_ | false | The compression config for the http streams. | - #### BasicAuth @@ -204,8 +203,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:{SHA}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:{SHA}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | #### BootstrapType @@ -229,6 +228,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `allowOrigins` | _[Origin](#origin) array_ | true | AllowOrigins defines the origins that are allowed to make requests. | | `allowMethods` | _string array_ | true | AllowMethods defines the methods that are allowed to make requests. | | `allowHeaders` | _string array_ | true | AllowHeaders defines the headers that are allowed to be sent with requests. | @@ -236,7 +236,6 @@ _Appears in:_ | `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | MaxAge defines how long the results of a preflight request can be cached. | | `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates. | - #### CircuitBreaker @@ -248,13 +247,13 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | | `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | | `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | | `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | | `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | - #### ClaimToHeader @@ -266,10 +265,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `header` | _string_ | true | Header defines the name of the HTTP request header that the JWT Claim will be saved into. | | `claim` | _string_ | true | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
(eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
to separate the JSON name path. | - #### ClientIPDetectionSettings @@ -281,10 +280,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. | | `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | - #### ClientTimeout @@ -296,8 +295,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `http` | _[HTTPClientTimeout](#httpclienttimeout)_ | false | Timeout settings for HTTP. | +| `http` | _[HTTPClientTimeout](#httpclienttimeout)_ | false | Timeout settings for HTTP. | #### ClientTrafficPolicy @@ -313,10 +312,10 @@ _Appears in:_ | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`ClientTrafficPolicy` + | `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `spec` | _[ClientTrafficPolicySpec](#clienttrafficpolicyspec)_ | true | Spec defines the desired state of ClientTrafficPolicy. | - #### ClientTrafficPolicyList @@ -329,10 +328,10 @@ ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`ClientTrafficPolicyList` + | `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - #### ClientTrafficPolicySpec @@ -344,6 +343,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default. | | `enableProxyProtocol` | _boolean_ | false | EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed. | @@ -356,7 +356,6 @@ _Appears in:_ | `timeout` | _[ClientTimeout](#clienttimeout)_ | false | Timeout settings for the client connections. | | `connection` | _[Connection](#connection)_ | false | Connection includes client connection settings. | - #### ClientValidationContext @@ -370,8 +369,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | +| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | #### Compression @@ -385,10 +384,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[CompressorType](#compressortype)_ | true | CompressorType defines the compressor type to use for compression. | | `gzip` | _[GzipCompressor](#gzipcompressor)_ | false | The configuration for GZIP compressor. | - #### CompressorType _Underlying type:_ _string_ @@ -411,10 +410,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections | | `bufferLimit` | _[Quantity](#quantity)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | - #### ConnectionLimit @@ -426,10 +425,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration.
Default: unlimited. | | `closeDelay` | _[Duration](#duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | - #### ConsistentHash @@ -442,8 +441,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[ConsistentHashType](#consistenthashtype)_ | true | | +| `type` | _[ConsistentHashType](#consistenthashtype)_ | true | | #### ConsistentHashType @@ -470,10 +469,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `name` | _string_ | true | Name of the header containing the original downstream remote address, if present. | | `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | - #### CustomTag @@ -485,12 +484,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[CustomTagType](#customtagtype)_ | true | Type defines the type of custom tag. | | `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | Literal adds hard-coded value to each span.
It's required when the type is "Literal". | | `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | Environment adds value from environment variable to each span.
It's required when the type is "Environment". | | `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | RequestHeader adds value from request header to each span.
It's required when the type is "RequestHeader". | - #### CustomTagType _Underlying type:_ _string_ @@ -513,10 +512,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `name` | _string_ | true | Name defines the name of the environment variable which to extract the value from. | | `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the environment variable is not set. | - #### EnvoyExtensionPolicy @@ -530,10 +529,10 @@ _Appears in:_ | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyExtensionPolicy` + | `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `spec` | _[EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)_ | true | Spec defines the desired state of EnvoyExtensionPolicy. | - #### EnvoyExtensionPolicyList @@ -546,10 +545,10 @@ EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyExtensionPolicyList` + | `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - #### EnvoyExtensionPolicySpec @@ -561,11 +560,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway.
TargetRef | | `wasm` | _[Wasm](#wasm) array_ | false | WASM is a list of Wasm extensions to be loaded by the Gateway.
