diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index fb136b62892..316a1201c8a 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -57,14 +57,14 @@ stream is established. _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | -| `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | -| `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | HTTP defines additional configuration specific to HTTP access logs. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `logName` | _string_ | false | | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | +| `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | +| `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | | HTTP defines additional configuration specific to HTTP access logs. | #### ALSEnvoyProxyAccessLogType @@ -91,11 +91,11 @@ _Appears in:_ _Appears in:_ - [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `requestHeaders` | _string array_ | false | RequestHeaders defines request headers to include in log entries sent to the access log service. | -| `responseHeaders` | _string array_ | false | ResponseHeaders defines response headers to include in log entries sent to the access log service. | -| `responseTrailers` | _string array_ | false | ResponseTrailers defines response trailers to include in log entries sent to the access log service. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `requestHeaders` | _string array_ | false | | RequestHeaders defines request headers to include in log entries sent to the access log service. | +| `responseHeaders` | _string array_ | false | | ResponseHeaders defines response headers to include in log entries sent to the access log service. | +| `responseTrailers` | _string array_ | false | | ResponseTrailers defines response trailers to include in log entries sent to the access log service. | #### ActiveHealthCheck 
@@ -108,16 +108,16 @@ EG supports various types of active health checking including HTTP, TCP. _Appears in:_ - [HealthCheck](#healthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout defines the time to wait for a health check response. | -| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Interval defines the time between active health checks. | -| `unhealthyThreshold` | _integer_ | false | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. | -| `healthyThreshold` | _integer_ | false | HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy. | -| `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | Type defines the type of health checker. | -| `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | -| `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | -| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 1s | Timeout defines the time to wait for a health check response. | +| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 3s | Interval defines the time between active health checks. | +| `unhealthyThreshold` | _integer_ | false | 3 | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. | +| `healthyThreshold` | _integer_ | false | 1 | HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy. | +| `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | | Type defines the type of health checker. | +| `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | +| `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | +| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | #### ActiveHealthCheckPayload @@ -130,11 +130,11 @@ _Appears in:_ - [HTTPActiveHealthChecker](#httpactivehealthchecker) - [TCPActiveHealthChecker](#tcpactivehealthchecker) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | -| `text` | _string_ | false | Text payload in plain text. | -| `binary` | _integer array_ | false | Binary payload base64 encoded. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | | Type defines the type of the payload. | +| `text` | _string_ | false | | Text payload in plain text. | +| `binary` | _integer array_ | false | | Binary payload base64 encoded. | #### ActiveHealthCheckPayloadType @@ -196,10 +196,10 @@ Note: if neither `Rules` nor `DefaultAction` is specified, the default action is _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rules` | _[AuthorizationRule](#authorizationrule) array_ | false | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | -| `defaultAction` | _[AuthorizationAction](#authorizationaction)_ | false | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rules` | _[AuthorizationRule](#authorizationrule) array_ | false | | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | +| `defaultAction` | _[AuthorizationAction](#authorizationaction)_ | false | | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. | #### AuthorizationAction @@ -227,11 +227,11 @@ AuthorizationRule defines a single authorization rule. _Appears in:_ - [Authorization](#authorization) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | -| `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | -| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | false | | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | +| `action` | _[AuthorizationAction](#authorizationaction)_ | true | | Action defines the action to be taken if the rule matches. | +| `principal` | _[Principal](#principal)_ | true | | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | #### BackOffPolicy @@ -243,10 +243,10 @@ _Appears in:_ _Appears in:_ - [PerRetryPolicy](#perretrypolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | BaseInterval is the base interval between retries. | -| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | BaseInterval is the base interval between retries. | +| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | #### Backend @@ -258,13 +258,13 @@ the behavior of the connection from Envoy Proxy to the backend. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`Backend` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[BackendSpec](#backendspec)_ | true | Spec defines the desired state of Backend. | -| `status` | _[BackendStatus](#backendstatus)_ | true | Status defines the current status of Backend. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[BackendSpec](#backendspec)_ | true | | Spec defines the desired state of Backend. | +| `status` | _[BackendStatus](#backendstatus)_ | true | | Status defines the current status of Backend. | #### BackendCluster @@ -285,11 +285,11 @@ _Appears in:_ - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | @@ -306,9 +306,9 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -322,11 +322,11 @@ _Appears in:_ - [BackendSpec](#backendspec) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | -| `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | | FQDN defines a FQDN endpoint | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | +| `unix` | _[UnixSocket](#unixsocket)_ | false | | Unix defines the unix domain socket endpoint | #### BackendRef @@ -346,14 +346,14 @@ _Appears in:_ - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `group` | _[Group](#group)_ | false | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. | -| `kind` | _[Kind](#kind)_ | false | Kind is the Kubernetes resource kind of the referent. For example
"Service".

Defaults to "Service" when not specified.

ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName) | -| `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | -| `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | -| `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | -| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `group` | _[Group](#group)_ | false | | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. | +| `kind` | _[Kind](#kind)_ | false | Service | Kind is the Kubernetes resource kind of the referent. For example
"Service".

Defaults to "Service" when not specified.

ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName) | +| `name` | _[ObjectName](#objectname)_ | true | | Name is the name of the referent. | +| `namespace` | _[Namespace](#namespace)_ | false | | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | +| `port` | _[PortNumber](#portnumber)_ | false | | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | +| `fallback` | _boolean_ | false | | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec @@ -365,11 +365,11 @@ BackendSpec describes the desired state of BackendSpec. _Appears in:_ - [Backend](#backend) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | Endpoints defines the endpoints to be used when connecting to the backend. | -| `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | AppProtocols defines the application protocols to be supported when connecting to the backend. | -| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | | Endpoints defines the endpoints to be used when connecting to the backend. | +| `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | | AppProtocols defines the application protocols to be supported when connecting to the backend. | +| `fallback` | _boolean_ | false | | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendStatus @@ -381,9 +381,9 @@ BackendStatus defines the state of Backend _Appears in:_ - [Backend](#backend) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `conditions` | _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta) array_ | false | Conditions describe the current conditions of the Backend. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `conditions` | _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta) array_ | false | | Conditions describe the current conditions of the Backend. | #### BackendTLSConfig @@ -395,15 +395,15 @@ BackendTLSConfig describes the BackendTLS configuration for Envoy Proxy. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | ClientCertificateRef defines the reference to a Kubernetes Secret that contains
the client certificate and private key for Envoy to use when connecting to
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
This secret should be located within the same namespace as the Envoy proxy resource that references it. | -| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | -| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | -| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | -| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | -| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | | ClientCertificateRef defines the reference to a Kubernetes Secret that contains
the client certificate and private key for Envoy to use when connecting to
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
This secret should be located within the same namespace as the Envoy proxy resource that references it. | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### BackendTrafficPolicy @@ -415,13 +415,13 @@ between the Envoy Proxy listener and the backend service. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`BackendTrafficPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[BackendTrafficPolicySpec](#backendtrafficpolicyspec)_ | true | spec defines the desired state of BackendTrafficPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[BackendTrafficPolicySpec](#backendtrafficpolicyspec)_ | true | | spec defines the desired state of BackendTrafficPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | status defines the current status of BackendTrafficPolicy. | #### BackendTrafficPolicySpec @@ -433,25 +433,25 @@ BackendTrafficPolicySpec defines the desired state of BackendTrafficPolicy. _Appears in:_ - [BackendTrafficPolicy](#backendtrafficpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | -| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | -| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | -| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | -| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | -| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | -| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | -| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | -| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | -| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | -| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | -| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | -| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | | HTTP2 provides HTTP/2 configuration for backend connections. | +| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | +| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | +| `useClientProtocol` | _boolean_ | false | | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | +| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | #### BasicAuth @@ -463,9 +463,9 @@ BasicAuth defines the configuration for the HTTP Basic Authentication. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | #### BodyToExtAuth @@ -477,9 +477,9 @@ BodyToExtAuth defines the Body to Ext Auth configuration _Appears in:_ - [ExtAuth](#extauth) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `maxRequestBytes` | _integer_ | true | | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | #### BootstrapType @@ -520,14 +520,14 @@ CORS defines the configuration for Cross-Origin Resource Sharing (CORS). _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `allowOrigins` | _[Origin](#origin) array_ | false | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | -| `allowMethods` | _string array_ | false | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | -| `allowHeaders` | _string array_ | false | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | -| `exposeHeaders` | _string array_ | false | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | -| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | -| `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `allowOrigins` | _[Origin](#origin) array_ | false | | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | +| `allowMethods` | _string array_ | false | | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | +| `allowHeaders` | _string array_ | false | | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | +| `exposeHeaders` | _string array_ | false | | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | +| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | +| `allowCredentials` | _boolean_ | false | | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | #### CircuitBreaker @@ -540,13 +540,13 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | -| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | -| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `maxConnections` | _integer_ | false | 1024 | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | +| `maxPendingRequests` | _integer_ | false | 1024 | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | +| `maxParallelRequests` | _integer_ | false | 1024 | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxParallelRetries` | _integer_ | false | 1024 | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxRequestsPerConnection` | _integer_ | false | | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -558,10 +558,10 @@ ClaimToHeader defines a configuration to convert JWT claims into HTTP headers _Appears in:_ - [JWTProvider](#jwtprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `header` | _string_ | true | Header defines the name of the HTTP request header that the JWT Claim will be saved into. | -| `claim` | _string_ | true | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
(eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
to separate the JSON name path. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `header` | _string_ | true | | Header defines the name of the HTTP request header that the JWT Claim will be saved into. | +| `claim` | _string_ | true | | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
(eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
to separate the JSON name path. | #### ClientConnection @@ -573,10 +573,10 @@ ClientConnection allows users to configure connection-level settings of client _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | | ConnectionLimit defines limits related to connections | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | #### ClientIPDetectionSettings @@ -588,10 +588,10 @@ ClientIPDetectionSettings provides configuration for determining the original cl _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. | -| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. | +| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | #### ClientTLSSettings @@ -603,16 +603,16 @@ _Appears in:_ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener. | -| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | -| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | -| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | -| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | -| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | -| `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | | ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener. | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `session` | _[Session](#session)_ | false | | Session defines settings related to TLS session management. | #### ClientTimeout @@ -624,10 +624,10 @@ _Appears in:_ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `tcp` | _[TCPClientTimeout](#tcpclienttimeout)_ | false | Timeout settings for TCP. | -| `http` | _[HTTPClientTimeout](#httpclienttimeout)_ | false | Timeout settings for HTTP. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `tcp` | _[TCPClientTimeout](#tcpclienttimeout)_ | false | | Timeout settings for TCP. | +| `http` | _[HTTPClientTimeout](#httpclienttimeout)_ | false | | Timeout settings for HTTP. | #### ClientTrafficPolicy 
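Review bot: In the BackendTrafficPolicy hunk (@@ -415), the `apiVersion` and `kind` rows are left with four cells (`| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` |`) under a header that now has five columns, so the fixed value moves from Description into the new Default column and Description renders empty. If that placement is intended, the rows should still carry an explicit fifth cell so the table stays well-formed; the same applies to the ClientTrafficPolicy hunk (@@ -639).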
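Review bot: In the BackendTrafficPolicySpec hunk (@@ -433), the regenerated rows still mark `targetRef`, `targetRefs` and `targetSelectors` all as Required `true`, although `targetRef` is described as "Deprecated: use targetRefs/targetSelectors instead"; three alternative attachment fields cannot all be required, so the Required derivation for these rows should be checked in the source types rather than patched in this generated file. The ClientTrafficPolicySpec hunk (@@ -657) has the identical rows. In the same hunk the new Default column is empty for `loadBalancer` ("Defaults to `LeastRequest`") and `useClientProtocol` ("Defaults to false"), leaving two places for a reader to look for a default.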
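Review bot: In the CORS hunk (@@ -520), the regenerated descriptions for `allowMethods`, `allowHeaders`, `exposeHeaders` and `maxAge` end in a doubled period ("CORS response header.."); since this file is generated, the fix belongs in the Go doc comments the table is built from. The `allowOrigins` and `allowCredentials` descriptions also do not say how the wildcard "*" interacts with credentialed requests, which is the combination readers of this table most need spelled out.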
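Review bot: In the CircuitBreaker hunk (@@ -540), the Default column is filled with 1024 for `maxConnections`, `maxPendingRequests`, `maxParallelRequests` and `maxParallelRetries` but left empty for `maxRequestsPerConnection`, whose description still carries "Default: unlimited." in prose. Put "unlimited" in the column (or state the convention for unbounded defaults) so the new column is the single place defaults live; these are the limits an operator tunes for overload protection and should not have to be read from two places.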
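Review bot: In the ClientConnection hunk (@@ -573), `bufferLimit` keeps "Default: 32768 bytes." in its description while the new Default cell beside it is blank, and the sentence "BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space." is unclear about what the limit bounds. Suggest moving the default into the column and rewording the sentence in the source comment.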
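Review bot: In the ClientTLSSettings hunk (@@ -603), the defaults that matter most for a TLS listener remain prose-only: `minVersion` ("The default is TLS 1.2"), `maxVersion` ("The default is TLS 1.3"), and the FIPS and non-FIPS cipher and curve lists, while the Default column beside them is blank. At minimum `minVersion` and `maxVersion` should get their Default cell populated; the same goes for `optional` in the ClientValidationContext hunk (@@ -687), which says "Defaults to false" in its description and is the setting that decides whether a client without a certificate is rejected.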
@@ -639,13 +639,13 @@ between the downstream client and Envoy Proxy listener. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`ClientTrafficPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[ClientTrafficPolicySpec](#clienttrafficpolicyspec)_ | true | Spec defines the desired state of ClientTrafficPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[ClientTrafficPolicySpec](#clienttrafficpolicyspec)_ | true | | Spec defines the desired state of ClientTrafficPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of ClientTrafficPolicy. | #### ClientTrafficPolicySpec @@ -657,23 +657,23 @@ ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy. _Appears in:_ - [ClientTrafficPolicy](#clienttrafficpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default. | -| `enableProxyProtocol` | _boolean_ | false | EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed. | -| `clientIPDetection` | _[ClientIPDetectionSettings](#clientipdetectionsettings)_ | false | ClientIPDetectionSettings provides configuration for determining the original client IP address for requests. | -| `tls` | _[ClientTLSSettings](#clienttlssettings)_ | false | TLS settings configure TLS termination settings with the downstream client. | -| `path` | _[PathSettings](#pathsettings)_ | false | Path enables managing how the incoming path set by clients can be normalized. | -| `headers` | _[HeaderSettings](#headersettings)_ | false | HeaderSettings provides configuration for header management. | -| `timeout` | _[ClientTimeout](#clienttimeout)_ | false | Timeout settings for the client connections. | -| `connection` | _[ClientConnection](#clientconnection)_ | false | Connection includes client connection settings. | -| `http1` | _[HTTP1Settings](#http1settings)_ | false | HTTP1 provides HTTP/1 configuration on the listener. | -| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration on the listener. | -| `http3` | _[HTTP3Settings](#http3settings)_ | false | HTTP3 provides HTTP/3 configuration on the listener. | -| `healthCheck` | _[HealthCheckSettings](#healthchecksettings)_ | false | HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | | TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default. | +| `enableProxyProtocol` | _boolean_ | false | | EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed. | +| `clientIPDetection` | _[ClientIPDetectionSettings](#clientipdetectionsettings)_ | false | | ClientIPDetectionSettings provides configuration for determining the original client IP address for requests. | +| `tls` | _[ClientTLSSettings](#clienttlssettings)_ | false | | TLS settings configure TLS termination settings with the downstream client. | +| `path` | _[PathSettings](#pathsettings)_ | false | | Path enables managing how the incoming path set by clients can be normalized. | +| `headers` | _[HeaderSettings](#headersettings)_ | false | | HeaderSettings provides configuration for header management. | +| `timeout` | _[ClientTimeout](#clienttimeout)_ | false | | Timeout settings for the client connections. | +| `connection` | _[ClientConnection](#clientconnection)_ | false | | Connection includes client connection settings. | +| `http1` | _[HTTP1Settings](#http1settings)_ | false | | HTTP1 provides HTTP/1 configuration on the listener. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | | HTTP2 provides HTTP/2 configuration on the listener. | +| `http3` | _[HTTP3Settings](#http3settings)_ | false | | HTTP3 provides HTTP/3 configuration on the listener. | +| `healthCheck` | _[HealthCheckSettings](#healthchecksettings)_ | false | | HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy. | #### ClientValidationContext @@ -687,10 +687,10 @@ By default, no client specific configuration is validated. _Appears in:_ - [ClientTLSSettings](#clienttlssettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `optional` | _boolean_ | false | Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate. | -| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `optional` | _boolean_ | false | | Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate. | +| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | #### ClusterSettings @@ -712,18 +712,18 @@ _Appears in:_ - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | -| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | -| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | -| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | -| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | -| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | -| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | -| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | -| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | | HTTP2 provides HTTP/2 configuration for backend connections. | #### Compression @@ -737,10 +737,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ProxyPrometheusProvider](#proxyprometheusprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[CompressorType](#compressortype)_ | true | CompressorType defines the compressor type to use for compression. | -| `gzip` | _[GzipCompressor](#gzipcompressor)_ | false | The configuration for GZIP compressor. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[CompressorType](#compressortype)_ | true | | CompressorType defines the compressor type to use for compression. | +| `gzip` | _[GzipCompressor](#gzipcompressor)_ | false | | The configuration for GZIP compressor. | #### CompressorType @@ -763,10 +763,10 @@ _Appears in:_ _Appears in:_ - [ClientConnection](#clientconnection) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | -| `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `value` | _integer_ | true | | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | +| `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | #### ConsistentHash @@ -779,12 +779,12 @@ load balancer policy. _Appears in:_ - [LoadBalancer](#loadbalancer) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ConsistentHashType](#consistenthashtype)_ | true | ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
"Cookie". | -| `header` | _[Header](#header)_ | false | Header configures the header hash policy when the consistent hash type is set to Header. | -| `cookie` | _[Cookie](#cookie)_ | false | Cookie configures the cookie hash policy when the consistent hash type is set to Cookie. | -| `tableSize` | _integer_ | false | The table size for consistent hashing, must be prime number limited to 5000011. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ConsistentHashType](#consistenthashtype)_ | true | | ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
"Cookie". | +| `header` | _[Header](#header)_ | false | | Header configures the header hash policy when the consistent hash type is set to Header. | +| `cookie` | _[Cookie](#cookie)_ | false | | Cookie configures the cookie hash policy when the consistent hash type is set to Cookie. | +| `tableSize` | _integer_ | false | 65537 | The table size for consistent hashing, must be prime number limited to 5000011. | #### ConsistentHashType @@ -813,11 +813,11 @@ load balancing. _Appears in:_ - [ConsistentHash](#consistenthash) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name of the cookie to hash.
If this cookie does not exist in the request, Envoy will generate a cookie and set
the TTL on the response back to the client based on Layer 4
attributes of the backend endpoint, to ensure that these future requests
go to the same backend endpoint. Make sure to set the TTL field for this case. | -| `ttl` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value. | -| `attributes` | _object (keys:string, values:string)_ | false | Additional Attributes to set for the generated cookie. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name of the cookie to hash.
If this cookie does not exist in the request, Envoy will generate a cookie and set
the TTL on the response back to the client based on Layer 4
attributes of the backend endpoint, to ensure that these future requests
go to the same backend endpoint. Make sure to set the TTL field for this case. | +| `ttl` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value. | +| `attributes` | _object (keys:string, values:string)_ | false | | Additional Attributes to set for the generated cookie. | #### CustomHeaderExtensionSettings @@ -832,10 +832,10 @@ for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name of the header containing the original downstream remote address, if present. | -| `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name of the header containing the original downstream remote address, if present. | +| `failClosed` | _boolean_ | false | | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | #### CustomResponse @@ -847,10 +847,10 @@ CustomResponse defines the configuration for returning a custom response. _Appears in:_ - [ResponseOverride](#responseoverride) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `contentType` | _string_ | false | | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | | Body of the Custom Response | #### CustomResponseBody @@ -863,11 +863,11 @@ _Appears in:_ - [CustomResponse](#customresponse) - [HTTPDirectResponseFilter](#httpdirectresponsefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | -| `inline` | _string_ | false | Inline contains the value as an inline string. | -| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Inline | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | +| `inline` | _string_ | false | | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | #### CustomResponseMatch @@ -879,9 +879,9 @@ CustomResponseMatch defines the configuration for matching a user response to re _Appears in:_ - [ResponseOverride](#responseoverride) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | | Status code to match on. The match evaluates to true if any of the matches are successful. | #### CustomTag @@ -893,12 +893,12 @@ _Appears in:_ _Appears in:_ - [ProxyTracing](#proxytracing) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[CustomTagType](#customtagtype)_ | true | Type defines the type of custom tag. | -| `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | Literal adds hard-coded value to each span.
It's required when the type is "Literal". | -| `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | Environment adds value from environment variable to each span.
It's required when the type is "Environment". | -| `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | RequestHeader adds value from request header to each span.
It's required when the type is "RequestHeader". | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[CustomTagType](#customtagtype)_ | true | Literal | Type defines the type of custom tag. | +| `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | | Literal adds hard-coded value to each span.
It's required when the type is "Literal". | +| `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | | Environment adds value from environment variable to each span.
It's required when the type is "Environment". | +| `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | | RequestHeader adds value from request header to each span.
It's required when the type is "RequestHeader". | #### CustomTagType @@ -927,10 +927,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | -| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -942,10 +942,10 @@ EnvironmentCustomTag adds value from environment variable to each span. _Appears in:_ - [CustomTag](#customtag) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name defines the name of the environment variable which to extract the value from. | -| `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the environment variable is not set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name defines the name of the environment variable which to extract the value from. | +| `defaultValue` | _string_ | false | | DefaultValue defines the default value to use if the environment variable is not set. | #### EnvoyExtensionPolicy 
@@ -956,13 +956,13 @@ EnvoyExtensionPolicy allows the user to configure various envoy extensibility op -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyExtensionPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)_ | true | Spec defines the desired state of EnvoyExtensionPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)_ | true | | Spec defines the desired state of EnvoyExtensionPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of EnvoyExtensionPolicy. | #### EnvoyExtensionPolicySpec @@ -974,13 +974,13 @@ EnvoyExtensionPolicySpec defines the desired state of EnvoyExtensionPolicy. _Appears in:_ - [EnvoyExtensionPolicy](#envoyextensionpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `wasm` | _[Wasm](#wasm) array_ | false | Wasm is a list of Wasm extensions to be loaded by the Gateway.
Order matters, as the extensions will be loaded in the order they are
defined in this list. | -| `extProc` | _[ExtProc](#extproc) array_ | false | ExtProc is an ordered list of external processing filters
that should be added to the envoy filter chain | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `wasm` | _[Wasm](#wasm) array_ | false | | Wasm is a list of Wasm extensions to be loaded by the Gateway.
Order matters, as the extensions will be loaded in the order they are
defined in this list. | +| `extProc` | _[ExtProc](#extproc) array_ | false | | ExtProc is an ordered list of external processing filters
that should be added to the envoy filter chain | #### EnvoyFilter @@ -1019,18 +1019,18 @@ EnvoyGateway is the schema for the envoygateways API. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyGateway` -| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | -| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | -| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | -| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | -| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | -| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | -| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | -| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | +| `gateway` | _[Gateway](#gateway)_ | false | | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | +| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | +| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | \{ default:info \} | Logging defines logging parameters for Envoy Gateway. | +| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | +| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | +| `rateLimit` | _[RateLimit](#ratelimit)_ | false | | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | +| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | +| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | #### EnvoyGatewayAdmin @@ -1043,11 +1043,11 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `address` | _[EnvoyGatewayAdminAddress](#envoygatewayadminaddress)_ | false | Address defines the address of Envoy Gateway Admin Server. | -| `enableDumpConfig` | _boolean_ | false | EnableDumpConfig defines if enable dump config in Envoy Gateway logs. | -| `enablePprof` | _boolean_ | false | EnablePprof defines if enable pprof in Envoy Gateway Admin Server. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `address` | _[EnvoyGatewayAdminAddress](#envoygatewayadminaddress)_ | false | | Address defines the address of Envoy Gateway Admin Server. | +| `enableDumpConfig` | _boolean_ | false | | EnableDumpConfig defines if enable dump config in Envoy Gateway logs. | +| `enablePprof` | _boolean_ | false | | EnablePprof defines if enable pprof in Envoy Gateway Admin Server. | #### EnvoyGatewayAdminAddress @@ -1059,10 +1059,10 @@ EnvoyGatewayAdminAddress defines the Envoy Gateway Admin Address configuration. _Appears in:_ - [EnvoyGatewayAdmin](#envoygatewayadmin) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `port` | _integer_ | false | Port defines the port the admin server is exposed on. | -| `host` | _string_ | false | Host defines the admin server hostname. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `port` | _integer_ | false | 19000 | Port defines the port the admin server is exposed on. | +| `host` | _string_ | false | 127.0.0.1 | Host defines the admin server hostname. | #### EnvoyGatewayCustomProvider 
@@ -1074,10 +1074,10 @@ EnvoyGatewayCustomProvider defines configuration for the Custom provider. _Appears in:_ - [EnvoyGatewayProvider](#envoygatewayprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | -| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | +| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | #### EnvoyGatewayFileResourceProvider @@ -1089,9 +1089,9 @@ EnvoyGatewayFileResourceProvider defines configuration for the File Resource pro _Appears in:_ - [EnvoyGatewayResourceProvider](#envoygatewayresourceprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `paths` | _string array_ | true | | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | #### EnvoyGatewayHostInfrastructureProvider @@ -1114,10 +1114,10 @@ EnvoyGatewayInfrastructureProvider defines configuration for the Custom Infrastr _Appears in:_ - [EnvoyGatewayCustomProvider](#envoygatewaycustomprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[InfrastructureProviderType](#infrastructureprovidertype)_ | true | Type is the type of infrastructure providers to use. Supported types are "Host". | -| `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | Host defines the configuration of the Host provider. Host provides runtime
deployment of the data plane as a child process on the host environment. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[InfrastructureProviderType](#infrastructureprovidertype)_ | true | | Type is the type of infrastructure providers to use. Supported types are "Host". | +| `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | | Host defines the configuration of the Host provider. Host provides runtime
deployment of the data plane as a child process on the host environment. | #### EnvoyGatewayKubernetesProvider @@ -1129,15 +1129,15 @@ EnvoyGatewayKubernetesProvider defines configuration for the Kubernetes provider _Appears in:_ - [EnvoyGatewayProvider](#envoygatewayprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | -| `rateLimitHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | RateLimitHpa defines the Horizontal Pod Autoscaler settings for Envoy ratelimit Deployment.
If the HPA is set, Replicas field from RateLimitDeployment will be ignored. | -| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | -| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | -| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | -| `leaderElection` | _[LeaderElection](#leaderelection)_ | false | LeaderElection specifies the configuration for leader election.
If it's not set up, leader election will be active by default, using Kubernetes' standard settings. | -| `shutdownManager` | _[ShutdownManager](#shutdownmanager)_ | false | ShutdownManager defines the configuration for the shutdown manager. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | +| `rateLimitHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | | RateLimitHpa defines the Horizontal Pod Autoscaler settings for Envoy ratelimit Deployment.
If the HPA is set, Replicas field from RateLimitDeployment will be ignored. | +| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | | Watch holds configuration of which input resources should be watched and reconciled. | +| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | +| `overwriteControlPlaneCerts` | _boolean_ | false | | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | +| `leaderElection` | _[LeaderElection](#leaderelection)_ | false | | LeaderElection specifies the configuration for leader election.
If it's not set up, leader election will be active by default, using Kubernetes' standard settings. | +| `shutdownManager` | _[ShutdownManager](#shutdownmanager)_ | false | | ShutdownManager defines the configuration for the shutdown manager. | #### EnvoyGatewayLogComponent @@ -1170,9 +1170,9 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | \{ default:info \} | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. | #### EnvoyGatewayMetricSink @@ -1185,10 +1185,10 @@ metric sinks where metrics are sent to. _Appears in:_ - [EnvoyGatewayMetrics](#envoygatewaymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG control plane currently supports OpenTelemetry. | -| `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[MetricSinkType](#metricsinktype)_ | true | OpenTelemetry | Type defines the metric sink type.
EG control plane currently supports OpenTelemetry. | +| `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | #### EnvoyGatewayMetrics @@ -1200,10 +1200,10 @@ EnvoyGatewayMetrics defines control plane push/pull metrics configurations. _Appears in:_ - [EnvoyGatewayTelemetry](#envoygatewaytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `sinks` | _[EnvoyGatewayMetricSink](#envoygatewaymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | -| `prometheus` | _[EnvoyGatewayPrometheusProvider](#envoygatewayprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `sinks` | _[EnvoyGatewayMetricSink](#envoygatewaymetricsink) array_ | true | | Sinks defines the metric sinks where metrics are sent to. | +| `prometheus` | _[EnvoyGatewayPrometheusProvider](#envoygatewayprometheusprovider)_ | true | | Prometheus defines the configuration for prometheus endpoint. | #### EnvoyGatewayOpenTelemetrySink @@ -1215,13 +1215,13 @@ _Appears in:_ _Appears in:_ - [EnvoyGatewayMetricSink](#envoygatewaymetricsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `host` | _string_ | true | Host define the sink service hostname. | -| `protocol` | _string_ | true | Protocol define the sink service protocol. | -| `port` | _integer_ | false | Port defines the port the sink service is exposed on. | -| `exportInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportInterval configures the intervening time between exports for a
Sink. This option overrides any value set for the
OTEL_METRIC_EXPORT_INTERVAL environment variable.
If ExportInterval is less than or equal to zero, 60 seconds
is used as the default. | -| `exportTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportTimeout configures the time a Sink waits for an export to
complete before canceling it. This option overrides any value set for the
OTEL_METRIC_EXPORT_TIMEOUT environment variable.
If ExportTimeout is less than or equal to zero, 30 seconds
is used as the default. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `host` | _string_ | true | | Host define the sink service hostname. | +| `protocol` | _string_ | true | | Protocol define the sink service protocol. | +| `port` | _integer_ | false | 4317 | Port defines the port the sink service is exposed on. | +| `exportInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | ExportInterval configures the intervening time between exports for a
Sink. This option overrides any value set for the
OTEL_METRIC_EXPORT_INTERVAL environment variable.
If ExportInterval is less than or equal to zero, 60 seconds
is used as the default. | +| `exportTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | ExportTimeout configures the time a Sink waits for an export to
complete before canceling it. This option overrides any value set for the
OTEL_METRIC_EXPORT_TIMEOUT environment variable.
If ExportTimeout is less than or equal to zero, 30 seconds
is used as the default. | #### EnvoyGatewayPrometheusProvider @@ -1233,9 +1233,9 @@ EnvoyGatewayPrometheusProvider will expose prometheus endpoint in pull mode. _Appears in:_ - [EnvoyGatewayMetrics](#envoygatewaymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable defines if disables the prometheus metrics in pull mode. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable defines if disables the prometheus metrics in pull mode. | #### EnvoyGatewayProvider @@ -1248,11 +1248,11 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | -| `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | -| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProviderType](#providertype)_ | true | | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | +| `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | +| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | #### EnvoyGatewayResourceProvider @@ -1264,10 +1264,10 @@ EnvoyGatewayResourceProvider defines configuration for the Custom Resource provi _Appears in:_ - [EnvoyGatewayCustomProvider](#envoygatewaycustomprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ResourceProviderType](#resourceprovidertype)_ | true | Type is the type of resource provider to use. Supported types are "File". | -| `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | File defines the configuration of the File provider. File provides runtime
configuration defined by one or more files. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ResourceProviderType](#resourceprovidertype)_ | true | | Type is the type of resource provider to use. Supported types are "File". | +| `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | | File defines the configuration of the File provider. File provides runtime
configuration defined by one or more files. | #### EnvoyGatewaySpec @@ -1279,16 +1279,16 @@ EnvoyGatewaySpec defines the desired state of Envoy Gateway. _Appears in:_ - [EnvoyGateway](#envoygateway) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | -| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | -| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | -| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | -| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | -| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | -| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | -| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `gateway` | _[Gateway](#gateway)_ | false | | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | +| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | +| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | \{ default:info \} | Logging defines logging parameters for Envoy Gateway. | +| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | +| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | +| `rateLimit` | _[RateLimit](#ratelimit)_ | false | | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | +| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | +| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | #### EnvoyGatewayTelemetry @@ -1302,9 +1302,9 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `metrics` | _[EnvoyGatewayMetrics](#envoygatewaymetrics)_ | true | Metrics defines metrics configuration for envoy gateway. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `metrics` | _[EnvoyGatewayMetrics](#envoygatewaymetrics)_ | true | | Metrics defines metrics configuration for envoy gateway. | #### EnvoyJSONPatchConfig @@ -1317,11 +1317,11 @@ using JSONPatch semantic _Appears in:_ - [EnvoyPatchPolicySpec](#envoypatchpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[EnvoyResourceType](#envoyresourcetype)_ | true | Type is the typed URL of the Envoy xDS Resource | -| `name` | _string_ | true | Name is the name of the resource | -| `operation` | _[JSONPatchOperation](#jsonpatchoperation)_ | true | Patch defines the JSON Patch Operation | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[EnvoyResourceType](#envoyresourcetype)_ | true | | Type is the typed URL of the Envoy xDS Resource | +| `name` | _string_ | true | | Name is the name of the resource | +| `operation` | _[JSONPatchOperation](#jsonpatchoperation)_ | true | | Patch defines the JSON Patch Operation | #### EnvoyPatchPolicy 
@@ -1333,13 +1333,13 @@ resources by Envoy Gateway using this patch API -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyPatchPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[EnvoyPatchPolicySpec](#envoypatchpolicyspec)_ | true | Spec defines the desired state of EnvoyPatchPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyPatchPolicySpec](#envoypatchpolicyspec)_ | true | | Spec defines the desired state of EnvoyPatchPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of EnvoyPatchPolicy. | #### EnvoyPatchPolicySpec @@ -1351,12 +1351,12 @@ EnvoyPatchPolicySpec defines the desired state of EnvoyPatchPolicy. _Appears in:_ - [EnvoyPatchPolicy](#envoypatchpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch". | -| `jsonPatches` | _[EnvoyJSONPatchConfig](#envoyjsonpatchconfig) array_ | false | JSONPatch defines the JSONPatch configuration. | -| `targetRef` | _[LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference)_ | true | TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default, attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef | -| `priority` | _integer_ | true | Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | | Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch". | +| `jsonPatches` | _[EnvoyJSONPatchConfig](#envoyjsonpatchconfig) array_ | false | | JSONPatch defines the JSONPatch configuration. | +| `targetRef` | _[LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference)_ | true | | TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default, attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef | +| `priority` | _integer_ | true | | Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0. | #### EnvoyPatchType @@ -1381,13 +1381,13 @@ EnvoyProxy is the schema for the envoyproxies API. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyProxy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[EnvoyProxySpec](#envoyproxyspec)_ | true | EnvoyProxySpec defines the desired state of EnvoyProxy. | -| `status` | _[EnvoyProxyStatus](#envoyproxystatus)_ | true | EnvoyProxyStatus defines the actual state of EnvoyProxy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyProxySpec](#envoyproxyspec)_ | true | | EnvoyProxySpec defines the desired state of EnvoyProxy. | +| `status` | _[EnvoyProxyStatus](#envoyproxystatus)_ | true | | EnvoyProxyStatus defines the actual state of EnvoyProxy. | #### EnvoyProxyKubernetesProvider @@ -1400,14 +1400,14 @@ provider. _Appears in:_ - [EnvoyProxyProvider](#envoyproxyprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | EnvoyDeployment defines the desired state of the Envoy deployment resource.
If unspecified, default settings for the managed Envoy deployment resource
are applied. | -| `envoyDaemonSet` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | EnvoyDaemonSet defines the desired state of the Envoy daemonset resource.
Disabled by default, a deployment resource is used instead to provision the Envoy Proxy fleet | -| `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | EnvoyService defines the desired state of the Envoy service resource.
If unspecified, default settings for the managed Envoy service resource
are applied. | -| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. | -| `useListenerPortAsContainerPort` | _boolean_ | false | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. | -| `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ | false | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | | EnvoyDeployment defines the desired state of the Envoy deployment resource.
If unspecified, default settings for the managed Envoy deployment resource
are applied. | +| `envoyDaemonSet` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | | EnvoyDaemonSet defines the desired state of the Envoy daemonset resource.
Disabled by default, a deployment resource is used instead to provision the Envoy Proxy fleet | +| `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | | EnvoyService defines the desired state of the Envoy service resource.
If unspecified, default settings for the managed Envoy service resource
are applied. | +| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. | +| `useListenerPortAsContainerPort` | _boolean_ | false | | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. | +| `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ | false | | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. | #### EnvoyProxyProvider @@ -1419,10 +1419,10 @@ EnvoyProxyProvider defines the desired state of a resource provider. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProviderType](#providertype)_ | true | Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
optional auxiliary control planes. Supported types are "Kubernetes". | -| `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | Kubernetes defines the desired state of the Kubernetes resource provider.
Kubernetes provides infrastructure resources for running the data plane,
e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
for managed Kubernetes resources are applied. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProviderType](#providertype)_ | true | | Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
optional auxiliary control planes. Supported types are "Kubernetes". | +| `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | | Kubernetes defines the desired state of the Kubernetes resource provider.
Kubernetes provides infrastructure resources for running the data plane,
e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
for managed Kubernetes resources are applied. | #### EnvoyProxySpec @@ -1434,21 +1434,21 @@ EnvoyProxySpec defines the desired state of EnvoyProxy. _Appears in:_ - [EnvoyProxy](#envoyproxy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | Provider defines the desired resource provider and provider-specific configuration.
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters. | -| `logging` | _[ProxyLogging](#proxylogging)_ | true | Logging defines logging parameters for managed proxies. | -| `telemetry` | _[ProxyTelemetry](#proxytelemetry)_ | false | Telemetry defines telemetry parameters for managed proxies. | -| `bootstrap` | _[ProxyBootstrap](#proxybootstrap)_ | false | Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
to learn more about the syntax.
If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
set by Envoy Gateway.
Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
Backward compatibility across minor versions is not guaranteed.
We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. | -| `concurrency` | _integer_ | false | Concurrency defines the number of worker threads to run. If unset, it defaults to
the number of cpuset threads on the platform. | -| `routingType` | _[RoutingType](#routingtype)_ | false | RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
or it can be set to "Endpoint" to use Endpoint routing. The default is "Endpoint". | -| `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | -| `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | -| `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | -| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | -| `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | -| `ipFamily` | _[IPFamily](#ipfamily)_ | false | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | -| `preserveRouteOrder` | _boolean_ | false | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | | Provider defines the desired resource provider and provider-specific configuration.
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters. | +| `logging` | _[ProxyLogging](#proxylogging)_ | true | \{ level:map[default:warn] \} | Logging defines logging parameters for managed proxies. | +| `telemetry` | _[ProxyTelemetry](#proxytelemetry)_ | false | | Telemetry defines telemetry parameters for managed proxies. | +| `bootstrap` | _[ProxyBootstrap](#proxybootstrap)_ | false | | Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
to learn more about the syntax.
If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
set by Envoy Gateway.
Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
Backward compatibility across minor versions is not guaranteed.
We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. | +| `concurrency` | _integer_ | false | | Concurrency defines the number of worker threads to run. If unset, it defaults to
the number of cpuset threads on the platform. | +| `routingType` | _[RoutingType](#routingtype)_ | false | | RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
or it can be set to "Endpoint" to use Endpoint routing. The default is "Endpoint". | +| `extraArgs` | _string array_ | false | | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | +| `mergeGateways` | _boolean_ | false | | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | +| `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | | Shutdown defines configuration for graceful envoy shutdown process. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | +| `ipFamily` | _[IPFamily](#ipfamily)_ | false | | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | +| `preserveRouteOrder` | _boolean_ | false | | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False | #### EnvoyProxyStatus @@ -1489,14 +1489,14 @@ ExtAuth defines the configuration for External Authorization. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | -| `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | -| `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | -| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | BodyToExtAuth defines the Body to Ext Auth configuration. | -| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | -| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | +| `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | +| `headersToExtAuth` | _string array_ | false | | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | +| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | | BodyToExtAuth defines the Body to Ext Auth configuration. | +| `failOpen` | _boolean_ | false | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | +| `recomputeRoute` | _boolean_ | false | | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | #### ExtProc @@ -1508,15 +1508,15 @@ ExtProc defines the configuration for External Processing filter. _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | -| `failOpen` | _boolean_ | false | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | -| `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | -| `metadata` | _[ExtProcMetadata](#extprocmetadata)_ | false | Refer to Kubernetes API documentation for fields of `metadata`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | +| `failOpen` | _boolean_ | false | | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | +| `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | +| `metadata` | _[ExtProcMetadata](#extprocmetadata)_ | false | | Refer to Kubernetes API documentation for fields of `metadata`. | #### ExtProcBodyProcessingMode @@ -1545,10 +1545,10 @@ external processor service _Appears in:_ - [ExtProc](#extproc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `accessibleNamespaces` | _string array_ | false | AccessibleNamespaces are metadata namespaces that are sent to the external processor as context | -| `writableNamespaces` | _string array_ | false | WritableNamespaces are metadata namespaces that the external processor can write to | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `accessibleNamespaces` | _string array_ | false | | AccessibleNamespaces are metadata namespaces that are sent to the external processor as context | +| `writableNamespaces` | _string array_ | false | | WritableNamespaces are metadata namespaces that the external processor can write to | #### ExtProcProcessingMode @@ -1561,10 +1561,10 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_p _Appears in:_ - [ExtProc](#extproc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `request` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for requests. If present, request headers are sent. Request body is processed according
to the specified mode. | -| `response` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for responses. If present, response headers are sent. Response body is processed according
to the specified mode. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `request` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | | Defines processing mode for requests. If present, request headers are sent. Request body is processed according
to the specified mode. | +| `response` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | | Defines processing mode for responses. If present, response headers are sent. Response body is processed according
to the specified mode. | #### ExtensionAPISettings @@ -1577,10 +1577,10 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enableEnvoyPatchPolicy` | _boolean_ | true | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. | -| `enableBackend` | _boolean_ | true | EnableBackend enables Envoy Gateway to
reconcile and implement the Backend resources. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enableEnvoyPatchPolicy` | _boolean_ | true | | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. | +| `enableBackend` | _boolean_ | true | | EnableBackend enables Envoy Gateway to
reconcile and implement the Backend resources. | #### ExtensionHooks @@ -1592,9 +1592,9 @@ ExtensionHooks defines extension hooks across all supported runners _Appears in:_ - [ExtensionManager](#extensionmanager) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `xdsTranslator` | _[XDSTranslatorHooks](#xdstranslatorhooks)_ | true | XDSTranslator defines all the supported extension hooks for the xds-translator runner | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `xdsTranslator` | _[XDSTranslatorHooks](#xdstranslatorhooks)_ | true | | XDSTranslator defines all the supported extension hooks for the xds-translator runner | #### ExtensionManager @@ -1608,13 +1608,13 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `resources` | _[GroupVersionKind](#groupversionkind) array_ | false | Resources defines the set of K8s resources the extension will handle as route
filter resources | -| `policyResources` | _[GroupVersionKind](#groupversionkind) array_ | false | PolicyResources defines the set of K8S resources the extension server will handle
as directly attached GatewayAPI policies | -| `hooks` | _[ExtensionHooks](#extensionhooks)_ | true | Hooks defines the set of hooks the extension supports | -| `service` | _[ExtensionService](#extensionservice)_ | true | Service defines the configuration of the extension service that the Envoy
Gateway Control Plane will call through extension hooks. | -| `failOpen` | _boolean_ | false | FailOpen defines if Envoy Gateway should ignore errors returned from the Extension Service hooks.
The default is false, which means Envoy Gateway will fail closed if the Extension Service returns an error.

Fail-close means that if the Extension Service hooks return an error, the relevant route/listener/resource
will be replaced with a default configuration returning Internal Server Error (HTTP 500).

Fail-open means that if the Extension Service hooks return an error, no changes will be applied to the
source of the configuration which was sent to the extension server. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `resources` | _[GroupVersionKind](#groupversionkind) array_ | false | | Resources defines the set of K8s resources the extension will handle as route
filter resources | +| `policyResources` | _[GroupVersionKind](#groupversionkind) array_ | false | | PolicyResources defines the set of K8S resources the extension server will handle
as directly attached GatewayAPI policies | +| `hooks` | _[ExtensionHooks](#extensionhooks)_ | true | | Hooks defines the set of hooks the extension supports | +| `service` | _[ExtensionService](#extensionservice)_ | true | | Service defines the configuration of the extension service that the Envoy
Gateway Control Plane will call through extension hooks. | +| `failOpen` | _boolean_ | false | | FailOpen defines if Envoy Gateway should ignore errors returned from the Extension Service hooks.
The default is false, which means Envoy Gateway will fail closed if the Extension Service returns an error.

Fail-close means that if the Extension Service hooks return an error, the relevant route/listener/resource
will be replaced with a default configuration returning Internal Server Error (HTTP 500).

Fail-open means that if the Extension Service hooks return an error, no changes will be applied to the
source of the configuration which was sent to the extension server. | #### ExtensionService @@ -1626,14 +1626,14 @@ ExtensionService defines the configuration for connecting to a registered extens _Appears in:_ - [ExtensionManager](#extensionmanager) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | -| `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -| `host` | _string_ | false | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | -| `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | -| `tls` | _[ExtensionTLS](#extensiontls)_ | false | TLS defines TLS configuration for communication between Envoy Gateway and
the extension service. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | | FQDN defines a FQDN endpoint | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | +| `unix` | _[UnixSocket](#unixsocket)_ | false | | Unix defines the unix domain socket endpoint | +| `host` | _string_ | false | | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | +| `port` | _integer_ | false | 80 | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | +| `tls` | _[ExtensionTLS](#extensiontls)_ | false | | TLS defines TLS configuration for communication between Envoy Gateway and
the extension service. | #### ExtensionTLS @@ -1645,9 +1645,9 @@ ExtensionTLS defines the TLS configuration when connecting to an extension servi _Appears in:_ - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.

CertificateRef can only reference a Kubernetes Secret at this time. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.

CertificateRef can only reference a Kubernetes Secret at this time. | #### FQDNEndpoint @@ -1661,10 +1661,10 @@ _Appears in:_ - [BackendEndpoint](#backendendpoint) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `hostname` | _string_ | true | Hostname defines the FQDN hostname of the backend endpoint. | -| `port` | _integer_ | true | Port defines the port of the backend endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `hostname` | _string_ | true | | Hostname defines the FQDN hostname of the backend endpoint. | +| `port` | _integer_ | true | | Port defines the port of the backend endpoint. | #### FaultInjection @@ -1677,10 +1677,10 @@ inject delays and abort requests to mimic failure scenarios such as service fail _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `delay` | _[FaultInjectionDelay](#faultinjectiondelay)_ | false | If specified, a delay will be injected into the request. | -| `abort` | _[FaultInjectionAbort](#faultinjectionabort)_ | false | If specified, the request will be aborted if it meets the configuration criteria. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `delay` | _[FaultInjectionDelay](#faultinjectiondelay)_ | false | | If specified, a delay will be injected into the request. | +| `abort` | _[FaultInjectionAbort](#faultinjectionabort)_ | false | | If specified, the request will be aborted if it meets the configuration criteria. | #### FaultInjectionAbort 
@@ -1692,11 +1692,11 @@ FaultInjectionAbort defines the abort fault injection configuration _Appears in:_ - [FaultInjection](#faultinjection) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `httpStatus` | _integer_ | false | StatusCode specifies the HTTP status code to be returned | -| `grpcStatus` | _integer_ | false | GrpcStatus specifies the GRPC status code to be returned | -| `percentage` | _float_ | false | Percentage specifies the percentage of requests to be aborted. Default 100%, if set 0, no requests will be aborted. Accuracy to 0.0001%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `httpStatus` | _integer_ | false | | StatusCode specifies the HTTP status code to be returned | +| `grpcStatus` | _integer_ | false | | GrpcStatus specifies the GRPC status code to be returned | +| `percentage` | _float_ | false | 100 | Percentage specifies the percentage of requests to be aborted. Default 100%, if set 0, no requests will be aborted. Accuracy to 0.0001%. | #### FaultInjectionDelay 
@@ -1708,10 +1708,10 @@ FaultInjectionDelay defines the delay fault injection configuration _Appears in:_ - [FaultInjection](#faultinjection) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `fixedDelay` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | FixedDelay specifies the fixed delay duration | -| `percentage` | _float_ | false | Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `fixedDelay` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | FixedDelay specifies the fixed delay duration | +| `percentage` | _float_ | false | 100 | Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. | #### FileEnvoyProxyAccessLog @@ -1723,9 +1723,9 @@ _Appears in:_ _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path defines the file path used to expose envoy access log(e.g. /dev/stdout). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path defines the file path used to expose envoy access log(e.g. /dev/stdout). | #### FilterPosition @@ -1737,11 +1737,11 @@ FilterPosition defines the position of an Envoy HTTP filter in the filter chain. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _[EnvoyFilter](#envoyfilter)_ | true | Name of the filter. | -| `before` | _[EnvoyFilter](#envoyfilter)_ | true | Before defines the filter that should come before the filter.
Only one of Before or After must be set. | -| `after` | _[EnvoyFilter](#envoyfilter)_ | true | After defines the filter that should come after the filter.
Only one of Before or After must be set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _[EnvoyFilter](#envoyfilter)_ | true | | Name of the filter. | +| `before` | _[EnvoyFilter](#envoyfilter)_ | true | | Before defines the filter that should come before the filter.
Only one of Before or After must be set. | +| `after` | _[EnvoyFilter](#envoyfilter)_ | true | | After defines the filter that should come after the filter.
Only one of Before or After must be set. | #### GRPCActiveHealthChecker @@ -1753,9 +1753,9 @@ GRPCActiveHealthChecker defines the settings of the GRPC health check. _Appears in:_ - [ActiveHealthCheck](#activehealthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `service` | _string_ | false | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `service` | _string_ | false | | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | #### GRPCExtAuthService @@ -1769,11 +1769,11 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth _Appears in:_ - [ExtAuth](#extauth) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | #### Gateway @@ -1786,9 +1786,9 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `controllerName` | _string_ | false | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `controllerName` | _string_ | false | | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | #### GlobalRateLimit @@ -1800,9 +1800,9 @@ GlobalRateLimit defines global rate limit configuration. _Appears in:_ - [RateLimitSpec](#ratelimitspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. | #### GroupVersionKind @@ -1815,11 +1815,11 @@ It can be converted to k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind _Appears in:_ - [ExtensionManager](#extensionmanager) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `group` | _string_ | true | | -| `version` | _string_ | true | | -| `kind` | _string_ | true | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `group` | _string_ | true | | | +| `version` | _string_ | true | | | +| `kind` | _string_ | true | | | #### GzipCompressor @@ -1844,9 +1844,9 @@ HTTP10Settings provides HTTP/1.0 configuration on the listener. _Appears in:_ - [HTTP1Settings](#http1settings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `useDefaultHost` | _boolean_ | false | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `useDefaultHost` | _boolean_ | false | | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. | #### HTTP1Settings @@ -1858,11 +1858,11 @@ HTTP1Settings provides HTTP/1 configuration on the listener. _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enableTrailers` | _boolean_ | false | EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy. | -| `preserveHeaderCase` | _boolean_ | false | PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers. | -| `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enableTrailers` | _boolean_ | false | | EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy. | +| `preserveHeaderCase` | _boolean_ | false | | PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers. | +| `http10` | _[HTTP10Settings](#http10settings)_ | false | | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | #### HTTP2Settings @@ -1876,12 +1876,12 @@ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | -| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | -| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | -| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | +| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | +| `maxConcurrentStreams` | _integer_ | false | | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -1904,12 +1904,12 @@ HTTPActiveHealthChecker defines the settings of http health check. _Appears in:_ - [ActiveHealthCheck](#activehealthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path defines the HTTP path that will be requested during health checking. | -| `method` | _string_ | false | Method defines the HTTP method used for health checking.
Defaults to GET | -| `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | ExpectedStatuses defines a list of HTTP response statuses considered healthy.
Defaults to 200 only | -| `expectedResponse` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | ExpectedResponse defines a list of HTTP expected responses to match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path defines the HTTP path that will be requested during health checking. | +| `method` | _string_ | false | | Method defines the HTTP method used for health checking.
Defaults to GET | +| `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | | ExpectedStatuses defines a list of HTTP response statuses considered healthy.
Defaults to 200 only | +| `expectedResponse` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | | ExpectedResponse defines a list of HTTP expected responses to match. | #### HTTPClientTimeout @@ -1921,10 +1921,10 @@ _Appears in:_ _Appears in:_ - [ClientTimeout](#clienttimeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `requestReceivedTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins. | -| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `requestReceivedTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins. | +| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | #### HTTPDirectResponseFilter @@ -1936,11 +1936,11 @@ HTTPDirectResponseFilter defines the configuration to return a fixed response. _Appears in:_ - [HTTPRouteFilterSpec](#httproutefilterspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Response | -| `statusCode` | _integer_ | false | Status Code of the HTTP response
If unset, defaults to 200. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `contentType` | _string_ | false | | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | | Body of the Response | +| `statusCode` | _integer_ | false | | Status Code of the HTTP response
If unset, defaults to 200. | #### HTTPExtAuthService @@ -1952,13 +1952,13 @@ HTTPExtAuthService defines the HTTP External Authorization service _Appears in:_ - [ExtAuth](#extauth) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | -| `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `path` | _string_ | true | | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | +| `headersToBackend` | _string array_ | false | | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | #### HTTPHostnameModifier @@ -1970,10 +1970,10 @@ _Appears in:_ _Appears in:_ - [HTTPURLRewriteFilter](#httpurlrewritefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | -| `header` | _string_ | false | Header is the name of the header whose value would be used to rewrite the Host header | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | | +| `header` | _string_ | false | | Header is the name of the header whose value would be used to rewrite the Host header | #### HTTPHostnameModifierType @@ -2000,10 +2000,10 @@ _Appears in:_ _Appears in:_ - [HTTPURLRewriteFilter](#httpurlrewritefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | -| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | #### HTTPPathModifierType @@ -2029,12 +2029,12 @@ traffic processing options such as path regex rewrite, direct response and more. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`HTTPRouteFilter` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | | Spec defines the desired state of HTTPRouteFilter. | #### HTTPRouteFilterSpec @@ -2046,10 +2046,10 @@ HTTPRouteFilterSpec defines the desired state of HTTPRouteFilter. _Appears in:_ - [HTTPRouteFilter](#httproutefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | -| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | | +| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | | #### HTTPStatus 
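Review bot: In the HTTP2Settings hunk the new Default column is left blank for `initialStreamWindowSize`, `initialConnectionWindowSize`, `maxConcurrentStreams` and `onInvalidMessage` even though each description states a default (64 KiB, 1 MiB, 100, TerminateConnection), while the HeaderMatch hunk later in this patch does populate the column (`Exact`, `false`). If the column is derived from the types' default markers, these fields need those markers so the documented values show up; otherwise the "Default:" sentences in the descriptions should feed the column. The same gap appears in the HTTPActiveHealthChecker (GET, 200), HTTPClientTimeout and HTTPTimeout (1 hour, unlimited), HTTPDirectResponseFilter (200) and HeaderSettings (reject, false, sanitize) hunks. The HTTP/2 stream and window limits are what bound per-connection resource use on the listener, so readers should find them in the column rather than in the prose.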
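Review bot: In the HTTPRouteFilter hunk the unchanged `apiVersion` and `kind` rows still have four cells and no closing pipe (`| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1``), so under the new five-column header the fixed value now renders in the Default column and Description is empty. That may be the intended reading, but every other row in this patch carries the full column count; add the extra `|` so these rows match the header, or place the value under Description explicitly.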
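Review bot: In the HTTPPathModifier hunk the `replaceRegexMatch` examples are numbered (1), (2), (3), (3); the fourth should be (4). If this page is generated from the type comments, the fix belongs in the source comment rather than in this file.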
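Review bot: In the HTTPExtAuthService hunk `path` is marked Required true while its description says "If path is specified, the authorization request will be sent to that path, or else the authorization request will be sent to the root path", which only makes sense for an optional field; one of the two needs to change. In the same table `backendRefs` is an array but is described as referencing "a Kubernetes object", copied from the deprecated singular `backendRef`; reword it to the plural so the two rows are distinguishable.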
@@ -2073,11 +2073,11 @@ _Appears in:_ _Appears in:_ - [Timeout](#timeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | -| `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | -| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestTimeout is the time until which entire response is received from the upstream. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +| `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The maximum duration of an HTTP connection.
Default: unlimited. | +| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | RequestTimeout is the time until which entire response is received from the upstream. | #### HTTPURLRewriteFilter @@ -2089,10 +2089,10 @@ HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and hos _Appears in:_ - [HTTPRouteFilterSpec](#httproutefilterspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | Hostname is the value to be used to replace the Host header value during
forwarding. | -| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | | Hostname is the value to be used to replace the Host header value during
forwarding. | +| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | | Path defines a path rewrite. | #### HTTPWasmCodeSource @@ -2104,10 +2104,10 @@ HTTPWasmCodeSource defines the HTTP URL containing the Wasm code. _Appears in:_ - [WasmCodeSource](#wasmcodesource) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `url` | _string_ | true | URL is the URL containing the Wasm code. | -| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the Wasm code.

If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `url` | _string_ | true | | URL is the URL containing the Wasm code. | +| `sha256` | _string_ | false | | SHA256 checksum that will be used to verify the Wasm code.

If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | #### Header @@ -2120,9 +2120,9 @@ load balancing. _Appears in:_ - [ConsistentHash](#consistenthash) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name of the header to hash. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name of the header to hash. | #### HeaderMatch @@ -2134,12 +2134,12 @@ HeaderMatch defines the match attributes within the HTTP Headers of the request. _Appears in:_ - [RateLimitSelectCondition](#ratelimitselectcondition) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Type specifies how to match against the value of the header. | -| `name` | _string_ | true | Name of the HTTP header. | -| `value` | _string_ | false | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | -| `invert` | _boolean_ | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Exact | Type specifies how to match against the value of the header. | +| `name` | _string_ | true | | Name of the HTTP header. | +| `value` | _string_ | false | | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| `invert` | _boolean_ | false | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | #### HeaderMatchType @@ -2168,14 +2168,14 @@ HeaderSettings provides configuration options for headers on the listener. _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enableEnvoyHeaders` | _boolean_ | false | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses. | -| `disableRateLimitHeaders` | _boolean_ | false | DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
when rate limiting is enabled. | -| `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | -| `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | -| `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | -| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enableEnvoyHeaders` | _boolean_ | false | | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses. | +| `disableRateLimitHeaders` | _boolean_ | false | | DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
when rate limiting is enabled. | +| `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | +| `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | +| `preserveXRequestID` | _boolean_ | false | | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | +| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | #### HealthCheck @@ -2195,10 +2195,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | -| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | | Active health check configuration | +| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | | Passive passive check configuration | #### HealthCheckSettings @@ -2210,9 +2210,9 @@ HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listene _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path specifies the HTTP path to match on for health check requests. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path specifies the HTTP path to match on for health check requests. | #### IPEndpoint @@ -2226,10 +2226,10 @@ _Appears in:_ - [BackendEndpoint](#backendendpoint) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `address` | _string_ | true | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | -| `port` | _integer_ | true | Port defines the port of the backend endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `address` | _string_ | true | | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | +| `port` | _integer_ | true | | Port defines the port of the backend endpoint. | #### IPFamily @@ -2272,11 +2272,11 @@ ImageWasmCodeSource defines the OCI image containing the Wasm code. _Appears in:_ - [WasmCodeSource](#wasmcodesource) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `url` | _string_ | true | URL is the URL of the OCI image.
URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`. | -| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the OCI image.

It must match the digest of the OCI image.

If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | -| `pullSecretRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | PullSecretRef is a reference to the secret containing the credentials to pull the image.
Only support Kubernetes Secret resource from the same namespace. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `url` | _string_ | true | | URL is the URL of the OCI image.
URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`. | +| `sha256` | _string_ | false | | SHA256 checksum that will be used to verify the OCI image.

It must match the digest of the OCI image.

If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | +| `pullSecretRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | | PullSecretRef is a reference to the secret containing the credentials to pull the image.
Only support Kubernetes Secret resource from the same namespace. | #### InfrastructureProviderType @@ -2319,13 +2319,13 @@ _Appears in:_ - [EnvoyJSONPatchConfig](#envoyjsonpatchconfig) - [ProxyBootstrap](#proxybootstrap) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | -| `path` | _string_ | false | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | -| `jsonPath` | _string_ | false | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | -| `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | -| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | | Op is the type of operation to perform | +| `path` | _string_ | false | | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | +| `jsonPath` | _string_ | false | | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | +| `from` | _string_ | false | | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | #### JSONPatchOperationType @@ -2348,10 +2348,10 @@ JWT defines the configuration for JSON Web Token (JWT) authentication. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `optional` | _boolean_ | true | Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented. | -| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `optional` | _boolean_ | true | | Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented. | +| `providers` | _[JWTProvider](#jwtprovider) array_ | true | | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | #### JWTClaim @@ -2363,11 +2363,11 @@ JWTClaim specifies a claim in a JWT token. _Appears in:_ - [JWTPrincipal](#jwtprincipal) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | -| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | -| `values` | _string array_ | true | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | +| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | String | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | +| `values` | _string array_ | true | | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | #### JWTClaimValueType @@ -2396,11 +2396,11 @@ If any value extracted is found to be an invalid JWT, a 401 error will be return _Appears in:_ - [JWTProvider](#jwtprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `headers` | _[JWTHeaderExtractor](#jwtheaderextractor) array_ | false | Headers represents a list of HTTP request headers to extract the JWT token from. | -| `cookies` | _string array_ | false | Cookies represents a list of cookie names to extract the JWT token from. | -| `params` | _string array_ | false | Params represents a list of query parameters to extract the JWT token from. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `headers` | _[JWTHeaderExtractor](#jwtheaderextractor) array_ | false | | Headers represents a list of HTTP request headers to extract the JWT token from. | +| `cookies` | _string array_ | false | | Cookies represents a list of cookie names to extract the JWT token from. | +| `params` | _string array_ | false | | Params represents a list of query parameters to extract the JWT token from. | #### JWTHeaderExtractor @@ -2412,10 +2412,10 @@ JWTHeaderExtractor defines an HTTP header location to extract JWT token _Appears in:_ - [JWTExtractor](#jwtextractor) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name is the HTTP header name to retrieve the token | -| `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name is the HTTP header name to retrieve the token | +| `valuePrefix` | _string_ | false | | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | #### JWTPrincipal @@ -2429,11 +2429,11 @@ Claims and scopes are And-ed together if both are specified. _Appears in:_ - [Principal](#principal) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | -| `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | -| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `provider` | _string_ | true | | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | +| `claims` | _[JWTClaim](#jwtclaim) array_ | false | | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | #### JWTProvider @@ -2445,15 +2445,15 @@ JWTProvider defines how a JSON Web Token (JWT) can be verified. _Appears in:_ - [JWT](#jwt) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name defines a unique name for the JWT provider. A name can have a variety of forms,
including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. | -| `issuer` | _string_ | false | Issuer is the principal that issued the JWT and takes the form of a URL or email address.
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
the JWT issuer is not checked. | -| `audiences` | _string array_ | false | Audiences is a list of JWT audiences allowed access. For additional details, see
https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
are not checked. | -| `remoteJWKS` | _[RemoteJWKS](#remotejwks)_ | true | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
HTTP/HTTPS endpoint. | -| `claimToHeaders` | _[ClaimToHeader](#claimtoheader) array_ | false | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
For examples, following config:
The claim must be of type; string, int, double, bool. Array type claims are not supported | -| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers generated from the claim are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | -| `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name defines a unique name for the JWT provider. A name can have a variety of forms,
including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. | +| `issuer` | _string_ | false | | Issuer is the principal that issued the JWT and takes the form of a URL or email address.
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
the JWT issuer is not checked. | +| `audiences` | _string array_ | false | | Audiences is a list of JWT audiences allowed access. For additional details, see
https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
are not checked. | +| `remoteJWKS` | _[RemoteJWKS](#remotejwks)_ | true | | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
HTTP/HTTPS endpoint. | +| `claimToHeaders` | _[ClaimToHeader](#claimtoheader) array_ | false | | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
For examples, following config:
The claim must be of type; string, int, double, bool. Array type claims are not supported | +| `recomputeRoute` | _boolean_ | false | | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers generated from the claim are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | +| `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | #### JWTScope @@ -2477,13 +2477,13 @@ _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) - [KubernetesDeploymentSpec](#kubernetesdeploymentspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `env` | _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#envvar-v1-core) array_ | false | List of environment variables to set in the container. | -| `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourcerequirements-v1-core)_ | false | Resources required by this container.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#securitycontext-v1-core)_ | false | SecurityContext defines the security options the container should be run with.
If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | -| `image` | _string_ | false | Image specifies the EnvoyProxy container image to be used, instead of the default image. | -| `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volumemount-v1-core) array_ | false | VolumeMounts are volumes to mount into the container's filesystem.
Cannot be updated. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `env` | _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#envvar-v1-core) array_ | false | | List of environment variables to set in the container. | +| `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourcerequirements-v1-core)_ | false | | Resources required by this container.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#securitycontext-v1-core)_ | false | | SecurityContext defines the security options the container should be run with.
If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| `image` | _string_ | false | | Image specifies the EnvoyProxy container image to be used, instead of the default image. | +| `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volumemount-v1-core) array_ | false | | VolumeMounts are volumes to mount into the container's filesystem.
Cannot be updated. | #### KubernetesDaemonSetSpec @@ -2495,13 +2495,13 @@ KubernetesDaemonSetSpec defines the desired state of the Kubernetes daemonset re _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to daemonset | -| `strategy` | _[DaemonSetUpdateStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#daemonsetupdatestrategy-v1-apps)_ | false | The daemonset strategy to use to replace existing pods with new ones. | -| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | Pod defines the desired specification of pod. | -| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. | -| `name` | _string_ | false | Name of the daemonSet.
When unset, this defaults to an autogenerated name. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to daemonset | +| `strategy` | _[DaemonSetUpdateStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#daemonsetupdatestrategy-v1-apps)_ | false | | The daemonset strategy to use to replace existing pods with new ones. | +| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | | Pod defines the desired specification of pod. | +| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | | Container defines the desired specification of main container. | +| `name` | _string_ | false | | Name of the daemonSet.
When unset, this defaults to an autogenerated name. | #### KubernetesDeployMode @@ -2514,9 +2514,9 @@ data plane fleet. _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[KubernetesDeployModeType](#kubernetesdeploymodetype)_ | false | Type indicates what deployment mode to use. "ControllerNamespace" and
"GatewayNamespace" are currently supported.
By default, when this field is unset or empty, Envoy Gateway will deploy Envoy Proxy fleet in the Controller namespace. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[KubernetesDeployModeType](#kubernetesdeploymodetype)_ | false | ControllerNamespace | Type indicates what deployment mode to use. "ControllerNamespace" and
"GatewayNamespace" are currently supported.
By default, when this field is unset or empty, Envoy Gateway will deploy Envoy Proxy fleet in the Controller namespace. | #### KubernetesDeployModeType @@ -2540,15 +2540,15 @@ _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to deployment | -| `replicas` | _integer_ | false | Replicas is the number of desired pods. Defaults to 1. | -| `strategy` | _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#deploymentstrategy-v1-apps)_ | false | The deployment strategy to use to replace existing pods with new ones. | -| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | Pod defines the desired specification of pod. | -| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. | -| `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#container-v1-core) array_ | false | List of initialization containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | -| `name` | _string_ | false | Name of the deployment.
When unset, this defaults to an autogenerated name. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to deployment | +| `replicas` | _integer_ | false | | Replicas is the number of desired pods. Defaults to 1. | +| `strategy` | _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#deploymentstrategy-v1-apps)_ | false | | The deployment strategy to use to replace existing pods with new ones. | +| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | | Pod defines the desired specification of pod. | +| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | | Container defines the desired specification of main container. | +| `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#container-v1-core) array_ | false | | List of initialization containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | +| `name` | _string_ | false | | Name of the deployment.
When unset, this defaults to an autogenerated name. | #### KubernetesHorizontalPodAutoscalerSpec @@ -2564,13 +2564,13 @@ _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `minReplicas` | _integer_ | false | minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 replica. | -| `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | -| `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | -| `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the HorizontalPodAutoscaler | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `minReplicas` | _integer_ | false | | minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 replica. | +| `maxReplicas` | _integer_ | true | | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | +| `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#metricspec-v2-autoscaling) array_ | false | | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | +| `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to the HorizontalPodAutoscaler | #### KubernetesPatchSpec @@ -2588,10 +2588,10 @@ _Appears in:_ - [KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec) - [KubernetesServiceSpec](#kubernetesservicespec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[MergeType](#mergetype)_ | false | Type is the type of merge operation to perform

By default, StrategicMerge is used as the patch type. | -| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | true | Object contains the raw configuration for merged object | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[MergeType](#mergetype)_ | false | | Type is the type of merge operation to perform

By default, StrategicMerge is used as the patch type. | +| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | true | | Object contains the raw configuration for merged object | #### KubernetesPodDisruptionBudgetSpec @@ -2603,10 +2603,10 @@ KubernetesPodDisruptionBudgetSpec defines Kubernetes PodDisruptionBudget setting _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `minAvailable` | _integer_ | false | MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
and resilience during maintenance operations. | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the PodDisruptionBudget | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `minAvailable` | _integer_ | false | | MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
and resilience during maintenance operations. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to the PodDisruptionBudget | #### KubernetesPodSpec @@ -2619,17 +2619,17 @@ _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) - [KubernetesDeploymentSpec](#kubernetesdeploymentspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `annotations` | _object (keys:string, values:string)_ | false | Annotations are the annotations that should be appended to the pods.
By default, no pod annotations are appended. | -| `labels` | _object (keys:string, values:string)_ | false | Labels are the additional labels that should be tagged to the pods.
By default, no additional pod labels are tagged. | -| `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podsecuritycontext-v1-core)_ | false | SecurityContext holds pod-level security attributes and common container settings.
Optional: Defaults to empty. See type description for default values of each field. | -| `affinity` | _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#affinity-v1-core)_ | false | If specified, the pod's scheduling constraints. | -| `tolerations` | _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#toleration-v1-core) array_ | false | If specified, the pod's tolerations. | -| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volume-v1-core) array_ | false | Volumes that can be mounted by containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes | -| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#localobjectreference-v1-core) array_ | false | ImagePullSecrets is an optional list of references to secrets
in the same namespace to use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual puller implementations for them to use.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod | -| `nodeSelector` | _object (keys:string, values:string)_ | false | NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | -| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ | false | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `annotations` | _object (keys:string, values:string)_ | false | | Annotations are the annotations that should be appended to the pods.
By default, no pod annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | | Labels are the additional labels that should be tagged to the pods.
By default, no additional pod labels are tagged. | +| `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podsecuritycontext-v1-core)_ | false | | SecurityContext holds pod-level security attributes and common container settings.
Optional: Defaults to empty. See type description for default values of each field. | +| `affinity` | _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#affinity-v1-core)_ | false | | If specified, the pod's scheduling constraints. | +| `tolerations` | _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#toleration-v1-core) array_ | false | | If specified, the pod's tolerations. | +| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volume-v1-core) array_ | false | | Volumes that can be mounted by containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes | +| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#localobjectreference-v1-core) array_ | false | | ImagePullSecrets is an optional list of references to secrets
in the same namespace to use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual puller implementations for them to use.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod | +| `nodeSelector` | _object (keys:string, values:string)_ | false | | NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ | false | | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. | #### KubernetesServiceSpec @@ -2641,18 +2641,18 @@ KubernetesServiceSpec defines the desired state of the Kubernetes service resour _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. | -| `labels` | _object (keys:string, values:string)_ | false | Labels that should be appended to the service.
By default, no labels are appended. | -| `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | -| `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | -| `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | -| `loadBalancerSourceRanges` | _string array_ | false | LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
firewall rules on the platform providers load balancer. This is not guaranteed to be working as
it happens outside of kubernetes and has to be supported and handled by the platform provider.
This field may only be set for services with type LoadBalancer and will be cleared if the type
is changed to any other type. | -| `loadBalancerIP` | _string_ | false | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
may be ignored if the load balancer provider does not support this feature.
This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
providers such as GCP. | -| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the service | -| `name` | _string_ | false | Name of the service.
When unset, this defaults to an autogenerated name. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `annotations` | _object (keys:string, values:string)_ | false | | Annotations that should be appended to the service.
By default, no annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | | Labels that should be appended to the service.
By default, no labels are appended. | +| `type` | _[ServiceType](#servicetype)_ | false | LoadBalancer | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | +| `loadBalancerClass` | _string_ | false | | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | +| `allocateLoadBalancerNodePorts` | _boolean_ | false | | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | +| `loadBalancerSourceRanges` | _string array_ | false | | LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
firewall rules on the platform providers load balancer. This is not guaranteed to be working as
it happens outside of kubernetes and has to be supported and handled by the platform provider.
This field may only be set for services with type LoadBalancer and will be cleared if the type
is changed to any other type. | +| `loadBalancerIP` | _string_ | false | | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
may be ignored if the load balancer provider does not support this feature.
This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
providers such as GCP. | +| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | Local | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to the service | +| `name` | _string_ | false | | Name of the service.
When unset, this defaults to an autogenerated name. | #### KubernetesWatchMode @@ -2664,11 +2664,11 @@ KubernetesWatchMode holds the configuration for which input resources to watch a _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
KubernetesWatchModeTypeNamespaceSelector are currently supported
By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
from all namespaces. | -| `namespaces` | _string array_ | true | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
resources such as Gateway, HTTPRoute and Service.
Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. | -| `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#labelselector-v1-meta)_ | true | NamespaceSelector holds the label selector used to dynamically select namespaces.
Envoy Gateway will watch for namespaces matching the specified label selector.
Precisely one of Namespaces and NamespaceSelector must be set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
KubernetesWatchModeTypeNamespaceSelector are currently supported
By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
from all namespaces. | +| `namespaces` | _string array_ | true | | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
resources such as Gateway, HTTPRoute and Service.
Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. | +| `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#labelselector-v1-meta)_ | true | | NamespaceSelector holds the label selector used to dynamically select namespaces.
Envoy Gateway will watch for namespaces matching the specified label selector.
Precisely one of Namespaces and NamespaceSelector must be set. | #### KubernetesWatchModeType @@ -2691,12 +2691,12 @@ LeaderElection defines the desired leader election settings. _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `leaseDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. | -| `renewDeadline` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. | -| `retryPeriod` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | -| `disable` | _boolean_ | true | Disable provides the option to turn off leader election, which is enabled by default. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `leaseDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. | +| `renewDeadline` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. | +| `retryPeriod` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | +| `disable` | _boolean_ | true | | Disable provides the option to turn off leader election, which is enabled by default. | #### LiteralCustomTag @@ -2708,9 +2708,9 @@ LiteralCustomTag adds hard-coded value to each span. _Appears in:_ - [CustomTag](#customtag) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `value` | _string_ | true | Value defines the hard-coded value to add to each span. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `value` | _string_ | true | | Value defines the hard-coded value to add to each span. | #### LoadBalancer @@ -2723,11 +2723,11 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | -| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | -| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | +| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | +| `slowStart` | _[SlowStart](#slowstart)_ | false | | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2756,9 +2756,9 @@ LocalRateLimit defines local rate limit configuration. _Appears in:_ - [RateLimitSpec](#ratelimitspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. | #### LogLevel @@ -2789,11 +2789,11 @@ Only one of Inline or ValueRef must be set _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[LuaValueType](#luavaluetype)_ | true | Type is the type of method to use to read the Lua value.
Valid values are Inline and ValueRef, default is Inline. | -| `inline` | _string_ | false | Inline contains the source code as an inline string. | -| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef has the source code specified as a local object reference.
Only a reference to ConfigMap is supported.
The value of key `lua` in the ConfigMap will be used.
If the key is not found, the first value in the ConfigMap will be used. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[LuaValueType](#luavaluetype)_ | true | Inline | Type is the type of method to use to read the Lua value.
Valid values are Inline and ValueRef, default is Inline. | +| `inline` | _string_ | false | | Inline contains the source code as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | | ValueRef has the source code specified as a local object reference.
Only a reference to ConfigMap is supported.
The value of key `lua` in the ConfigMap will be used.
If the key is not found, the first value in the ConfigMap will be used. | #### LuaValueType @@ -2850,21 +2850,21 @@ OIDC defines the configuration for the OpenID Connect (OIDC) authentication. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `provider` | _[OIDCProvider](#oidcprovider)_ | true | The OIDC Provider configuration. | -| `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | -| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | -| `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | -| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | -| `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | -| `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | -| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | -| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.

If not specified, uses a default logout path "/logout" | -| `forwardAccessToken` | _boolean_ | false | ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false. | -| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.

If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail. | -| `refreshToken` | _boolean_ | false | RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.

If not specified, defaults to false. | -| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.

If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `provider` | _[OIDCProvider](#oidcprovider)_ | true | | The OIDC Provider configuration. | +| `clientID` | _string_ | true | | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | +| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | +| `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | +| `cookieDomain` | _string_ | false | | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | +| `scopes` | _string array_ | false | | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | +| `resources` | _string array_ | false | | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | +| `redirectURL` | _string_ | true | | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | +| `logoutPath` | _string_ | true | | The path to log a user out, clearing their credential cookies.

If not specified, uses a default logout path "/logout" | +| `forwardAccessToken` | _boolean_ | false | | ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false. | +| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.

If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail. | +| `refreshToken` | _boolean_ | false | | RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.

If not specified, defaults to false. | +| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.

If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true. | #### OIDCCookieNames @@ -2876,10 +2876,10 @@ OIDCCookieNames defines the names of cookies to use in the Envoy OIDC filter. _Appears in:_ - [OIDC](#oidc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `accessToken` | _string_ | false | The name of the cookie used to store the AccessToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "AccessToken-(randomly generated uid)" | -| `idToken` | _string_ | false | The name of the cookie used to store the IdToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "IdToken-(randomly generated uid)" | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `accessToken` | _string_ | false | | The name of the cookie used to store the AccessToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "AccessToken-(randomly generated uid)" | +| `idToken` | _string_ | false | | The name of the cookie used to store the IdToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "IdToken-(randomly generated uid)" | #### OIDCProvider @@ -2891,14 +2891,14 @@ OIDCProvider defines the OIDC Provider configuration. _Appears in:_ - [OIDC](#oidc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | -| `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | -| `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `issuer` | _string_ | true | | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | +| `authorizationEndpoint` | _string_ | false | | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | +| `tokenEndpoint` | _string_ | false | | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | #### OpenTelemetryEnvoyProxyAccessLog @@ -2910,14 +2910,14 @@ OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink. _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | -| `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | -| `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `host` | _string_ | false | | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | 4317 | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | +| `resources` | _object (keys:string, values:string)_ | false | | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | #### Origin @@ -2954,15 +2954,15 @@ see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/out _Appears in:_ - [HealthCheck](#healthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `splitExternalLocalOriginErrors` | _boolean_ | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. | -| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Interval defines the time between passive health checks. | -| `consecutiveLocalOriginFailures` | _integer_ | false | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. | -| `consecutiveGatewayErrors` | _integer_ | false | ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection. | -| `consecutive5XxErrors` | _integer_ | false | Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection. | -| `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | -| `maxEjectionPercent` | _integer_ | false | MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `splitExternalLocalOriginErrors` | _boolean_ | false | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. | +| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 3s | Interval defines the time between passive health checks. | +| `consecutiveLocalOriginFailures` | _integer_ | false | 5 | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. | +| `consecutiveGatewayErrors` | _integer_ | false | 0 | ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection. | +| `consecutive5XxErrors` | _integer_ | false | 5 | Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection. | +| `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 30s | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | +| `maxEjectionPercent` | _integer_ | false | 10 | MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. | #### PathEscapedSlashAction @@ -2992,10 +2992,10 @@ PathSettings provides settings that managing how the incoming path set by client _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect. | -| `disableMergeSlashes` | _boolean_ | false | DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect. | +| `disableMergeSlashes` | _boolean_ | false | | DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience. | #### PerRetryPolicy @@ -3007,10 +3007,10 @@ _Appears in:_ _Appears in:_ - [Retry](#retry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout is the timeout per retry attempt. | -| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | Timeout is the timeout per retry attempt. | +| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | #### PolicyTargetReferences @@ -3025,11 +3025,11 @@ _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | #### Principal @@ -3041,10 +3041,10 @@ If there are multiple principal types, all principals must match for the rule to _Appears in:_ - [AuthorizationRule](#authorizationrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | -| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientCIDRs` | _[CIDR](#cidr) array_ | false | | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | #### ProcessingModeOptions @@ -3057,10 +3057,10 @@ and which attributes are sent to the processor _Appears in:_ - [ExtProcProcessingMode](#extprocprocessingmode) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | -| `attributes` | _string array_ | false | Defines which attributes are sent to the external processor. Envoy Gateway currently
supports only the following attribute prefixes: connection, source, destination,
request, response, upstream and xds.route.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | | Defines body processing mode | +| `attributes` | _string array_ | false | | Defines which attributes are sent to the external processor. Envoy Gateway currently
supports only the following attribute prefixes: connection, source, destination,
request, response, upstream and xds.route.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes | #### ProviderType @@ -3088,10 +3088,10 @@ _Appears in:_ _Appears in:_ - [ProxyTelemetry](#proxytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable disables access logging for managed proxies if set to true. | -| `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | Settings defines accesslog settings for managed proxies.
If unspecified, will send default format to stdout. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable disables access logging for managed proxies if set to true. | +| `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | | Settings defines accesslog settings for managed proxies.
If unspecified, will send default format to stdout. | #### ProxyAccessLogFormat @@ -3104,11 +3104,11 @@ By default accesslogs are written to standard output. _Appears in:_ - [ProxyAccessLogSetting](#proxyaccesslogsetting) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProxyAccessLogFormatType](#proxyaccesslogformattype)_ | true | Type defines the type of accesslog format. | -| `text` | _string_ | false | Text defines the text accesslog format, following Envoy accesslog formatting,
It's required when the format type is "Text".
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. | -| `json` | _object (keys:string, values:string)_ | false | JSON is additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON". | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProxyAccessLogFormatType](#proxyaccesslogformattype)_ | true | | Type defines the type of accesslog format. | +| `text` | _string_ | false | | Text defines the text accesslog format, following Envoy accesslog formatting,
It's required when the format type is "Text".
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. | +| `json` | _object (keys:string, values:string)_ | false | | JSON is additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON". | #### ProxyAccessLogFormatType @@ -3135,12 +3135,12 @@ _Appears in:_ _Appears in:_ - [ProxyAccessLog](#proxyaccesslog) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | -| `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | -| `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | -| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | +| `matches` | _string array_ | true | | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | +| `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | | Sinks defines the sinks of accesslog. | +| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | #### ProxyAccessLogSink @@ -3152,12 +3152,12 @@ ProxyAccessLogSink defines the sink of accesslog. _Appears in:_ - [ProxyAccessLogSetting](#proxyaccesslogsetting) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProxyAccessLogSinkType](#proxyaccesslogsinktype)_ | true | Type defines the type of accesslog sink. | -| `als` | _[ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog)_ | false | ALS defines the gRPC Access Log Service (ALS) sink. | -| `file` | _[FileEnvoyProxyAccessLog](#fileenvoyproxyaccesslog)_ | false | File defines the file accesslog sink. | -| `openTelemetry` | _[OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog)_ | false | OpenTelemetry defines the OpenTelemetry accesslog sink. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProxyAccessLogSinkType](#proxyaccesslogsinktype)_ | true | | Type defines the type of accesslog sink. | +| `als` | _[ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog)_ | false | | ALS defines the gRPC Access Log Service (ALS) sink. | +| `file` | _[FileEnvoyProxyAccessLog](#fileenvoyproxyaccesslog)_ | false | | File defines the file accesslog sink. | +| `openTelemetry` | _[OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog)_ | false | | OpenTelemetry defines the OpenTelemetry accesslog sink. | #### ProxyAccessLogSinkType @@ -3200,11 +3200,11 @@ ProxyBootstrap defines Envoy Bootstrap configuration. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | -| `value` | _string_ | false | Value is a YAML string of the bootstrap. | -| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[BootstrapType](#bootstraptype)_ | false | Replace | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | +| `value` | _string_ | false | | Value is a YAML string of the bootstrap. | +| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | #### ProxyLogComponent @@ -3239,9 +3239,9 @@ ProxyLogging defines logging parameters for managed proxies. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | \{ default:warn \} | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". | #### ProxyMetricSink @@ -3254,10 +3254,10 @@ Default metrics sink is OpenTelemetry. _Appears in:_ - [ProxyMetrics](#proxymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG currently only supports OpenTelemetry. | -| `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[MetricSinkType](#metricsinktype)_ | true | OpenTelemetry | Type defines the metric sink type.
EG currently only supports OpenTelemetry. | +| `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | #### ProxyMetrics @@ -3269,14 +3269,14 @@ _Appears in:_ _Appears in:_ - [ProxyTelemetry](#proxytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | -| `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | -| `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | -| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | -| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | -| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | +| `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | | Sinks defines the metric sinks where metrics are sent to. | +| `matches` | _[StringMatch](#stringmatch) array_ | true | | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | +| `enableVirtualHostStats` | _boolean_ | false | | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | #### ProxyOpenTelemetrySink @@ -3288,13 +3288,13 @@ ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink. _Appears in:_ - [ProxyMetricSink](#proxymetricsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | -| `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `host` | _string_ | false | | Host define the service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | 4317 | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | #### ProxyPrometheusProvider @@ -3306,10 +3306,10 @@ _Appears in:_ _Appears in:_ - [ProxyMetrics](#proxymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | -| `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable the Prometheus endpoint. | +| `compression` | _[Compression](#compression)_ | false | | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | #### ProxyProtocol @@ -3323,9 +3323,9 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3352,11 +3352,11 @@ _Appears in:_ _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | AccessLogs defines accesslog parameters for managed proxies.
If unspecified, will send default format to stdout. | -| `tracing` | _[ProxyTracing](#proxytracing)_ | false | Tracing defines tracing configuration for managed proxies.
If unspecified, will not send tracing data. | -| `metrics` | _[ProxyMetrics](#proxymetrics)_ | true | Metrics defines metrics configuration for managed proxies. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | | AccessLogs defines accesslog parameters for managed proxies.
If unspecified, will send default format to stdout. | +| `tracing` | _[ProxyTracing](#proxytracing)_ | false | | Tracing defines tracing configuration for managed proxies.
If unspecified, will not send tracing data. | +| `metrics` | _[ProxyMetrics](#proxymetrics)_ | true | | Metrics defines metrics configuration for managed proxies. | #### ProxyTracing @@ -3368,11 +3368,11 @@ _Appears in:_ _Appears in:_ - [ProxyTelemetry](#proxytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | -| `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | CustomTags defines the custom tags to add to each span.
If provider is kubernetes, pod name and namespace are added by default. | -| `provider` | _[TracingProvider](#tracingprovider)_ | true | Provider defines the tracing provider. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `samplingRate` | _integer_ | false | 100 | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | +| `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | | CustomTags defines the custom tags to add to each span.
If provider is kubernetes, pod name and namespace are added by default. | +| `provider` | _[TracingProvider](#tracingprovider)_ | true | | Provider defines the tracing provider. | #### RateLimit @@ -3386,12 +3386,12 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | -| `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. | -| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | Telemetry defines telemetry configuration for RateLimit. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | +| `failClosed` | _boolean_ | true | | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. | +| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | | Telemetry defines telemetry configuration for RateLimit. | #### RateLimitCost @@ -3403,8 +3403,8 @@ _Appears in:_ _Appears in:_ - [RateLimitRule](#ratelimitrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | #### RateLimitCostFrom @@ -3432,10 +3432,10 @@ RateLimitCostMetadata specifies the filter metadata to retrieve the usage number _Appears in:_ - [RateLimitCostSpecifier](#ratelimitcostspecifier) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `namespace` | _string_ | true | Namespace is the namespace of the dynamic metadata. | -| `key` | _string_ | true | Key is the key to retrieve the usage number from the filter metadata. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `namespace` | _string_ | true | | Namespace is the namespace of the dynamic metadata. | +| `key` | _string_ | true | | Key is the key to retrieve the usage number from the filter metadata. | #### RateLimitCostSpecifier @@ -3447,9 +3447,9 @@ RateLimitCostSpecifier specifies where the Envoy retrieves the number to reduce _Appears in:_ - [RateLimitCost](#ratelimitcost) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `from` | _[RateLimitCostFrom](#ratelimitcostfrom)_ | true | From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `from` | _[RateLimitCostFrom](#ratelimitcostfrom)_ | true | | From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported. | #### RateLimitDatabaseBackend 
@@ -3462,10 +3462,10 @@ the database backend used by the rate limit service. _Appears in:_ - [RateLimit](#ratelimit) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | Type is the type of database backend to use. Supported types are:
* Redis: Connects to a Redis database. | -| `redis` | _[RateLimitRedisSettings](#ratelimitredissettings)_ | false | Redis defines the settings needed to connect to a Redis database. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | | Type is the type of database backend to use. Supported types are:
* Redis: Connects to a Redis database. | +| `redis` | _[RateLimitRedisSettings](#ratelimitredissettings)_ | false | | Redis defines the settings needed to connect to a Redis database. | #### RateLimitDatabaseBackendType @@ -3492,9 +3492,9 @@ _Appears in:_ _Appears in:_ - [RateLimitTelemetry](#ratelimittelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | | Prometheus defines the configuration for prometheus endpoint. | #### RateLimitMetricsPrometheusProvider @@ -3506,9 +3506,9 @@ _Appears in:_ _Appears in:_ - [RateLimitMetrics](#ratelimitmetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable the Prometheus endpoint. | #### RateLimitRedisSettings @@ -3520,10 +3520,10 @@ RateLimitRedisSettings defines the configuration for connecting to redis databas _Appears in:_ - [RateLimitDatabaseBackend](#ratelimitdatabasebackend) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `url` | _string_ | true | URL of the Redis Database. | -| `tls` | _[RedisTLSSettings](#redistlssettings)_ | false | TLS defines TLS configuration for connecting to redis database. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `url` | _string_ | true | | URL of the Redis Database. | +| `tls` | _[RedisTLSSettings](#redistlssettings)_ | false | | TLS defines TLS configuration for connecting to redis database. | #### RateLimitRule 
@@ -3537,10 +3537,10 @@ _Appears in:_ - [GlobalRateLimit](#globalratelimit) - [LocalRateLimit](#localratelimit) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | ClientSelectors holds the list of select conditions to select
specific clients using attributes from the traffic flow.
All individual select conditions must hold True for this rule
and its limit to be applied.

If no client selectors are specified, the rule applies to all traffic of
the targeted Route.

If the policy targets a Gateway, the rule applies to each Route of the Gateway.
Please note that each Route has its own rate limit counters. For example,
if a Gateway has two Routes, and the policy has a rule with limit 10rps,
each Route will have its own 10rps limit. | -| `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | Limit holds the rate limit values.
This limit is applied for traffic flows when the selectors
compute to True, causing the request to be counted towards the limit.
The limit is enforced and the request is ratelimited, i.e. a response with
429 HTTP status code is sent back to the client when
the selected requests have reached the limit. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | | ClientSelectors holds the list of select conditions to select
specific clients using attributes from the traffic flow.
All individual select conditions must hold True for this rule
and its limit to be applied.

If no client selectors are specified, the rule applies to all traffic of
the targeted Route.

If the policy targets a Gateway, the rule applies to each Route of the Gateway.
Please note that each Route has its own rate limit counters. For example,
if a Gateway has two Routes, and the policy has a rule with limit 10rps,
each Route will have its own 10rps limit. | +| `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | | Limit holds the rate limit values.
This limit is applied for traffic flows when the selectors
compute to True, causing the request to be counted towards the limit.
The limit is enforced and the request is ratelimited, i.e. a response with
429 HTTP status code is sent back to the client when
the selected requests have reached the limit. | #### RateLimitSelectCondition @@ -3554,10 +3554,10 @@ All the individual conditions must hold True for the overall condition to hold T _Appears in:_ - [RateLimitRule](#ratelimitrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `headers` | _[HeaderMatch](#headermatch) array_ | false | Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
At least one of headers or sourceCIDR condition must be specified. | -| `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | SourceCIDR is the client IP Address range to match on.
At least one of headers or sourceCIDR condition must be specified. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `headers` | _[HeaderMatch](#headermatch) array_ | false | | Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
At least one of headers or sourceCIDR condition must be specified. | +| `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | | SourceCIDR is the client IP Address range to match on.
At least one of headers or sourceCIDR condition must be specified. | #### RateLimitSpec @@ -3569,11 +3569,11 @@ RateLimitSpec defines the desired state of RateLimitSpec. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[RateLimitType](#ratelimittype)_ | true | Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local". | -| `global` | _[GlobalRateLimit](#globalratelimit)_ | false | Global defines global rate limit configuration. | -| `local` | _[LocalRateLimit](#localratelimit)_ | false | Local defines local rate limit configuration. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[RateLimitType](#ratelimittype)_ | true | | Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local". | +| `global` | _[GlobalRateLimit](#globalratelimit)_ | false | | Global defines global rate limit configuration. | +| `local` | _[LocalRateLimit](#localratelimit)_ | false | | Local defines local rate limit configuration. | #### RateLimitTelemetry @@ -3585,10 +3585,10 @@ _Appears in:_ _Appears in:_ - [RateLimit](#ratelimit) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | Metrics defines metrics configuration for RateLimit. | -| `tracing` | _[RateLimitTracing](#ratelimittracing)_ | true | Tracing defines traces configuration for RateLimit. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | | Metrics defines metrics configuration for RateLimit. | +| `tracing` | _[RateLimitTracing](#ratelimittracing)_ | true | | Tracing defines traces configuration for RateLimit. | #### RateLimitTracing @@ -3600,10 +3600,10 @@ _Appears in:_ _Appears in:_ - [RateLimitTelemetry](#ratelimittelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | -| `provider` | _[RateLimitTracingProvider](#ratelimittracingprovider)_ | true | Provider defines the rateLimit tracing provider.
Only OpenTelemetry is supported currently. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `samplingRate` | _integer_ | false | | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | +| `provider` | _[RateLimitTracingProvider](#ratelimittracingprovider)_ | true | | Provider defines the rateLimit tracing provider.
Only OpenTelemetry is supported currently. | #### RateLimitTracingProvider @@ -3615,10 +3615,10 @@ RateLimitTracingProvider defines the tracing provider configuration of RateLimit _Appears in:_ - [RateLimitTracing](#ratelimittracing) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[RateLimitTracingProviderType](#ratelimittracingprovidertype)_ | true | Type defines the tracing provider type.
Since to RateLimit Exporter currently using OpenTelemetry, only OpenTelemetry is supported | -| `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[RateLimitTracingProviderType](#ratelimittracingprovidertype)_ | true | | Type defines the tracing provider type.
Since to RateLimit Exporter currently using OpenTelemetry, only OpenTelemetry is supported | +| `url` | _string_ | true | | URL is the endpoint of the trace collector that supports the OTLP protocol | #### RateLimitTracingProviderType @@ -3674,10 +3674,10 @@ RateLimitValue defines the limits for rate limiting. _Appears in:_ - [RateLimitRule](#ratelimitrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `requests` | _integer_ | true | | -| `unit` | _[RateLimitUnit](#ratelimitunit)_ | true | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `requests` | _integer_ | true | | | +| `unit` | _[RateLimitUnit](#ratelimitunit)_ | true | | | #### RedisTLSSettings @@ -3689,9 +3689,9 @@ RedisTLSSettings defines the TLS configuration for connecting to redis database. _Appears in:_ - [RateLimitRedisSettings](#ratelimitredissettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. | #### RemoteJWKS @@ -3704,9 +3704,9 @@ HTTP/HTTPS endpoint. _Appears in:_ - [JWTProvider](#jwtprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `uri` | _string_ | true | | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | #### ReplaceRegexMatch @@ -3718,10 +3718,10 @@ _Appears in:_ _Appears in:_ - [HTTPPathModifier](#httppathmodifier) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `pattern` | _string_ | true | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | -| `substitution` | _string_ | true | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `pattern` | _string_ | true | | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | +| `substitution` | _string_ | true | | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | #### RequestHeaderCustomTag @@ -3733,10 +3733,10 @@ RequestHeaderCustomTag adds value from request header to each span. _Appears in:_ - [CustomTag](#customtag) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name defines the name of the request header which to extract the value from. | -| `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the request header is not set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name defines the name of the request header which to extract the value from. | +| `defaultValue` | _string_ | false | | DefaultValue defines the default value to use if the request header is not set. | #### ResourceProviderType @@ -3762,10 +3762,10 @@ ResponseOverride defines the configuration to override specific responses with a _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | -| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | | Response configuration. | #### ResponseValueType 
@@ -3793,11 +3793,11 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | -| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | -| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `numRetries` | _integer_ | false | 2 | NumRetries is the number of retries to be attempted. Defaults to 2. | +| `retryOn` | _[RetryOn](#retryon)_ | false | | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | +| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn @@ -3809,10 +3809,10 @@ _Appears in:_ _Appears in:_ - [Retry](#retry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `triggers` | _[TriggerEnum](#triggerenum) array_ | false | Triggers specifies the retry trigger condition(Http/Grpc). | -| `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `triggers` | _[TriggerEnum](#triggerenum) array_ | false | | Triggers specifies the retry trigger condition(Http/Grpc). | +| `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. | #### RoutingType @@ -3839,13 +3839,13 @@ Gateway. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`SecurityPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[SecurityPolicySpec](#securitypolicyspec)_ | true | Spec defines the desired state of SecurityPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[SecurityPolicySpec](#securitypolicyspec)_ | true | | Spec defines the desired state of SecurityPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of SecurityPolicy. | #### SecurityPolicySpec @@ -3857,17 +3857,17 @@ SecurityPolicySpec defines the desired state of SecurityPolicy. _Appears in:_ - [SecurityPolicy](#securitypolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `cors` | _[CORS](#cors)_ | false | CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | -| `basicAuth` | _[BasicAuth](#basicauth)_ | false | BasicAuth defines the configuration for the HTTP Basic Authentication. | -| `jwt` | _[JWT](#jwt)_ | false | JWT defines the configuration for JSON Web Token (JWT) authentication. | -| `oidc` | _[OIDC](#oidc)_ | false | OIDC defines the configuration for the OpenID Connect (OIDC) authentication. | -| `extAuth` | _[ExtAuth](#extauth)_ | false | ExtAuth defines the configuration for External Authorization. | -| `authorization` | _[Authorization](#authorization)_ | false | Authorization defines the authorization configuration. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `cors` | _[CORS](#cors)_ | false | | CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | +| `basicAuth` | _[BasicAuth](#basicauth)_ | false | | BasicAuth defines the configuration for the HTTP Basic Authentication. | +| `jwt` | _[JWT](#jwt)_ | false | | JWT defines the configuration for JSON Web Token (JWT) authentication. | +| `oidc` | _[OIDC](#oidc)_ | false | | OIDC defines the configuration for the OpenID Connect (OIDC) authentication. | +| `extAuth` | _[ExtAuth](#extauth)_ | false | | ExtAuth defines the configuration for External Authorization. | +| `authorization` | _[Authorization](#authorization)_ | false | | Authorization defines the authorization configuration. | #### ServiceExternalTrafficPolicy @@ -3912,9 +3912,9 @@ Session defines settings related to TLS session management. _Appears in:_ - [ClientTLSSettings](#clienttlssettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `resumption` | _[SessionResumption](#sessionresumption)_ | false | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `resumption` | _[SessionResumption](#sessionresumption)_ | false | | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | #### SessionResumption @@ -3926,10 +3926,10 @@ SessionResumption defines supported tls session resumption methods and their ass _Appears in:_ - [Session](#session) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | Stateless defines setting for stateless (session-ticket based) session resumption | -| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | Stateful defines setting for stateful (session-id based) session resumption | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | | Stateless defines setting for stateless (session-ticket based) session resumption | +| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | | Stateful defines setting for stateful (session-id based) session resumption | #### ShutdownConfig @@ -3941,10 +3941,10 @@ ShutdownConfig defines configuration for graceful envoy shutdown process. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | -| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | +| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | #### ShutdownManager @@ -3956,9 +3956,9 @@ ShutdownManager defines the configuration for the shutdown manager. _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `image` | _string_ | true | Image specifies the ShutdownManager container image to be used, instead of the default image. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `image` | _string_ | true | | Image specifies the ShutdownManager container image to be used, instead of the default image. | #### SlowStart @@ -3970,9 +3970,9 @@ SlowStart defines the configuration related to the slow start load balancer poli _Appears in:_ - [LoadBalancer](#loadbalancer) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | #### SourceMatch @@ -3984,10 +3984,10 @@ _Appears in:_ _Appears in:_ - [RateLimitSelectCondition](#ratelimitselectcondition) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[SourceMatchType](#sourcematchtype)_ | false | | -| `value` | _string_ | true | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[SourceMatchType](#sourcematchtype)_ | false | Exact | | +| `value` | _string_ | true | | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | #### SourceMatchType @@ -4045,11 +4045,11 @@ StatusCodeMatch defines the configuration for matching a status code. _Appears in:_ - [CustomResponseMatch](#customresponsematch) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value.
Valid values are Value and Range, default is Value. | -| `value` | _integer_ | false | Value contains the value of the status code. | -| `range` | _[StatusCodeRange](#statuscoderange)_ | false | Range contains the range of status codes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Value | Type is the type of value.
Valid values are Value and Range, default is Value. | +| `value` | _integer_ | false | | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | | Range contains the range of status codes. | #### StatusCodeRange @@ -4061,10 +4061,10 @@ StatusCodeRange defines the configuration for define a range of status codes. _Appears in:_ - [StatusCodeMatch](#statuscodematch) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `start` | _integer_ | true | Start of the range, including the start value. | -| `end` | _integer_ | true | End of the range, including the end value. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `start` | _integer_ | true | | Start of the range, including the start value. | +| `end` | _integer_ | true | | End of the range, including the end value. | #### StatusCodeValueType @@ -4093,10 +4093,10 @@ that need to match against a string. _Appears in:_ - [ProxyMetrics](#proxymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[StringMatchType](#stringmatchtype)_ | false | Type specifies how to match against a string. | -| `value` | _string_ | true | Value specifies the string value that the match must have. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[StringMatchType](#stringmatchtype)_ | false | Exact | Type specifies how to match against a string. | +| `value` | _string_ | true | | Value specifies the string value that the match must have. | #### StringMatchType 
@@ -4126,10 +4126,10 @@ TCPActiveHealthChecker defines the settings of tcp health check. _Appears in:_ - [ActiveHealthCheck](#activehealthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `send` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Send defines the request payload. | -| `receive` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Receive defines the expected response payload. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `send` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | | Send defines the request payload. | +| `receive` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | | Receive defines the expected response payload. | #### TCPClientTimeout @@ -4141,9 +4141,9 @@ TCPClientTimeout only provides timeout configuration on the listener whose proto _Appears in:_ - [ClientTimeout](#clienttimeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | #### TCPKeepalive @@ -4157,11 +4157,11 @@ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | -| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | -| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `probes` | _integer_ | false | | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | +| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -4173,9 +4173,9 @@ _Appears in:_ _Appears in:_ - [Timeout](#timeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `connectTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `connectTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | #### TLSSettings @@ -4188,14 +4188,14 @@ _Appears in:_ - [BackendTLSConfig](#backendtlsconfig) - [ClientTLSSettings](#clienttlssettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | -| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | -| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | -| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | -| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### TLSVersion @@ -4231,11 +4231,11 @@ _Appears in:_ - [PolicyTargetReferences](#policytargetreferences) - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `group` | _[Group](#group)_ | true | Group is the group that this selector targets. Defaults to gateway.networking.k8s.io | -| `kind` | _[Kind](#kind)_ | true | Kind is the resource kind that this selector targets. | -| `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `group` | _[Group](#group)_ | true | gateway.networking.k8s.io | Group is the group that this selector targets. Defaults to gateway.networking.k8s.io | +| `kind` | _[Kind](#kind)_ | true | | Kind is the resource kind that this selector targets. | +| `matchLabels` | _object (keys:string, values:string)_ | true | | MatchLabels are the set of label selectors for identifying the targeted resource | #### Timeout @@ -4248,10 +4248,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | -| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | | Timeout settings for TCP. | +| `http` | _[HTTPTimeout](#httptimeout)_ | false | | Timeout settings for HTTP. | #### TracingProvider 
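Review bot: in the TCPKeepalive, TCPTimeout and TLSSettings hunks the new Default column is left empty for fields whose own description states a default (`probes` "Defaults to 9", `idleTime` "Defaults to `7200s`", `interval` "Defaults to `75s`", `connectTimeout` "Default: 10 seconds", `minVersion` "TLS 1.2", `maxVersion` "TLS 1.3"), while the TargetSelector hunk in the same region does fill in `gateway.networking.k8s.io` for `group`. Either populate the column consistently or drop the duplicated "Defaults to ..." sentences from the descriptions; for `minVersion` and `maxVersion` in particular, a reader auditing the permitted TLS floor will look at the column first and read a blank cell as "no default". Two pre-existing defects are carried through unchanged in these rows and could be fixed while they are being touched: the `idleTime` description ends in the dangling sentence "The duration format is", and the `maxVersion` description lacks a full stop after "to allow".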
@@ -4263,15 +4263,15 @@ TracingProvider defines the tracing provider configuration. _Appears in:_ - [ProxyTracing](#proxytracing) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | -| `host` | _string_ | false | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | -| `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | -| `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | Zipkin defines the Zipkin tracing provider configuration | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `type` | _[TracingProviderType](#tracingprovidertype)_ | true | OpenTelemetry | Type defines the tracing provider type. | +| `host` | _string_ | false | | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | 4317 | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | +| `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | | Zipkin defines the Zipkin tracing provider configuration | #### TracingProviderType @@ -4327,9 +4327,9 @@ _Appears in:_ - [BackendEndpoint](#backendendpoint) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path defines the unix domain socket path of the backend endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path defines the unix domain socket path of the backend endpoint. | #### Wasm @@ -4345,14 +4345,14 @@ v8 is used as the VM runtime for the Wasm extensions. _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | false | Name is a unique name for this Wasm extension. It is used to identify the
Wasm extension if multiple extensions are handled by the same vm_id and root_id.
It's also used for logging/debugging.
If not specified, EG will generate a unique name for the Wasm extension. | -| `rootID` | _string_ | true | RootID is a unique ID for a set of extensions in a VM which will share a
RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).

Note: RootID must match the root_id parameter used to register the Context in the Wasm code. | -| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. | -| `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | -| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | -| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | false | | Name is a unique name for this Wasm extension. It is used to identify the
Wasm extension if multiple extensions are handled by the same vm_id and root_id.
It's also used for logging/debugging.
If not specified, EG will generate a unique name for the Wasm extension. | +| `rootID` | _string_ | true | | RootID is a unique ID for a set of extensions in a VM which will share a
RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).

Note: RootID must match the root_id parameter used to register the Context in the Wasm code. | +| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | | Code is the Wasm code for the extension. | +| `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | +| `failOpen` | _boolean_ | false | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | +| `env` | _[WasmEnv](#wasmenv)_ | false | | Env configures the environment for the Wasm extension | #### WasmCodeSource @@ -4364,12 +4364,12 @@ WasmCodeSource defines the source of the Wasm code. _Appears in:_ - [Wasm](#wasm) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | Type is the type of the source of the Wasm code.
Valid WasmCodeSourceType values are "HTTP" or "Image". | -| `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | HTTP is the HTTP URL containing the Wasm code.

Note that the HTTP server must be accessible from the Envoy proxy. | -| `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | Image is the OCI image containing the Wasm code.

Note that the image must be accessible from the Envoy Gateway. | -| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
This field is only applicable when the SHA256 field is not set.

If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.

Note: EG does not update the Wasm module every time an Envoy proxy requests
the Wasm module even if the pull policy is set to Always.
It only updates the Wasm module when the EnvoyExtension resource version changes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | | Type is the type of the source of the Wasm code.
Valid WasmCodeSourceType values are "HTTP" or "Image". | +| `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | | HTTP is the HTTP URL containing the Wasm code.

Note that the HTTP server must be accessible from the Envoy proxy. | +| `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | | Image is the OCI image containing the Wasm code.

Note that the image must be accessible from the Envoy Gateway. | +| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
This field is only applicable when the SHA256 field is not set.

If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.

Note: EG does not update the Wasm module every time an Envoy proxy requests
the Wasm module even if the pull policy is set to Always.
It only updates the Wasm module when the EnvoyExtension resource version changes. | #### WasmCodeSourceType @@ -4396,9 +4396,9 @@ WasmEnv defines the environment variables for the VM of a Wasm extension _Appears in:_ - [Wasm](#wasm) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `hostKeys` | _string array_ | false | | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | #### WithUnderscoresAction @@ -4445,10 +4445,10 @@ XDSTranslatorHooks contains all the pre and post hooks for the xds-translator ru _Appears in:_ - [ExtensionHooks](#extensionhooks) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `pre` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | -| `post` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `pre` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | | +| `post` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | | #### XFCCCertData @@ -4496,10 +4496,10 @@ XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-ce _Appears in:_ - [HeaderSettings](#headersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `mode` | _[XFCCForwardMode](#xfccforwardmode)_ | false | Mode defines how XFCC header is handled by Envoy Proxy.
If not set, the default mode is `Sanitize`. | -| `certDetailsToAdd` | _[XFCCCertData](#xfcccertdata) array_ | false | CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.

Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)
are always included if the client certificate is forwarded.

This field is only applicable when the mode is set to `AppendForward` or
`SanitizeSet` and the client connection is mTLS. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `mode` | _[XFCCForwardMode](#xfccforwardmode)_ | false | | Mode defines how XFCC header is handled by Envoy Proxy.
If not set, the default mode is `Sanitize`. | +| `certDetailsToAdd` | _[XFCCCertData](#xfcccertdata) array_ | false | | CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.

Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)
are always included if the client certificate is forwarded.

This field is only applicable when the mode is set to `AppendForward` or
`SanitizeSet` and the client connection is mTLS. | #### XForwardedForSettings @@ -4513,9 +4513,9 @@ for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `numTrustedHops` | _integer_ | false | | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider @@ -4527,9 +4527,9 @@ ZipkinTracingProvider defines the Zipkin tracing provider configuration. _Appears in:_ - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enable128BitTraceId` | _boolean_ | false | Enable128BitTraceID determines whether a 128bit trace id will be used
when creating a new trace instance. If set to false, a 64bit trace
id will be used. | -| `disableSharedSpanContext` | _boolean_ | false | DisableSharedSpanContext determines whether the default Envoy behaviour of
client and server spans sharing the same span context should be disabled. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enable128BitTraceId` | _boolean_ | false | | Enable128BitTraceID determines whether a 128bit trace id will be used
when creating a new trace instance. If set to false, a 64bit trace
id will be used. | +| `disableSharedSpanContext` | _boolean_ | false | | DisableSharedSpanContext determines whether the default Envoy behaviour of
client and server spans sharing the same span context should be disabled. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index fb136b62892..316a1201c8a 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -57,14 +57,14 @@ stream is established. _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | -| `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | -| `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | HTTP defines additional configuration specific to HTTP access logs. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `logName` | _string_ | false | | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | +| `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | +| `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | | HTTP defines additional configuration specific to HTTP access logs. | #### ALSEnvoyProxyAccessLogType @@ -91,11 +91,11 @@ _Appears in:_ _Appears in:_ - [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `requestHeaders` | _string array_ | false | RequestHeaders defines request headers to include in log entries sent to the access log service. | -| `responseHeaders` | _string array_ | false | ResponseHeaders defines response headers to include in log entries sent to the access log service. | -| `responseTrailers` | _string array_ | false | ResponseTrailers defines response trailers to include in log entries sent to the access log service. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `requestHeaders` | _string array_ | false | | RequestHeaders defines request headers to include in log entries sent to the access log service. | +| `responseHeaders` | _string array_ | false | | ResponseHeaders defines response headers to include in log entries sent to the access log service. | +| `responseTrailers` | _string array_ | false | | ResponseTrailers defines response trailers to include in log entries sent to the access log service. | #### ActiveHealthCheck 
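Review bot: in the TracingProvider hunk the `port` row now shows `4317` and `type` shows `OpenTelemetry` in the Default column, but `port` (like `host`) is marked "Deprecated: Use BackendRefs instead"; printing a default for a deprecated field invites new configs to keep using it, so consider leaving the cell blank or stating the default under `backendRefs` instead. The `backendRef` and `backendRefs` descriptions in the same hunk (and again in the ALSEnvoyProxyAccessLog hunk that follows) say the backend is the one "to which the authorization request will be sent", which is wrong for a tracing or access-log sink and reads as copied from an auth type. In the XForwardedClientCert hunk the `mode` Default cell is blank although the description says "If not set, the default mode is `Sanitize`"; since that default is what strips a client-supplied x-forwarded-client-cert header before it reaches the backend, it is the one value in this region most worth surfacing in the column. The same gap applies to `pullPolicy` ("IfNotPresent") in the WasmCodeSource hunk, whereas `failOpen` in the Wasm hunk correctly gets `false`. Minor: the WasmEnv `hostKeys` row still reads "passing secrets to to Wasm extensions", and the Wasm `rootID` row "an Wasm HttpFilter and an Wasm AccessLog". The zh file whose hunks begin here carries the same blob index (fb136b62892..316a1201c8a) as the en file, so it is an untranslated copy and every point above applies to it as well.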
@@ -108,16 +108,16 @@ EG supports various types of active health checking including HTTP, TCP. _Appears in:_ - [HealthCheck](#healthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout defines the time to wait for a health check response. | -| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Interval defines the time between active health checks. | -| `unhealthyThreshold` | _integer_ | false | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. | -| `healthyThreshold` | _integer_ | false | HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy. | -| `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | Type defines the type of health checker. | -| `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | -| `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | -| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 1s | Timeout defines the time to wait for a health check response. | +| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 3s | Interval defines the time between active health checks. | +| `unhealthyThreshold` | _integer_ | false | 3 | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. | +| `healthyThreshold` | _integer_ | false | 1 | HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy. | +| `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | | Type defines the type of health checker. | +| `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | +| `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | +| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | #### ActiveHealthCheckPayload @@ -130,11 +130,11 @@ _Appears in:_ - [HTTPActiveHealthChecker](#httpactivehealthchecker) - [TCPActiveHealthChecker](#tcpactivehealthchecker) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | -| `text` | _string_ | false | Text payload in plain text. | -| `binary` | _integer array_ | false | Binary payload base64 encoded. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | | Type defines the type of the payload. | +| `text` | _string_ | false | | Text payload in plain text. | +| `binary` | _integer array_ | false | | Binary payload base64 encoded. | #### ActiveHealthCheckPayloadType @@ -196,10 +196,10 @@ Note: if neither `Rules` nor `DefaultAction` is specified, the default action is _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rules` | _[AuthorizationRule](#authorizationrule) array_ | false | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | -| `defaultAction` | _[AuthorizationAction](#authorizationaction)_ | false | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rules` | _[AuthorizationRule](#authorizationrule) array_ | false | | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | +| `defaultAction` | _[AuthorizationAction](#authorizationaction)_ | false | | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. | #### AuthorizationAction @@ -227,11 +227,11 @@ AuthorizationRule defines a single authorization rule. _Appears in:_ - [Authorization](#authorization) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | -| `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | -| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | false | | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | +| `action` | _[AuthorizationAction](#authorizationaction)_ | true | | Action defines the action to be taken if the rule matches. | +| `principal` | _[Principal](#principal)_ | true | | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | #### BackOffPolicy @@ -243,10 +243,10 @@ _Appears in:_ _Appears in:_ - [PerRetryPolicy](#perretrypolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | BaseInterval is the base interval between retries. | -| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | BaseInterval is the base interval between retries. | +| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | #### Backend @@ -258,13 +258,13 @@ the behavior of the connection from Envoy Proxy to the backend. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`Backend` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[BackendSpec](#backendspec)_ | true | Spec defines the desired state of Backend. | -| `status` | _[BackendStatus](#backendstatus)_ | true | Status defines the current status of Backend. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[BackendSpec](#backendspec)_ | true | | Spec defines the desired state of Backend. | +| `status` | _[BackendStatus](#backendstatus)_ | true | | Status defines the current status of Backend. | #### BackendCluster @@ -285,11 +285,11 @@ _Appears in:_ - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | @@ -306,9 +306,9 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -322,11 +322,11 @@ _Appears in:_ - [BackendSpec](#backendspec) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | -| `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | | FQDN defines a FQDN endpoint | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | +| `unix` | _[UnixSocket](#unixsocket)_ | false | | Unix defines the unix domain socket endpoint | #### BackendRef @@ -346,14 +346,14 @@ _Appears in:_ - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `group` | _[Group](#group)_ | false | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. | -| `kind` | _[Kind](#kind)_ | false | Kind is the Kubernetes resource kind of the referent. For example
"Service".

Defaults to "Service" when not specified.

ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName) | -| `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | -| `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | -| `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | -| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `group` | _[Group](#group)_ | false | | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. | +| `kind` | _[Kind](#kind)_ | false | Service | Kind is the Kubernetes resource kind of the referent. For example
"Service".

Defaults to "Service" when not specified.

ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName) | +| `name` | _[ObjectName](#objectname)_ | true | | Name is the name of the referent. | +| `namespace` | _[Namespace](#namespace)_ | false | | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | +| `port` | _[PortNumber](#portnumber)_ | false | | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | +| `fallback` | _boolean_ | false | | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec @@ -365,11 +365,11 @@ BackendSpec describes the desired state of BackendSpec. _Appears in:_ - [Backend](#backend) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | Endpoints defines the endpoints to be used when connecting to the backend. | -| `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | AppProtocols defines the application protocols to be supported when connecting to the backend. | -| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | | Endpoints defines the endpoints to be used when connecting to the backend. | +| `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | | AppProtocols defines the application protocols to be supported when connecting to the backend. | +| `fallback` | _boolean_ | false | | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendStatus @@ -381,9 +381,9 @@ BackendStatus defines the state of Backend _Appears in:_ - [Backend](#backend) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `conditions` | _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta) array_ | false | Conditions describe the current conditions of the Backend. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `conditions` | _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta) array_ | false | | Conditions describe the current conditions of the Backend. | #### BackendTLSConfig @@ -395,15 +395,15 @@ BackendTLSConfig describes the BackendTLS configuration for Envoy Proxy. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | ClientCertificateRef defines the reference to a Kubernetes Secret that contains
the client certificate and private key for Envoy to use when connecting to
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
This secret should be located within the same namespace as the Envoy proxy resource that references it. | -| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | -| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | -| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | -| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | -| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | | ClientCertificateRef defines the reference to a Kubernetes Secret that contains
the client certificate and private key for Envoy to use when connecting to
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
This secret should be located within the same namespace as the Envoy proxy resource that references it. | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### BackendTrafficPolicy @@ -415,13 +415,13 @@ between the Envoy Proxy listener and the backend service. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`BackendTrafficPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[BackendTrafficPolicySpec](#backendtrafficpolicyspec)_ | true | spec defines the desired state of BackendTrafficPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[BackendTrafficPolicySpec](#backendtrafficpolicyspec)_ | true | | spec defines the desired state of BackendTrafficPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | status defines the current status of BackendTrafficPolicy. | #### BackendTrafficPolicySpec @@ -433,25 +433,25 @@ BackendTrafficPolicySpec defines the desired state of BackendTrafficPolicy. _Appears in:_ - [BackendTrafficPolicy](#backendtrafficpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | -| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | -| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | -| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | -| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | -| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | -| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | -| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | -| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | -| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | -| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | -| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | -| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | | HTTP2 provides HTTP/2 configuration for backend connections. | +| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | +| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | +| `useClientProtocol` | _boolean_ | false | | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | +| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | #### BasicAuth @@ -463,9 +463,9 @@ BasicAuth defines the configuration for the HTTP Basic Authentication. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | #### BodyToExtAuth @@ -477,9 +477,9 @@ BodyToExtAuth defines the Body to Ext Auth configuration _Appears in:_ - [ExtAuth](#extauth) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `maxRequestBytes` | _integer_ | true | | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | #### BootstrapType @@ -520,14 +520,14 @@ CORS defines the configuration for Cross-Origin Resource Sharing (CORS). _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `allowOrigins` | _[Origin](#origin) array_ | false | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | -| `allowMethods` | _string array_ | false | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | -| `allowHeaders` | _string array_ | false | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | -| `exposeHeaders` | _string array_ | false | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | -| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | -| `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `allowOrigins` | _[Origin](#origin) array_ | false | | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | +| `allowMethods` | _string array_ | false | | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | +| `allowHeaders` | _string array_ | false | | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | +| `exposeHeaders` | _string array_ | false | | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | +| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | +| `allowCredentials` | _boolean_ | false | | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | #### CircuitBreaker @@ -540,13 +540,13 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | -| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | -| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `maxConnections` | _integer_ | false | 1024 | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | +| `maxPendingRequests` | _integer_ | false | 1024 | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | +| `maxParallelRequests` | _integer_ | false | 1024 | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxParallelRetries` | _integer_ | false | 1024 | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxRequestsPerConnection` | _integer_ | false | | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -558,10 +558,10 @@ ClaimToHeader defines a configuration to convert JWT claims into HTTP headers _Appears in:_ - [JWTProvider](#jwtprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `header` | _string_ | true | Header defines the name of the HTTP request header that the JWT Claim will be saved into. | -| `claim` | _string_ | true | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
(eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
to separate the JSON name path. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `header` | _string_ | true | | Header defines the name of the HTTP request header that the JWT Claim will be saved into. | +| `claim` | _string_ | true | | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
(eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
to separate the JSON name path. | #### ClientConnection @@ -573,10 +573,10 @@ ClientConnection allows users to configure connection-level settings of client _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | | ConnectionLimit defines limits related to connections | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | #### ClientIPDetectionSettings @@ -588,10 +588,10 @@ ClientIPDetectionSettings provides configuration for determining the original cl _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. | -| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. | +| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | #### ClientTLSSettings @@ -603,16 +603,16 @@ _Appears in:_ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener. | -| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | -| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | -| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | -| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | -| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | -| `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | | ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener. | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `session` | _[Session](#session)_ | false | | Session defines settings related to TLS session management. | #### ClientTimeout @@ -624,10 +624,10 @@ _Appears in:_ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `tcp` | _[TCPClientTimeout](#tcpclienttimeout)_ | false | Timeout settings for TCP. | -| `http` | _[HTTPClientTimeout](#httpclienttimeout)_ | false | Timeout settings for HTTP. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `tcp` | _[TCPClientTimeout](#tcpclienttimeout)_ | false | | Timeout settings for TCP. | +| `http` | _[HTTPClientTimeout](#httpclienttimeout)_ | false | | Timeout settings for HTTP. | #### ClientTrafficPolicy 
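Review bot: the doubled period in "Access-Control-Allow-Headers CORS response header.." is carried unchanged into the new `+` rows, and the `exposeHeaders` and `maxAge` rows have the same ".." ending. This file is generated, so the fix belongs in the Go doc comments of the CORS type; otherwise the typo comes back on the next regeneration.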
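Review bot: in the CircuitBreaker hunk, `maxRequestsPerConnection` keeps "Default: unlimited." inside its description while its new Default cell is left blank, so it now disagrees in style with the four rows above it, whose 1024 defaults moved into the column. Either render "unlimited" in the Default cell or drop the trailing sentence from the description so there is one place a reader checks for the ceiling.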
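Review bot: in the ClientConnection hunk, `bufferLimit` still ends with "Default: 32768 bytes." but its Default cell is empty. Now that the table has a Default column, a blank cell reads as "no default"; move the 32768 value into the column (or fix the source comment so the generator emits it there).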
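Review bot: in the ClientTLSSettings hunk, `minVersion` and `maxVersion` describe their defaults (TLS 1.2 and TLS 1.3) only in prose, and `ciphers` and `ecdhCurves` do the same with their default lists, while every Default cell in the table is blank. The minimum TLS version is the first value an operator audits on a listener policy, so at least the two version defaults should be surfaced in the new column rather than buried in the description.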
@@ -639,13 +639,13 @@ between the downstream client and Envoy Proxy listener. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`ClientTrafficPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[ClientTrafficPolicySpec](#clienttrafficpolicyspec)_ | true | Spec defines the desired state of ClientTrafficPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[ClientTrafficPolicySpec](#clienttrafficpolicyspec)_ | true | | Spec defines the desired state of ClientTrafficPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of ClientTrafficPolicy. | #### ClientTrafficPolicySpec @@ -657,23 +657,23 @@ ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy. _Appears in:_ - [ClientTrafficPolicy](#clienttrafficpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default. | -| `enableProxyProtocol` | _boolean_ | false | EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed. | -| `clientIPDetection` | _[ClientIPDetectionSettings](#clientipdetectionsettings)_ | false | ClientIPDetectionSettings provides configuration for determining the original client IP address for requests. | -| `tls` | _[ClientTLSSettings](#clienttlssettings)_ | false | TLS settings configure TLS termination settings with the downstream client. | -| `path` | _[PathSettings](#pathsettings)_ | false | Path enables managing how the incoming path set by clients can be normalized. | -| `headers` | _[HeaderSettings](#headersettings)_ | false | HeaderSettings provides configuration for header management. | -| `timeout` | _[ClientTimeout](#clienttimeout)_ | false | Timeout settings for the client connections. | -| `connection` | _[ClientConnection](#clientconnection)_ | false | Connection includes client connection settings. | -| `http1` | _[HTTP1Settings](#http1settings)_ | false | HTTP1 provides HTTP/1 configuration on the listener. | -| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration on the listener. | -| `http3` | _[HTTP3Settings](#http3settings)_ | false | HTTP3 provides HTTP/3 configuration on the listener. | -| `healthCheck` | _[HealthCheckSettings](#healthchecksettings)_ | false | HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | | TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default. | +| `enableProxyProtocol` | _boolean_ | false | | EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed. | +| `clientIPDetection` | _[ClientIPDetectionSettings](#clientipdetectionsettings)_ | false | | ClientIPDetectionSettings provides configuration for determining the original client IP address for requests. | +| `tls` | _[ClientTLSSettings](#clienttlssettings)_ | false | | TLS settings configure TLS termination settings with the downstream client. | +| `path` | _[PathSettings](#pathsettings)_ | false | | Path enables managing how the incoming path set by clients can be normalized. | +| `headers` | _[HeaderSettings](#headersettings)_ | false | | HeaderSettings provides configuration for header management. | +| `timeout` | _[ClientTimeout](#clienttimeout)_ | false | | Timeout settings for the client connections. | +| `connection` | _[ClientConnection](#clientconnection)_ | false | | Connection includes client connection settings. | +| `http1` | _[HTTP1Settings](#http1settings)_ | false | | HTTP1 provides HTTP/1 configuration on the listener. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | | HTTP2 provides HTTP/2 configuration on the listener. | +| `http3` | _[HTTP3Settings](#http3settings)_ | false | | HTTP3 provides HTTP/3 configuration on the listener. | +| `healthCheck` | _[HealthCheckSettings](#healthchecksettings)_ | false | | HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy. | #### ClientValidationContext @@ -687,10 +687,10 @@ By default, no client specific configuration is validated. _Appears in:_ - [ClientTLSSettings](#clienttlssettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `optional` | _boolean_ | false | Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate. | -| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `optional` | _boolean_ | false | | Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate. | +| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | #### ClusterSettings @@ -712,18 +712,18 @@ _Appears in:_ - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | -| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | -| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | -| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | -| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | -| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | -| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | -| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | -| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | | HTTP2 provides HTTP/2 configuration for backend connections. | #### Compression @@ -737,10 +737,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ProxyPrometheusProvider](#proxyprometheusprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[CompressorType](#compressortype)_ | true | CompressorType defines the compressor type to use for compression. | -| `gzip` | _[GzipCompressor](#gzipcompressor)_ | false | The configuration for GZIP compressor. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[CompressorType](#compressortype)_ | true | | CompressorType defines the compressor type to use for compression. | +| `gzip` | _[GzipCompressor](#gzipcompressor)_ | false | | The configuration for GZIP compressor. | #### CompressorType @@ -763,10 +763,10 @@ _Appears in:_ _Appears in:_ - [ClientConnection](#clientconnection) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | -| `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `value` | _integer_ | true | | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | +| `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | #### ConsistentHash @@ -779,12 +779,12 @@ load balancer policy. _Appears in:_ - [LoadBalancer](#loadbalancer) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ConsistentHashType](#consistenthashtype)_ | true | ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
"Cookie". | -| `header` | _[Header](#header)_ | false | Header configures the header hash policy when the consistent hash type is set to Header. | -| `cookie` | _[Cookie](#cookie)_ | false | Cookie configures the cookie hash policy when the consistent hash type is set to Cookie. | -| `tableSize` | _integer_ | false | The table size for consistent hashing, must be prime number limited to 5000011. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ConsistentHashType](#consistenthashtype)_ | true | | ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
"Cookie". | +| `header` | _[Header](#header)_ | false | | Header configures the header hash policy when the consistent hash type is set to Header. | +| `cookie` | _[Cookie](#cookie)_ | false | | Cookie configures the cookie hash policy when the consistent hash type is set to Cookie. | +| `tableSize` | _integer_ | false | 65537 | The table size for consistent hashing, must be prime number limited to 5000011. | #### ConsistentHashType @@ -813,11 +813,11 @@ load balancing. _Appears in:_ - [ConsistentHash](#consistenthash) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name of the cookie to hash.
If this cookie does not exist in the request, Envoy will generate a cookie and set
the TTL on the response back to the client based on Layer 4
attributes of the backend endpoint, to ensure that these future requests
go to the same backend endpoint. Make sure to set the TTL field for this case. | -| `ttl` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value. | -| `attributes` | _object (keys:string, values:string)_ | false | Additional Attributes to set for the generated cookie. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name of the cookie to hash.
If this cookie does not exist in the request, Envoy will generate a cookie and set
the TTL on the response back to the client based on Layer 4
attributes of the backend endpoint, to ensure that these future requests
go to the same backend endpoint. Make sure to set the TTL field for this case. | +| `ttl` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value. | +| `attributes` | _object (keys:string, values:string)_ | false | | Additional Attributes to set for the generated cookie. | #### CustomHeaderExtensionSettings @@ -832,10 +832,10 @@ for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name of the header containing the original downstream remote address, if present. | -| `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name of the header containing the original downstream remote address, if present. | +| `failClosed` | _boolean_ | false | | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | #### CustomResponse @@ -847,10 +847,10 @@ CustomResponse defines the configuration for returning a custom response. _Appears in:_ - [ResponseOverride](#responseoverride) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `contentType` | _string_ | false | | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | | Body of the Custom Response | #### CustomResponseBody @@ -863,11 +863,11 @@ _Appears in:_ - [CustomResponse](#customresponse) - [HTTPDirectResponseFilter](#httpdirectresponsefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | -| `inline` | _string_ | false | Inline contains the value as an inline string. | -| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Inline | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | +| `inline` | _string_ | false | | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | #### CustomResponseMatch @@ -879,9 +879,9 @@ CustomResponseMatch defines the configuration for matching a user response to re _Appears in:_ - [ResponseOverride](#responseoverride) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | | Status code to match on. The match evaluates to true if any of the matches are successful. | #### CustomTag @@ -893,12 +893,12 @@ _Appears in:_ _Appears in:_ - [ProxyTracing](#proxytracing) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[CustomTagType](#customtagtype)_ | true | Type defines the type of custom tag. | -| `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | Literal adds hard-coded value to each span.
It's required when the type is "Literal". | -| `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | Environment adds value from environment variable to each span.
It's required when the type is "Environment". | -| `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | RequestHeader adds value from request header to each span.
It's required when the type is "RequestHeader". | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[CustomTagType](#customtagtype)_ | true | Literal | Type defines the type of custom tag. | +| `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | | Literal adds hard-coded value to each span.
It's required when the type is "Literal". | +| `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | | Environment adds value from environment variable to each span.
It's required when the type is "Environment". | +| `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | | RequestHeader adds value from request header to each span.
It's required when the type is "RequestHeader". | #### CustomTagType @@ -927,10 +927,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | -| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -942,10 +942,10 @@ EnvironmentCustomTag adds value from environment variable to each span. _Appears in:_ - [CustomTag](#customtag) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name defines the name of the environment variable which to extract the value from. | -| `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the environment variable is not set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name defines the name of the environment variable which to extract the value from. | +| `defaultValue` | _string_ | false | | DefaultValue defines the default value to use if the environment variable is not set. | #### EnvoyExtensionPolicy 
@@ -956,13 +956,13 @@ EnvoyExtensionPolicy allows the user to configure various envoy extensibility op -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyExtensionPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)_ | true | Spec defines the desired state of EnvoyExtensionPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)_ | true | | Spec defines the desired state of EnvoyExtensionPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of EnvoyExtensionPolicy. | #### EnvoyExtensionPolicySpec @@ -974,13 +974,13 @@ EnvoyExtensionPolicySpec defines the desired state of EnvoyExtensionPolicy. _Appears in:_ - [EnvoyExtensionPolicy](#envoyextensionpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `wasm` | _[Wasm](#wasm) array_ | false | Wasm is a list of Wasm extensions to be loaded by the Gateway.
Order matters, as the extensions will be loaded in the order they are
defined in this list. | -| `extProc` | _[ExtProc](#extproc) array_ | false | ExtProc is an ordered list of external processing filters
that should be added to the envoy filter chain | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `wasm` | _[Wasm](#wasm) array_ | false | | Wasm is a list of Wasm extensions to be loaded by the Gateway.
Order matters, as the extensions will be loaded in the order they are
defined in this list. | +| `extProc` | _[ExtProc](#extproc) array_ | false | | ExtProc is an ordered list of external processing filters
that should be added to the envoy filter chain | #### EnvoyFilter @@ -1019,18 +1019,18 @@ EnvoyGateway is the schema for the envoygateways API. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyGateway` -| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | -| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | -| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | -| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | -| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | -| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | -| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | -| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | +| `gateway` | _[Gateway](#gateway)_ | false | | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | +| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | +| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | \{ default:info \} | Logging defines logging parameters for Envoy Gateway. | +| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | +| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | +| `rateLimit` | _[RateLimit](#ratelimit)_ | false | | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | +| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | +| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | #### EnvoyGatewayAdmin @@ -1043,11 +1043,11 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `address` | _[EnvoyGatewayAdminAddress](#envoygatewayadminaddress)_ | false | Address defines the address of Envoy Gateway Admin Server. | -| `enableDumpConfig` | _boolean_ | false | EnableDumpConfig defines if enable dump config in Envoy Gateway logs. | -| `enablePprof` | _boolean_ | false | EnablePprof defines if enable pprof in Envoy Gateway Admin Server. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `address` | _[EnvoyGatewayAdminAddress](#envoygatewayadminaddress)_ | false | | Address defines the address of Envoy Gateway Admin Server. | +| `enableDumpConfig` | _boolean_ | false | | EnableDumpConfig defines if enable dump config in Envoy Gateway logs. | +| `enablePprof` | _boolean_ | false | | EnablePprof defines if enable pprof in Envoy Gateway Admin Server. | #### EnvoyGatewayAdminAddress @@ -1059,10 +1059,10 @@ EnvoyGatewayAdminAddress defines the Envoy Gateway Admin Address configuration. _Appears in:_ - [EnvoyGatewayAdmin](#envoygatewayadmin) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `port` | _integer_ | false | Port defines the port the admin server is exposed on. | -| `host` | _string_ | false | Host defines the admin server hostname. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `port` | _integer_ | false | 19000 | Port defines the port the admin server is exposed on. | +| `host` | _string_ | false | 127.0.0.1 | Host defines the admin server hostname. | #### EnvoyGatewayCustomProvider 
@@ -1074,10 +1074,10 @@ EnvoyGatewayCustomProvider defines configuration for the Custom provider. _Appears in:_ - [EnvoyGatewayProvider](#envoygatewayprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | -| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | +| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | #### EnvoyGatewayFileResourceProvider @@ -1089,9 +1089,9 @@ EnvoyGatewayFileResourceProvider defines configuration for the File Resource pro _Appears in:_ - [EnvoyGatewayResourceProvider](#envoygatewayresourceprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `paths` | _string array_ | true | | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | #### EnvoyGatewayHostInfrastructureProvider @@ -1114,10 +1114,10 @@ EnvoyGatewayInfrastructureProvider defines configuration for the Custom Infrastr _Appears in:_ - [EnvoyGatewayCustomProvider](#envoygatewaycustomprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[InfrastructureProviderType](#infrastructureprovidertype)_ | true | Type is the type of infrastructure providers to use. Supported types are "Host". | -| `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | Host defines the configuration of the Host provider. Host provides runtime
deployment of the data plane as a child process on the host environment. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[InfrastructureProviderType](#infrastructureprovidertype)_ | true | | Type is the type of infrastructure providers to use. Supported types are "Host". | +| `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | | Host defines the configuration of the Host provider. Host provides runtime
deployment of the data plane as a child process on the host environment. | #### EnvoyGatewayKubernetesProvider @@ -1129,15 +1129,15 @@ EnvoyGatewayKubernetesProvider defines configuration for the Kubernetes provider _Appears in:_ - [EnvoyGatewayProvider](#envoygatewayprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | -| `rateLimitHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | RateLimitHpa defines the Horizontal Pod Autoscaler settings for Envoy ratelimit Deployment.
If the HPA is set, Replicas field from RateLimitDeployment will be ignored. | -| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | -| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | -| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | -| `leaderElection` | _[LeaderElection](#leaderelection)_ | false | LeaderElection specifies the configuration for leader election.
If it's not set up, leader election will be active by default, using Kubernetes' standard settings. | -| `shutdownManager` | _[ShutdownManager](#shutdownmanager)_ | false | ShutdownManager defines the configuration for the shutdown manager. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | +| `rateLimitHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | | RateLimitHpa defines the Horizontal Pod Autoscaler settings for Envoy ratelimit Deployment.
If the HPA is set, Replicas field from RateLimitDeployment will be ignored. | +| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | | Watch holds configuration of which input resources should be watched and reconciled. | +| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | +| `overwriteControlPlaneCerts` | _boolean_ | false | | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | +| `leaderElection` | _[LeaderElection](#leaderelection)_ | false | | LeaderElection specifies the configuration for leader election.
If it's not set up, leader election will be active by default, using Kubernetes' standard settings. | +| `shutdownManager` | _[ShutdownManager](#shutdownmanager)_ | false | | ShutdownManager defines the configuration for the shutdown manager. | #### EnvoyGatewayLogComponent @@ -1170,9 +1170,9 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | \{ default:info \} | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. | #### EnvoyGatewayMetricSink @@ -1185,10 +1185,10 @@ metric sinks where metrics are sent to. _Appears in:_ - [EnvoyGatewayMetrics](#envoygatewaymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG control plane currently supports OpenTelemetry. | -| `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[MetricSinkType](#metricsinktype)_ | true | OpenTelemetry | Type defines the metric sink type.
EG control plane currently supports OpenTelemetry. | +| `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | #### EnvoyGatewayMetrics @@ -1200,10 +1200,10 @@ EnvoyGatewayMetrics defines control plane push/pull metrics configurations. _Appears in:_ - [EnvoyGatewayTelemetry](#envoygatewaytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `sinks` | _[EnvoyGatewayMetricSink](#envoygatewaymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | -| `prometheus` | _[EnvoyGatewayPrometheusProvider](#envoygatewayprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `sinks` | _[EnvoyGatewayMetricSink](#envoygatewaymetricsink) array_ | true | | Sinks defines the metric sinks where metrics are sent to. | +| `prometheus` | _[EnvoyGatewayPrometheusProvider](#envoygatewayprometheusprovider)_ | true | | Prometheus defines the configuration for prometheus endpoint. | #### EnvoyGatewayOpenTelemetrySink @@ -1215,13 +1215,13 @@ _Appears in:_ _Appears in:_ - [EnvoyGatewayMetricSink](#envoygatewaymetricsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `host` | _string_ | true | Host define the sink service hostname. | -| `protocol` | _string_ | true | Protocol define the sink service protocol. | -| `port` | _integer_ | false | Port defines the port the sink service is exposed on. | -| `exportInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportInterval configures the intervening time between exports for a
Sink. This option overrides any value set for the
OTEL_METRIC_EXPORT_INTERVAL environment variable.
If ExportInterval is less than or equal to zero, 60 seconds
is used as the default. | -| `exportTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportTimeout configures the time a Sink waits for an export to
complete before canceling it. This option overrides any value set for the
OTEL_METRIC_EXPORT_TIMEOUT environment variable.
If ExportTimeout is less than or equal to zero, 30 seconds
is used as the default. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `host` | _string_ | true | | Host define the sink service hostname. | +| `protocol` | _string_ | true | | Protocol define the sink service protocol. | +| `port` | _integer_ | false | 4317 | Port defines the port the sink service is exposed on. | +| `exportInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | ExportInterval configures the intervening time between exports for a
Sink. This option overrides any value set for the
OTEL_METRIC_EXPORT_INTERVAL environment variable.
If ExportInterval is less than or equal to zero, 60 seconds
is used as the default. | +| `exportTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | ExportTimeout configures the time a Sink waits for an export to
complete before canceling it. This option overrides any value set for the
OTEL_METRIC_EXPORT_TIMEOUT environment variable.
If ExportTimeout is less than or equal to zero, 30 seconds
is used as the default. | #### EnvoyGatewayPrometheusProvider @@ -1233,9 +1233,9 @@ EnvoyGatewayPrometheusProvider will expose prometheus endpoint in pull mode. _Appears in:_ - [EnvoyGatewayMetrics](#envoygatewaymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable defines if disables the prometheus metrics in pull mode. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable defines if disables the prometheus metrics in pull mode. | #### EnvoyGatewayProvider @@ -1248,11 +1248,11 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | -| `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | -| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProviderType](#providertype)_ | true | | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | +| `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | +| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | #### EnvoyGatewayResourceProvider @@ -1264,10 +1264,10 @@ EnvoyGatewayResourceProvider defines configuration for the Custom Resource provi _Appears in:_ - [EnvoyGatewayCustomProvider](#envoygatewaycustomprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ResourceProviderType](#resourceprovidertype)_ | true | Type is the type of resource provider to use. Supported types are "File". | -| `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | File defines the configuration of the File provider. File provides runtime
configuration defined by one or more files. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ResourceProviderType](#resourceprovidertype)_ | true | | Type is the type of resource provider to use. Supported types are "File". | +| `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | | File defines the configuration of the File provider. File provides runtime
configuration defined by one or more files. | #### EnvoyGatewaySpec @@ -1279,16 +1279,16 @@ EnvoyGatewaySpec defines the desired state of Envoy Gateway. _Appears in:_ - [EnvoyGateway](#envoygateway) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | -| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | -| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | -| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | -| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | -| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | -| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | -| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `gateway` | _[Gateway](#gateway)_ | false | | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | +| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | +| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | \{ default:info \} | Logging defines logging parameters for Envoy Gateway. | +| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | +| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | +| `rateLimit` | _[RateLimit](#ratelimit)_ | false | | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | +| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | +| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | #### EnvoyGatewayTelemetry @@ -1302,9 +1302,9 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `metrics` | _[EnvoyGatewayMetrics](#envoygatewaymetrics)_ | true | Metrics defines metrics configuration for envoy gateway. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `metrics` | _[EnvoyGatewayMetrics](#envoygatewaymetrics)_ | true | | Metrics defines metrics configuration for envoy gateway. | #### EnvoyJSONPatchConfig @@ -1317,11 +1317,11 @@ using JSONPatch semantic _Appears in:_ - [EnvoyPatchPolicySpec](#envoypatchpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[EnvoyResourceType](#envoyresourcetype)_ | true | Type is the typed URL of the Envoy xDS Resource | -| `name` | _string_ | true | Name is the name of the resource | -| `operation` | _[JSONPatchOperation](#jsonpatchoperation)_ | true | Patch defines the JSON Patch Operation | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[EnvoyResourceType](#envoyresourcetype)_ | true | | Type is the typed URL of the Envoy xDS Resource | +| `name` | _string_ | true | | Name is the name of the resource | +| `operation` | _[JSONPatchOperation](#jsonpatchoperation)_ | true | | Patch defines the JSON Patch Operation | #### EnvoyPatchPolicy 
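Review bot: the Default cell added for `logging` in the EnvoyGatewaySpec hunk, `\{ default:info \}`, is rendered in a brace-escaped `key:value` spelling rather than the YAML/JSON a reader would actually write in the EnvoyGateway config, and the same kind of field further down in this patch (`logging` in EnvoyProxySpec) comes out as `\{ level:map[default:warn] \}`, so the generator is not producing one consistent shape for structured defaults. Suggest emitting defaults as plain YAML or JSON literals so an operator can diff the documented default against their own config, and checking the escaping once the Hugo page is rendered.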
@@ -1333,13 +1333,13 @@ resources by Envoy Gateway using this patch API -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyPatchPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[EnvoyPatchPolicySpec](#envoypatchpolicyspec)_ | true | Spec defines the desired state of EnvoyPatchPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyPatchPolicySpec](#envoypatchpolicyspec)_ | true | | Spec defines the desired state of EnvoyPatchPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of EnvoyPatchPolicy. | #### EnvoyPatchPolicySpec @@ -1351,12 +1351,12 @@ EnvoyPatchPolicySpec defines the desired state of EnvoyPatchPolicy. _Appears in:_ - [EnvoyPatchPolicy](#envoypatchpolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch". | -| `jsonPatches` | _[EnvoyJSONPatchConfig](#envoyjsonpatchconfig) array_ | false | JSONPatch defines the JSONPatch configuration. | -| `targetRef` | _[LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference)_ | true | TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default, attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef | -| `priority` | _integer_ | true | Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | | Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch". | +| `jsonPatches` | _[EnvoyJSONPatchConfig](#envoyjsonpatchconfig) array_ | false | | JSONPatch defines the JSONPatch configuration. | +| `targetRef` | _[LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference)_ | true | | TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default, attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef | +| `priority` | _integer_ | true | | Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0. | #### EnvoyPatchType @@ -1381,13 +1381,13 @@ EnvoyProxy is the schema for the envoyproxies API. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`EnvoyProxy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[EnvoyProxySpec](#envoyproxyspec)_ | true | EnvoyProxySpec defines the desired state of EnvoyProxy. | -| `status` | _[EnvoyProxyStatus](#envoyproxystatus)_ | true | EnvoyProxyStatus defines the actual state of EnvoyProxy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyProxySpec](#envoyproxyspec)_ | true | | EnvoyProxySpec defines the desired state of EnvoyProxy. | +| `status` | _[EnvoyProxyStatus](#envoyproxystatus)_ | true | | EnvoyProxyStatus defines the actual state of EnvoyProxy. | #### EnvoyProxyKubernetesProvider @@ -1400,14 +1400,14 @@ provider. _Appears in:_ - [EnvoyProxyProvider](#envoyproxyprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | EnvoyDeployment defines the desired state of the Envoy deployment resource.
If unspecified, default settings for the managed Envoy deployment resource
are applied. | -| `envoyDaemonSet` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | EnvoyDaemonSet defines the desired state of the Envoy daemonset resource.
Disabled by default, a deployment resource is used instead to provision the Envoy Proxy fleet | -| `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | EnvoyService defines the desired state of the Envoy service resource.
If unspecified, default settings for the managed Envoy service resource
are applied. | -| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. | -| `useListenerPortAsContainerPort` | _boolean_ | false | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. | -| `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ | false | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | | EnvoyDeployment defines the desired state of the Envoy deployment resource.
If unspecified, default settings for the managed Envoy deployment resource
are applied. | +| `envoyDaemonSet` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | | EnvoyDaemonSet defines the desired state of the Envoy daemonset resource.
Disabled by default, a deployment resource is used instead to provision the Envoy Proxy fleet | +| `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | | EnvoyService defines the desired state of the Envoy service resource.
If unspecified, default settings for the managed Envoy service resource
are applied. | +| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. | +| `useListenerPortAsContainerPort` | _boolean_ | false | | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. | +| `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ | false | | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. | #### EnvoyProxyProvider @@ -1419,10 +1419,10 @@ EnvoyProxyProvider defines the desired state of a resource provider. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProviderType](#providertype)_ | true | Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
optional auxiliary control planes. Supported types are "Kubernetes". | -| `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | Kubernetes defines the desired state of the Kubernetes resource provider.
Kubernetes provides infrastructure resources for running the data plane,
e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
for managed Kubernetes resources are applied. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProviderType](#providertype)_ | true | | Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
optional auxiliary control planes. Supported types are "Kubernetes". | +| `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | | Kubernetes defines the desired state of the Kubernetes resource provider.
Kubernetes provides infrastructure resources for running the data plane,
e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
for managed Kubernetes resources are applied. | #### EnvoyProxySpec @@ -1434,21 +1434,21 @@ EnvoyProxySpec defines the desired state of EnvoyProxy. _Appears in:_ - [EnvoyProxy](#envoyproxy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | Provider defines the desired resource provider and provider-specific configuration.
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters. | -| `logging` | _[ProxyLogging](#proxylogging)_ | true | Logging defines logging parameters for managed proxies. | -| `telemetry` | _[ProxyTelemetry](#proxytelemetry)_ | false | Telemetry defines telemetry parameters for managed proxies. | -| `bootstrap` | _[ProxyBootstrap](#proxybootstrap)_ | false | Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
to learn more about the syntax.
If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
set by Envoy Gateway.
Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
Backward compatibility across minor versions is not guaranteed.
We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. | -| `concurrency` | _integer_ | false | Concurrency defines the number of worker threads to run. If unset, it defaults to
the number of cpuset threads on the platform. | -| `routingType` | _[RoutingType](#routingtype)_ | false | RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
or it can be set to "Endpoint" to use Endpoint routing. The default is "Endpoint". | -| `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | -| `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | -| `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | -| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | -| `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | -| `ipFamily` | _[IPFamily](#ipfamily)_ | false | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | -| `preserveRouteOrder` | _boolean_ | false | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | | Provider defines the desired resource provider and provider-specific configuration.
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters. | +| `logging` | _[ProxyLogging](#proxylogging)_ | true | \{ level:map[default:warn] \} | Logging defines logging parameters for managed proxies. | +| `telemetry` | _[ProxyTelemetry](#proxytelemetry)_ | false | | Telemetry defines telemetry parameters for managed proxies. | +| `bootstrap` | _[ProxyBootstrap](#proxybootstrap)_ | false | | Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
to learn more about the syntax.
If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
set by Envoy Gateway.
Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
Backward compatibility across minor versions is not guaranteed.
We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. | +| `concurrency` | _integer_ | false | | Concurrency defines the number of worker threads to run. If unset, it defaults to
the number of cpuset threads on the platform. | +| `routingType` | _[RoutingType](#routingtype)_ | false | | RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
or it can be set to "Endpoint" to use Endpoint routing. The default is "Endpoint". | +| `extraArgs` | _string array_ | false | | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | +| `mergeGateways` | _boolean_ | false | | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | +| `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | | Shutdown defines configuration for graceful envoy shutdown process. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | +| `ipFamily` | _[IPFamily](#ipfamily)_ | false | | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | +| `preserveRouteOrder` | _boolean_ | false | | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False | #### EnvoyProxyStatus @@ -1489,14 +1489,14 @@ ExtAuth defines the configuration for External Authorization. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | -| `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | -| `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | -| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | BodyToExtAuth defines the Body to Ext Auth configuration. | -| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | -| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | +| `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | +| `headersToExtAuth` | _string array_ | false | | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | +| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | | BodyToExtAuth defines the Body to Ext Auth configuration. | +| `failOpen` | _boolean_ | false | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | +| `recomputeRoute` | _boolean_ | false | | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | #### ExtProc @@ -1508,15 +1508,15 @@ ExtProc defines the configuration for External Processing filter. _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | -| `failOpen` | _boolean_ | false | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | -| `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | -| `metadata` | _[ExtProcMetadata](#extprocmetadata)_ | false | Refer to Kubernetes API documentation for fields of `metadata`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | +| `failOpen` | _boolean_ | false | | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | +| `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | +| `metadata` | _[ExtProcMetadata](#extprocmetadata)_ | false | | Refer to Kubernetes API documentation for fields of `metadata`. | #### ExtProcBodyProcessingMode @@ -1545,10 +1545,10 @@ external processor service _Appears in:_ - [ExtProc](#extproc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `accessibleNamespaces` | _string array_ | false | AccessibleNamespaces are metadata namespaces that are sent to the external processor as context | -| `writableNamespaces` | _string array_ | false | WritableNamespaces are metadata namespaces that the external processor can write to | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `accessibleNamespaces` | _string array_ | false | | AccessibleNamespaces are metadata namespaces that are sent to the external processor as context | +| `writableNamespaces` | _string array_ | false | | WritableNamespaces are metadata namespaces that the external processor can write to | #### ExtProcProcessingMode @@ -1561,10 +1561,10 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_p _Appears in:_ - [ExtProc](#extproc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `request` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for requests. If present, request headers are sent. Request body is processed according
to the specified mode. | -| `response` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for responses. If present, response headers are sent. Response body is processed according
to the specified mode. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `request` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | | Defines processing mode for requests. If present, request headers are sent. Request body is processed according
to the specified mode. | +| `response` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | | Defines processing mode for responses. If present, response headers are sent. Response body is processed according
to the specified mode. | #### ExtensionAPISettings @@ -1577,10 +1577,10 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enableEnvoyPatchPolicy` | _boolean_ | true | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. | -| `enableBackend` | _boolean_ | true | EnableBackend enables Envoy Gateway to
reconcile and implement the Backend resources. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enableEnvoyPatchPolicy` | _boolean_ | true | | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. | +| `enableBackend` | _boolean_ | true | | EnableBackend enables Envoy Gateway to
reconcile and implement the Backend resources. | #### ExtensionHooks @@ -1592,9 +1592,9 @@ ExtensionHooks defines extension hooks across all supported runners _Appears in:_ - [ExtensionManager](#extensionmanager) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `xdsTranslator` | _[XDSTranslatorHooks](#xdstranslatorhooks)_ | true | XDSTranslator defines all the supported extension hooks for the xds-translator runner | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `xdsTranslator` | _[XDSTranslatorHooks](#xdstranslatorhooks)_ | true | | XDSTranslator defines all the supported extension hooks for the xds-translator runner | #### ExtensionManager @@ -1608,13 +1608,13 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `resources` | _[GroupVersionKind](#groupversionkind) array_ | false | Resources defines the set of K8s resources the extension will handle as route
filter resources | -| `policyResources` | _[GroupVersionKind](#groupversionkind) array_ | false | PolicyResources defines the set of K8S resources the extension server will handle
as directly attached GatewayAPI policies | -| `hooks` | _[ExtensionHooks](#extensionhooks)_ | true | Hooks defines the set of hooks the extension supports | -| `service` | _[ExtensionService](#extensionservice)_ | true | Service defines the configuration of the extension service that the Envoy
Gateway Control Plane will call through extension hooks. | -| `failOpen` | _boolean_ | false | FailOpen defines if Envoy Gateway should ignore errors returned from the Extension Service hooks.
The default is false, which means Envoy Gateway will fail closed if the Extension Service returns an error.

Fail-close means that if the Extension Service hooks return an error, the relevant route/listener/resource
will be replaced with a default configuration returning Internal Server Error (HTTP 500).

Fail-open means that if the Extension Service hooks return an error, no changes will be applied to the
source of the configuration which was sent to the extension server. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `resources` | _[GroupVersionKind](#groupversionkind) array_ | false | | Resources defines the set of K8s resources the extension will handle as route
filter resources | +| `policyResources` | _[GroupVersionKind](#groupversionkind) array_ | false | | PolicyResources defines the set of K8S resources the extension server will handle
as directly attached GatewayAPI policies | +| `hooks` | _[ExtensionHooks](#extensionhooks)_ | true | | Hooks defines the set of hooks the extension supports | +| `service` | _[ExtensionService](#extensionservice)_ | true | | Service defines the configuration of the extension service that the Envoy
Gateway Control Plane will call through extension hooks. | +| `failOpen` | _boolean_ | false | | FailOpen defines if Envoy Gateway should ignore errors returned from the Extension Service hooks.
The default is false, which means Envoy Gateway will fail closed if the Extension Service returns an error.

Fail-close means that if the Extension Service hooks return an error, the relevant route/listener/resource
will be replaced with a default configuration returning Internal Server Error (HTTP 500).

Fail-open means that if the Extension Service hooks return an error, no changes will be applied to the
source of the configuration which was sent to the extension server. | #### ExtensionService @@ -1626,14 +1626,14 @@ ExtensionService defines the configuration for connecting to a registered extens _Appears in:_ - [ExtensionManager](#extensionmanager) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | -| `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -| `host` | _string_ | false | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | -| `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | -| `tls` | _[ExtensionTLS](#extensiontls)_ | false | TLS defines TLS configuration for communication between Envoy Gateway and
the extension service. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | | FQDN defines a FQDN endpoint | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | +| `unix` | _[UnixSocket](#unixsocket)_ | false | | Unix defines the unix domain socket endpoint | +| `host` | _string_ | false | | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | +| `port` | _integer_ | false | 80 | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | +| `tls` | _[ExtensionTLS](#extensiontls)_ | false | | TLS defines TLS configuration for communication between Envoy Gateway and
the extension service. | #### ExtensionTLS @@ -1645,9 +1645,9 @@ ExtensionTLS defines the TLS configuration when connecting to an extension servi _Appears in:_ - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.

CertificateRef can only reference a Kubernetes Secret at this time. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.

CertificateRef can only reference a Kubernetes Secret at this time. | #### FQDNEndpoint @@ -1661,10 +1661,10 @@ _Appears in:_ - [BackendEndpoint](#backendendpoint) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `hostname` | _string_ | true | Hostname defines the FQDN hostname of the backend endpoint. | -| `port` | _integer_ | true | Port defines the port of the backend endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `hostname` | _string_ | true | | Hostname defines the FQDN hostname of the backend endpoint. | +| `port` | _integer_ | true | | Port defines the port of the backend endpoint. | #### FaultInjection @@ -1677,10 +1677,10 @@ inject delays and abort requests to mimic failure scenarios such as service fail _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `delay` | _[FaultInjectionDelay](#faultinjectiondelay)_ | false | If specified, a delay will be injected into the request. | -| `abort` | _[FaultInjectionAbort](#faultinjectionabort)_ | false | If specified, the request will be aborted if it meets the configuration criteria. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `delay` | _[FaultInjectionDelay](#faultinjectiondelay)_ | false | | If specified, a delay will be injected into the request. | +| `abort` | _[FaultInjectionAbort](#faultinjectionabort)_ | false | | If specified, the request will be aborted if it meets the configuration criteria. | #### FaultInjectionAbort 
@@ -1692,11 +1692,11 @@ FaultInjectionAbort defines the abort fault injection configuration _Appears in:_ - [FaultInjection](#faultinjection) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `httpStatus` | _integer_ | false | StatusCode specifies the HTTP status code to be returned | -| `grpcStatus` | _integer_ | false | GrpcStatus specifies the GRPC status code to be returned | -| `percentage` | _float_ | false | Percentage specifies the percentage of requests to be aborted. Default 100%, if set 0, no requests will be aborted. Accuracy to 0.0001%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `httpStatus` | _integer_ | false | | StatusCode specifies the HTTP status code to be returned | +| `grpcStatus` | _integer_ | false | | GrpcStatus specifies the GRPC status code to be returned | +| `percentage` | _float_ | false | 100 | Percentage specifies the percentage of requests to be aborted. Default 100%, if set 0, no requests will be aborted. Accuracy to 0.0001%. | #### FaultInjectionDelay 
@@ -1708,10 +1708,10 @@ FaultInjectionDelay defines the delay fault injection configuration _Appears in:_ - [FaultInjection](#faultinjection) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `fixedDelay` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | FixedDelay specifies the fixed delay duration | -| `percentage` | _float_ | false | Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `fixedDelay` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | FixedDelay specifies the fixed delay duration | +| `percentage` | _float_ | false | 100 | Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. | #### FileEnvoyProxyAccessLog @@ -1723,9 +1723,9 @@ _Appears in:_ _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path defines the file path used to expose envoy access log(e.g. /dev/stdout). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path defines the file path used to expose envoy access log(e.g. /dev/stdout). | #### FilterPosition @@ -1737,11 +1737,11 @@ FilterPosition defines the position of an Envoy HTTP filter in the filter chain. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _[EnvoyFilter](#envoyfilter)_ | true | Name of the filter. | -| `before` | _[EnvoyFilter](#envoyfilter)_ | true | Before defines the filter that should come before the filter.
Only one of Before or After must be set. | -| `after` | _[EnvoyFilter](#envoyfilter)_ | true | After defines the filter that should come after the filter.
Only one of Before or After must be set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _[EnvoyFilter](#envoyfilter)_ | true | | Name of the filter. | +| `before` | _[EnvoyFilter](#envoyfilter)_ | true | | Before defines the filter that should come before the filter.
Only one of Before or After must be set. | +| `after` | _[EnvoyFilter](#envoyfilter)_ | true | | After defines the filter that should come after the filter.
Only one of Before or After must be set. | #### GRPCActiveHealthChecker @@ -1753,9 +1753,9 @@ GRPCActiveHealthChecker defines the settings of the GRPC health check. _Appears in:_ - [ActiveHealthCheck](#activehealthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `service` | _string_ | false | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `service` | _string_ | false | | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | #### GRPCExtAuthService @@ -1769,11 +1769,11 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth _Appears in:_ - [ExtAuth](#extauth) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | #### Gateway @@ -1786,9 +1786,9 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `controllerName` | _string_ | false | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `controllerName` | _string_ | false | | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | #### GlobalRateLimit @@ -1800,9 +1800,9 @@ GlobalRateLimit defines global rate limit configuration. _Appears in:_ - [RateLimitSpec](#ratelimitspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. | #### GroupVersionKind @@ -1815,11 +1815,11 @@ It can be converted to k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind _Appears in:_ - [ExtensionManager](#extensionmanager) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `group` | _string_ | true | | -| `version` | _string_ | true | | -| `kind` | _string_ | true | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `group` | _string_ | true | | | +| `version` | _string_ | true | | | +| `kind` | _string_ | true | | | #### GzipCompressor @@