Order matters, as the extensions will be loaded in the order they are
defined in this list. | | `extProc` | _[ExtProc](#extproc) array_ | true | ExtProc is an ordered list of external processing filters
that should added to the envoy filter chain | - #### EnvoyGateway @@ -578,6 +577,7 @@ EnvoyGateway is the schema for the envoygateways API. | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyGateway` + | `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | | `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | | `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | @@ -587,7 +587,6 @@ EnvoyGateway is the schema for the envoygateways API. | `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | | `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | - #### EnvoyGatewayAdmin @@ -600,11 +599,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `address` | _[EnvoyGatewayAdminAddress](#envoygatewayadminaddress)_ | false | Address defines the address of Envoy Gateway Admin Server. | | `enableDumpConfig` | _boolean_ | false | EnableDumpConfig defines if enable dump config in Envoy Gateway logs. | | `enablePprof` | _boolean_ | false | EnablePprof defines if enable pprof in Envoy Gateway Admin Server. | - #### EnvoyGatewayAdminAddress @@ -616,10 +615,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `port` | _integer_ | false | Port defines the port the admin server is exposed on. | | `host` | _string_ | false | Host defines the admin server hostname. | - #### EnvoyGatewayCustomProvider @@ -631,10 +630,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | | `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | true | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane. | - #### EnvoyGatewayFileResourceProvider @@ -646,8 +645,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive sub directories are not currently supported. | +| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive sub directories are not currently supported. | #### EnvoyGatewayHostInfrastructureProvider @@ -671,10 +670,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[InfrastructureProviderType](#infrastructureprovidertype)_ | true | Type is the type of infrastructure providers to use. Supported types are "Host". | | `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | Host defines the configuration of the Host provider. Host provides runtime
deployment of the data plane as a child process on the host environment. | - #### EnvoyGatewayKubernetesProvider @@ -686,13 +685,13 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | | `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | | `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | | `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | | `leaderElection` | _[LeaderElection](#leaderelection)_ | false | LeaderElection specifies the configuration for leader election.
If it's not set up, leader election will be active by default, using Kubernetes' standard settings. | - #### EnvoyGatewayLogComponent _Underlying type:_ _string_ @@ -716,8 +715,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. | +| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. | #### EnvoyGatewayMetricSink @@ -731,10 +730,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG control plane currently supports OpenTelemetry. | | `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | - #### EnvoyGatewayMetrics @@ -746,10 +745,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `sinks` | _[EnvoyGatewayMetricSink](#envoygatewaymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | | `prometheus` | _[EnvoyGatewayPrometheusProvider](#envoygatewayprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | - #### EnvoyGatewayOpenTelemetrySink @@ -761,11 +760,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `host` | _string_ | true | Host define the sink service hostname. | | `protocol` | _string_ | true | Protocol define the sink service protocol. | | `port` | _integer_ | false | Port defines the port the sink service is exposed on. | - #### EnvoyGatewayPrometheusProvider @@ -777,8 +776,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable defines if disables the prometheus metrics in pull mode. | +| `disable` | _boolean_ | true | Disable defines if disables the prometheus metrics in pull mode. | #### EnvoyGatewayProvider @@ -792,11 +791,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes". | | `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | | `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and a infrastructure
provider. | - #### EnvoyGatewayResourceProvider @@ -808,10 +807,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[ResourceProviderType](#resourceprovidertype)_ | true | Type is the type of resource provider to use. Supported types are "File". | | `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | File defines the configuration of the File provider. File provides runtime
configuration defined by one or more files. | - #### EnvoyGatewaySpec @@ -823,6 +822,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | | `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | | `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | @@ -832,7 +832,6 @@ _Appears in:_ | `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | | `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | - #### EnvoyGatewayTelemetry @@ -846,8 +845,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `metrics` | _[EnvoyGatewayMetrics](#envoygatewaymetrics)_ | true | Metrics defines metrics configuration for envoy gateway. | +| `metrics` | _[EnvoyGatewayMetrics](#envoygatewaymetrics)_ | true | Metrics defines metrics configuration for envoy gateway. | #### EnvoyJSONPatchConfig @@ -861,11 +860,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[EnvoyResourceType](#envoyresourcetype)_ | true | Type is the typed URL of the Envoy xDS Resource | | `name` | _string_ | true | Name is the name of the resource | | `operation` | _[JSONPatchOperation](#jsonpatchoperation)_ | true | Patch defines the JSON Patch Operation | - #### EnvoyPatchPolicy @@ -880,10 +879,10 @@ _Appears in:_ | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyPatchPolicy` + | `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `spec` | _[EnvoyPatchPolicySpec](#envoypatchpolicyspec)_ | true | Spec defines the desired state of EnvoyPatchPolicy. | - #### EnvoyPatchPolicyList @@ -896,10 +895,10 @@ EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyPatchPolicyList` + | `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - #### EnvoyPatchPolicySpec @@ -911,12 +910,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch". | | `jsonPatches` | _[EnvoyJSONPatchConfig](#envoyjsonpatchconfig) array_ | false | JSONPatch defines the JSONPatch configuration. | | `targetRef` | _[PolicyTargetReference](#policytargetreference)_ | true | TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef | | `priority` | _integer_ | true | Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0. | - #### EnvoyPatchType _Underlying type:_ _string_ @@ -940,10 +939,10 @@ EnvoyProxy is the schema for the envoyproxies API. | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyProxy` + | `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `spec` | _[EnvoyProxySpec](#envoyproxyspec)_ | true | EnvoyProxySpec defines the desired state of EnvoyProxy. | - #### EnvoyProxyKubernetesProvider @@ -956,11 +955,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | EnvoyDeployment defines the desired state of the Envoy deployment resource.
If unspecified, default settings for the managed Envoy deployment resource
are applied. | | `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | EnvoyService defines the desired state of the Envoy service resource.
If unspecified, default settings for the managed Envoy service resource
are applied. | | `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. | - #### EnvoyProxyProvider @@ -972,10 +971,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[ProviderType](#providertype)_ | true | Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
optional auxiliary control planes. Supported types are "Kubernetes". | | `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | Kubernetes defines the desired state of the Kubernetes resource provider.
Kubernetes provides infrastructure resources for running the data plane,
e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
for managed Kubernetes resources are applied. | - #### EnvoyProxySpec @@ -987,6 +986,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | Provider defines the desired resource provider and provider-specific configuration.
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters. | | `logging` | _[ProxyLogging](#proxylogging)_ | true | Logging defines logging parameters for managed proxies. | | `telemetry` | _[ProxyTelemetry](#proxytelemetry)_ | false | Telemetry defines telemetry parameters for managed proxies. | @@ -998,7 +998,6 @@ _Appears in:_ - #### EnvoyResourceType _Underlying type:_ _string_ @@ -1021,12 +1020,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | - #### ExtProc @@ -1038,10 +1037,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `backendRef` | _[ExtProcBackendRef](#extprocbackendref)_ | true | BackendRef defines the configuration of the external processing service | | `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | - #### ExtProcBackendRef @@ -1055,13 +1054,13 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `group` | _[Group](#group)_ | false | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. | | `kind` | _[Kind](#kind)_ | false | Kind is the Kubernetes resource kind of the referent. For example
"Service".

Defaults to "Service" when not specified.

ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName) | | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | - #### ExtProcBodyProcessingMode _Underlying type:_ _string_ @@ -1085,10 +1084,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `request` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for requests. If present, request headers are sent. Request body is processed according
to the specified mode. | | `response` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for responses. If present, response headers are sent. Response body is processed according
to the specified mode. | - #### ExtensionAPISettings @@ -1101,8 +1100,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `enableEnvoyPatchPolicy` | _boolean_ | true | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. | +| `enableEnvoyPatchPolicy` | _boolean_ | true | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. | #### ExtensionHooks @@ -1115,8 +1114,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `xdsTranslator` | _[XDSTranslatorHooks](#xdstranslatorhooks)_ | true | XDSTranslator defines all the supported extension hooks for the xds-translator runner | +| `xdsTranslator` | _[XDSTranslatorHooks](#xdstranslatorhooks)_ | true | XDSTranslator defines all the supported extension hooks for the xds-translator runner | #### ExtensionManager @@ -1131,11 +1130,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `resources` | _[GroupVersionKind](#groupversionkind) array_ | false | Resources defines the set of K8s resources the extension will handle. | | `hooks` | _[ExtensionHooks](#extensionhooks)_ | true | Hooks defines the set of hooks the extension supports | | `service` | _[ExtensionService](#extensionservice)_ | true | Service defines the configuration of the extension service that the Envoy
Gateway Control Plane will call through extension hooks. | - #### ExtensionService @@ -1147,11 +1146,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `host` | _string_ | true | Host define the extension service hostname. | | `port` | _integer_ | false | Port defines the port the extension service is exposed on. | | `tls` | _[ExtensionTLS](#extensiontls)_ | false | TLS defines TLS configuration for communication between Envoy Gateway and
the extension service. | - #### ExtensionTLS @@ -1163,8 +1162,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.

CertificateRef can only reference a Kubernetes Secret at this time. | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.

CertificateRef can only reference a Kubernetes Secret at this time. | #### FaultInjection @@ -1178,10 +1177,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `delay` | _[FaultInjectionDelay](#faultinjectiondelay)_ | false | If specified, a delay will be injected into the request. | | `abort` | _[FaultInjectionAbort](#faultinjectionabort)_ | false | If specified, the request will be aborted if it meets the configuration criteria. | - #### FaultInjectionAbort @@ -1193,11 +1192,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `httpStatus` | _integer_ | false | StatusCode specifies the HTTP status code to be returned | | `grpcStatus` | _integer_ | false | GrpcStatus specifies the GRPC status code to be returned | | `percentage` | _float_ | false | Percentage specifies the percentage of requests to be aborted. Default 100%, if set 0, no requests will be aborted. Accuracy to 0.0001%. | - #### FaultInjectionDelay @@ -1209,10 +1208,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `fixedDelay` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | FixedDelay specifies the fixed delay duration | | `percentage` | _float_ | false | Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. | - #### FileEnvoyProxyAccessLog @@ -1224,8 +1223,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `path` | _string_ | true | Path defines the file path used to expose envoy access log(e.g. /dev/stdout). | +| `path` | _string_ | true | Path defines the file path used to expose envoy access log(e.g. /dev/stdout). | #### GRPCExtAuthService @@ -1240,8 +1239,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only service Kind is supported for now. | +| `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only service Kind is supported for now. | #### Gateway @@ -1255,8 +1254,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `controllerName` | _string_ | false | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | +| `controllerName` | _string_ | false | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | #### GlobalRateLimit @@ -1269,8 +1268,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. | #### GroupVersionKind @@ -1284,11 +1283,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `group` | _string_ | true | | | `version` | _string_ | true | | | `kind` | _string_ | true | | - #### GzipCompressor @@ -1313,8 +1312,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `useDefaultHost` | _boolean_ | false | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. | +| `useDefaultHost` | _boolean_ | false | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. | #### HTTP1Settings @@ -1327,11 +1326,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `enableTrailers` | _boolean_ | false | EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy. | | `preserveHeaderCase` | _boolean_ | false | PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers. | | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | - #### HTTP3Settings @@ -1354,12 +1353,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `path` | _string_ | true | Path defines the HTTP path that will be requested during health checking. | | `method` | _string_ | false | Method defines the HTTP method used for health checking.
Defaults to GET | | `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | ExpectedStatuses defines a list of HTTP response statuses considered healthy.
Defaults to 200 only | | `expectedResponse` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | ExpectedResponse defines a list of HTTP expected responses to match. | - #### HTTPClientTimeout @@ -1371,10 +1370,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `requestReceivedTimeout` | _[Duration](#duration)_ | false | RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins. | | `idleTimeout` | _[Duration](#duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | - #### HTTPExtAuthService @@ -1386,11 +1385,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `backendRef` | _[BackendObjectReference](#backendobjectreference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only service Kind is supported for now. | | `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | - #### HTTPStatus _Underlying type:_ _integer_ @@ -1414,10 +1413,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `connectionIdleTimeout` | _[Duration](#duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | | `maxConnectionDuration` | _[Duration](#duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | - #### HTTPWasmCodeSource @@ -1429,8 +1428,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `url` | _string_ | true | URL is the URL containing the wasm code. | +| `url` | _string_ | true | URL is the URL containing the wasm code. | @@ -1457,10 +1456,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `enableEnvoyHeaders` | _boolean_ | false | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses. | | `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | - #### HealthCheck @@ -1473,10 +1472,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | | `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | - #### ImageWasmCodeSource @@ -1488,10 +1487,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `url` | _string_ | true | URL is the URL of the OCI image. | | `pullSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | PullSecretRef is a reference to the secret containing the credentials to pull the image. | - #### InfrastructureProviderType _Underlying type:_ _string_ @@ -1515,12 +1514,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | | `path` | _string_ | true | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | | `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | | `value` | _[JSON](#json)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | - #### JSONPatchOperationType _Underlying type:_ _string_ @@ -1543,8 +1542,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | #### JWTExtractor @@ -1559,11 +1558,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `headers` | _[JWTHeaderExtractor](#jwtheaderextractor) array_ | false | Headers represents a list of HTTP request headers to extract the JWT token from. | | `cookies` | _string array_ | false | Cookies represents a list of cookie names to extract the JWT token from. | | `params` | _string array_ | false | Params represents a list of query parameters to extract the JWT token from. | - #### JWTHeaderExtractor @@ -1575,10 +1574,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `name` | _string_ | true | Name is the HTTP header name to retrieve the token | | `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "{ValuePrefix}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | - #### JWTProvider @@ -1590,6 +1589,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `name` | _string_ | true | Name defines a unique name for the JWT provider. A name can have a variety of forms,
including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. | | `issuer` | _string_ | false | Issuer is the principal that issued the JWT and takes the form of a URL or email address.
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
the JWT issuer is not checked. | | `audiences` | _string array_ | false | Audiences is a list of JWT audiences allowed access. For additional details, see
https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
are not checked. | @@ -1598,7 +1598,6 @@ _Appears in:_ | `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers generated from the claim are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | | `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | - #### KubernetesContainerSpec @@ -1610,13 +1609,13 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `env` | _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#envvar-v1-core) array_ | false | List of environment variables to set in the container. | | `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core)_ | false | Resources required by this container.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core)_ | false | SecurityContext defines the security options the container should be run with.
If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | | `image` | _string_ | false | Image specifies the EnvoyProxy container image to be used, instead of the default image. | | `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volumemount-v1-core) array_ | false | VolumeMounts are volumes to mount into the container's filesystem.
Cannot be updated. | - #### KubernetesDeployMode @@ -1641,6 +1640,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to deployment | | `replicas` | _integer_ | false | Replicas is the number of desired pods. Defaults to 1. | | `strategy` | _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#deploymentstrategy-v1-apps)_ | false | The deployment strategy to use to replace existing pods with new ones. | @@ -1648,7 +1648,6 @@ _Appears in:_ | `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. | | `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#container-v1-core) array_ | false | List of initialization containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | - #### KubernetesHorizontalPodAutoscalerSpec @@ -1663,12 +1662,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `minReplicas` | _integer_ | false | minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 replica. | | `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | | `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | | `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | - #### KubernetesPatchSpec @@ -1681,10 +1680,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[MergeType](#mergetype)_ | false | Type is the type of merge operation to perform

By default, StrategicMerge is used as the patch type. | | `value` | _[JSON](#json)_ | true | Object contains the raw configuration for merged object | - #### KubernetesPodSpec @@ -1696,6 +1695,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `annotations` | _object (keys:string, values:string)_ | false | Annotations are the annotations that should be appended to the pods.
By default, no pod annotations are appended. | | `labels` | _object (keys:string, values:string)_ | false | Labels are the additional labels that should be tagged to the pods.
By default, no additional pod labels are tagged. | | `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core)_ | false | SecurityContext holds pod-level security attributes and common container settings.
Optional: Defaults to empty. See type description for default values of each field. | @@ -1706,7 +1706,6 @@ _Appears in:_ | `nodeSelector` | _object (keys:string, values:string)_ | false | NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | | `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#topologyspreadconstraint-v1-core) array_ | false | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. | - #### KubernetesServiceSpec @@ -1718,6 +1717,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. | | `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | | `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | @@ -1726,7 +1726,6 @@ _Appears in:_ | `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. | | `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the service | - #### KubernetesWatchMode @@ -1738,11 +1737,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
KubernetesWatchModeTypeNamespaceSelector are currently supported
By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
from all namespaces. | | `namespaces` | _string array_ | true | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
resources such as Gateway, HTTPRoute and Service.
Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. | | `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#labelselector-v1-meta)_ | true | NamespaceSelector holds the label selector used to dynamically select namespaces.
Envoy Gateway will watch for namespaces matching the specified label selector.
Precisely one of Namespaces and NamespaceSelector must be set. | - #### KubernetesWatchModeType _Underlying type:_ _string_ @@ -1765,12 +1764,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `leaseDuration` | _[Duration](#duration)_ | true | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. | | `renewDeadline` | _[Duration](#duration)_ | true | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. | | `retryPeriod` | _[Duration](#duration)_ | true | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | | `disable` | _boolean_ | true | Disable provides the option to turn off leader election, which is enabled by default. | - #### LiteralCustomTag @@ -1782,8 +1781,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `value` | _string_ | true | Value defines the hard-coded value to add to each span. | +| `value` | _string_ | true | Value defines the hard-coded value to add to each span. | #### LoadBalancer @@ -1796,11 +1795,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin", | | `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | | `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | - #### LoadBalancerType _Underlying type:_ _string_ @@ -1823,8 +1822,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. | #### LogLevel @@ -1863,6 +1862,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `provider` | _[OIDCProvider](#oidcprovider)_ | true | The OIDC Provider configuration. | | `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | @@ -1871,7 +1871,6 @@ _Appears in:_ | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | | `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.
If not specified, uses a default logout path "/logout" | - #### OIDCProvider @@ -1883,11 +1882,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | | `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | | `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | - #### OpenTelemetryEnvoyProxyAccessLog @@ -1899,12 +1898,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRef instead. | | `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRef instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the accesslog will be sent.
Only service Kind is supported for now. | | `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | - #### Origin _Underlying type:_ _string_ @@ -1941,6 +1940,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `splitExternalLocalOriginErrors` | _boolean_ | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. | | `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Interval defines the time between passive health checks. | | `consecutiveLocalOriginFailures` | _integer_ | false | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. | @@ -1949,7 +1949,6 @@ _Appears in:_ | `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | | `maxEjectionPercent` | _integer_ | false | MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. | - #### PathEscapedSlashAction _Underlying type:_ _string_ @@ -1973,10 +1972,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect. | | `disableMergeSlashes` | _boolean_ | false | DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience. | - #### PerRetryPolicy @@ -1988,10 +1987,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout is the timeout per retry attempt. | | `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | - #### ProcessingModeOptions @@ -2003,8 +2002,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | +| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | #### ProviderType @@ -2029,10 +2028,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `disable` | _boolean_ | true | Disable disables access logging for managed proxies if set to true. | | `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | Settings defines accesslog settings for managed proxies.
If unspecified, will send default format to stdout. | - #### ProxyAccessLogFormat @@ -2045,11 +2044,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[ProxyAccessLogFormatType](#proxyaccesslogformattype)_ | true | Type defines the type of accesslog format. | | `text` | _string_ | false | Text defines the text accesslog format, following Envoy accesslog formatting,
It's required when the format type is "Text".
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. | | `json` | _object (keys:string, values:string)_ | false | JSON is additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON". | - #### ProxyAccessLogFormatType _Underlying type:_ _string_ @@ -2072,10 +2071,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | true | Format defines the format of accesslog. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | - #### ProxyAccessLogSink @@ -2087,11 +2086,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[ProxyAccessLogSinkType](#proxyaccesslogsinktype)_ | true | Type defines the type of accesslog sink. | | `file` | _[FileEnvoyProxyAccessLog](#fileenvoyproxyaccesslog)_ | false | File defines the file accesslog sink. | | `openTelemetry` | _[OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog)_ | false | OpenTelemetry defines the OpenTelemetry accesslog sink. | - #### ProxyAccessLogSinkType _Underlying type:_ _string_ @@ -2114,10 +2113,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace or Merge.
If unspecified, it defaults to Replace. | | `value` | _string_ | true | Value is a YAML string of the bootstrap. | - #### ProxyLogComponent _Underlying type:_ _string_ @@ -2140,8 +2139,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". | +| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". | #### ProxyMetricSink @@ -2155,10 +2154,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG currently only supports OpenTelemetry. | | `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | - #### ProxyMetrics @@ -2170,12 +2169,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | | `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | | `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | | `enableVirtualHostStats` | _boolean_ | true | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | - #### ProxyOpenTelemetrySink @@ -2187,11 +2186,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRef instead. | | `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRef instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the metric will be sent.
Only service Kind is supported for now. | - #### ProxyPrometheusProvider @@ -2203,8 +2202,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | +| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | #### ProxyProtocol @@ -2218,8 +2217,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | +| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -2243,11 +2242,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | AccessLogs defines accesslog parameters for managed proxies.
If unspecified, will send default format to stdout. | | `tracing` | _[ProxyTracing](#proxytracing)_ | false | Tracing defines tracing configuration for managed proxies.
If unspecified, will not send tracing data. | | `metrics` | _[ProxyMetrics](#proxymetrics)_ | true | Metrics defines metrics configuration for managed proxies. | - #### ProxyTracing @@ -2259,11 +2258,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | | `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | CustomTags defines the custom tags to add to each span.
If provider is kubernetes, pod name and namespace are added by default. | | `provider` | _[TracingProvider](#tracingprovider)_ | true | Provider defines the tracing provider.
Only OpenTelemetry is supported currently. | - #### RateLimit @@ -2277,12 +2276,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. | | `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | | `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. | | `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | Telemetry defines telemetry configuration for RateLimit. | - #### RateLimitDatabaseBackend @@ -2295,10 +2294,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | Type is the type of database backend to use. Supported types are:
* Redis: Connects to a Redis database. | | `redis` | _[RateLimitRedisSettings](#ratelimitredissettings)_ | false | Redis defines the settings needed to connect to a Redis database. | - #### RateLimitDatabaseBackendType _Underlying type:_ _string_ @@ -2322,8 +2321,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | +| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | #### RateLimitMetricsPrometheusProvider @@ -2336,8 +2335,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | +| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | #### RateLimitRedisSettings @@ -2350,10 +2349,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `url` | _string_ | true | URL of the Redis Database. | | `tls` | _[RedisTLSSettings](#redistlssettings)_ | false | TLS defines TLS configuration for connecting to redis database. | - #### RateLimitRule @@ -2367,10 +2366,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | ClientSelectors holds the list of select conditions to select
specific clients using attributes from the traffic flow.
All individual select conditions must hold True for this rule
and its limit to be applied.

If no client selectors are specified, the rule applies to all traffic of
the targeted Route.

If the policy targets a Gateway, the rule applies to each Route of the Gateway.
Please note that each Route has its own rate limit counters. For example,
if a Gateway has two Routes, and the policy has a rule with limit 10rps,
each Route will have its own 10rps limit. | | `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | Limit holds the rate limit values.
This limit is applied for traffic flows when the selectors
compute to True, causing the request to be counted towards the limit.
The limit is enforced and the request is ratelimited, i.e. a response with
429 HTTP status code is sent back to the client when
the selected requests have reached the limit. | - #### RateLimitSelectCondition @@ -2384,10 +2383,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `headers` | _[HeaderMatch](#headermatch) array_ | false | Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
At least one of headers or sourceCIDR condition must be specified. | | `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | SourceCIDR is the client IP Address range to match on.
At least one of headers or sourceCIDR condition must be specified. | - #### RateLimitSpec @@ -2399,11 +2398,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[RateLimitType](#ratelimittype)_ | true | Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local". | | `global` | _[GlobalRateLimit](#globalratelimit)_ | false | Global defines global rate limit configuration. | | `local` | _[LocalRateLimit](#localratelimit)_ | false | Local defines local rate limit configuration. | - #### RateLimitTelemetry @@ -2415,10 +2414,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | Metrics defines metrics configuration for RateLimit. | | `tracing` | _[RateLimitTracing](#ratelimittracing)_ | true | Tracing defines traces configuration for RateLimit. | - #### RateLimitTracing @@ -2430,10 +2429,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | | `provider` | _[RateLimitTracingProvider](#ratelimittracingprovider)_ | true | Provider defines the rateLimit tracing provider.
Only OpenTelemetry is supported currently. | - #### RateLimitTracingProvider @@ -2445,12 +2444,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[RateLimitTracingProviderType](#ratelimittracingprovidertype)_ | true | Type defines the tracing provider type.
Since to RateLimit Exporter currently using OpenTelemetry, only OpenTelemetry is supported | | `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | - #### RateLimitType _Underlying type:_ _string_ @@ -2485,10 +2484,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `requests` | _integer_ | true | | | `unit` | _[RateLimitUnit](#ratelimitunit)_ | true | | - #### RedisTLSSettings @@ -2500,8 +2499,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. | #### RemoteJWKS @@ -2515,8 +2514,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | +| `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | #### RequestHeaderCustomTag @@ -2529,10 +2528,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `name` | _string_ | true | Name defines the name of the request header which to extract the value from. | | `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the request header is not set. | - #### ResourceProviderType _Underlying type:_ _string_ @@ -2555,11 +2554,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | | `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | | `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | - #### RetryOn @@ -2571,10 +2570,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `triggers` | _[TriggerEnum](#triggerenum) array_ | false | Triggers specifies the retry trigger condition(Http/Grpc). | | `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. | - #### SecurityPolicy @@ -2589,10 +2588,10 @@ _Appears in:_ | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`SecurityPolicy` + | `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `spec` | _[SecurityPolicySpec](#securitypolicyspec)_ | true | Spec defines the desired state of SecurityPolicy. | - #### SecurityPolicyList @@ -2605,10 +2604,10 @@ SecurityPolicyList contains a list of SecurityPolicy resources. | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`SecurityPolicyList` + | `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | | `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - #### SecurityPolicySpec @@ -2620,6 +2619,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy
is being attached to.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway. | | `cors` | _[CORS](#cors)_ | false | CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | | `basicAuth` | _[BasicAuth](#basicauth)_ | false | BasicAuth defines the configuration for the HTTP Basic Authentication. | @@ -2629,7 +2629,6 @@ _Appears in:_ - #### ServiceExternalTrafficPolicy _Underlying type:_ _string_ @@ -2665,10 +2664,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 600 seconds. | | `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 5 seconds. | - #### SlowStart @@ -2680,8 +2679,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | @@ -2709,10 +2708,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[StringMatchType](#stringmatchtype)_ | false | Type specifies how to match against a string. | | `value` | _string_ | true | Value specifies the string value that the match must have. | - #### StringMatchType _Underlying type:_ _string_ @@ -2736,10 +2735,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `send` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Send defines the request payload. | | `receive` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Receive defines the expected response payload. | - #### TCPKeepalive @@ -2752,11 +2751,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | | `idleTime` | _[Duration](#duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | | `interval` | _[Duration](#duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | - #### TCPTimeout @@ -2768,8 +2767,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `connectTimeout` | _[Duration](#duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | +| `connectTimeout` | _[Duration](#duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | #### TLSSettings @@ -2782,6 +2781,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | | `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | | `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | @@ -2790,7 +2790,6 @@ _Appears in:_ | `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | | `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener. | - #### TLSVersion _Underlying type:_ _string_ @@ -2813,10 +2812,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | | `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | - #### TracingProvider @@ -2828,12 +2827,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type.
EG currently only supports OpenTelemetry. | | `host` | _string_ | false | Host define the provider service hostname.
Deprecated: Use BackendRef instead. | | `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRef instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the accesslog will be sent.
Only service Kind is supported for now. | - #### TracingProviderType _Underlying type:_ _string_ @@ -2871,12 +2870,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `name` | _string_ | true | Name is a unique name for this Wasm extension. It is used to identify the
Wasm extension if multiple extensions are handled by the same vm_id and root_id.
It's also used for logging/debugging. | | `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the wasm code for the extension. | | `config` | _[JSON](#json)_ | true | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | - #### WasmCodeSource @@ -2888,11 +2887,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | Type is the type of the source of the wasm code.
Valid WasmCodeSourceType values are "HTTP" or "Image". | | `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | HTTP is the HTTP URL containing the wasm code.

Note that the HTTP server must be accessible from the Envoy proxy. | | `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | Image is the OCI image containing the wasm code.

Note that the image must be accessible from the Envoy Gateway. | - #### WasmCodeSourceType _Underlying type:_ _string_ @@ -2939,10 +2938,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | + | `pre` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | | `post` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | - #### XForwardedForSettings @@ -2954,6 +2953,6 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | From 414c66d3459850299b50be6a747825db6637ef4c Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Thu, 18 Apr 2024 11:42:12 -0500 Subject: [PATCH 4/5] add enum docs Signed-off-by: Guy Daich --- api/v1alpha1/ext_proc_types.go | 3 +++ site/content/en/latest/api/extension_types.md | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go index 001dceb4faf..408dec4397f 100644 --- a/api/v1alpha1/ext_proc_types.go +++ b/api/v1alpha1/ext_proc_types.go @@ -13,8 +13,11 @@ import ( type ExtProcBodyProcessingMode string const ( + // StreamedExtProcBodyProcessingMode will stream the body to the server in pieces as they arrive at the proxy. StreamedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Streamed" + // BufferedExtProcBodyProcessingMode will buffer the message body in memory and send the entire body at once. If the body exceeds the configured buffer limit, then the downstream system will receive an error. BufferedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Buffered" + // BufferedPartialExtBodyHeaderProcessingMode will buffer the message body in memory and send the entire body in one chunk. If the body exceeds the configured buffer limit, then the body contents up to the buffer limit will be sent. BufferedPartialExtBodyHeaderProcessingMode ExtProcBodyProcessingMode = "BufferedPartial" ) diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index c1e5d28a4b2..82d7de15e7f 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1200,9 +1200,9 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `Streamed` | | -| `Buffered` | | -| `BufferedPartial` | | +| `Streamed` | StreamedExtProcBodyProcessingMode will stream the body to the server in pieces as they arrive at the proxy.
| +| `Buffered` | BufferedExtProcBodyProcessingMode will buffer the message body in memory and send the entire body at once. If the body exceeds the configured buffer limit, then the downstream system will receive an error.
| +| `BufferedPartial` | BufferedPartialExtBodyHeaderProcessingMode will buffer the message body in memory and send the entire body in one chunk. If the body exceeds the configured buffer limit, then the body contents up to the buffer limit will be sent.
| #### ExtProcProcessingMode From 3788ba7d20e4cce28f0bc9cd9a1bdab5073b2b1f Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Thu, 18 Apr 2024 11:50:21 -0500 Subject: [PATCH 5/5] fix lint Signed-off-by: Guy Daich --- api/v1alpha1/ext_proc_types.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go index 408dec4397f..ef5e409d9db 100644 --- a/api/v1alpha1/ext_proc_types.go +++ b/api/v1alpha1/ext_proc_types.go @@ -14,9 +14,9 @@ type ExtProcBodyProcessingMode string const ( // StreamedExtProcBodyProcessingMode will stream the body to the server in pieces as they arrive at the proxy. - StreamedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Streamed" + StreamedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Streamed" // BufferedExtProcBodyProcessingMode will buffer the message body in memory and send the entire body at once. If the body exceeds the configured buffer limit, then the downstream system will receive an error. - BufferedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Buffered" + BufferedExtProcBodyProcessingMode ExtProcBodyProcessingMode = "Buffered" // BufferedPartialExtBodyHeaderProcessingMode will buffer the message body in memory and send the entire body in one chunk. If the body exceeds the configured buffer limit, then the body contents up to the buffer limit will be sent. BufferedPartialExtBodyHeaderProcessingMode ExtProcBodyProcessingMode = "BufferedPartial" )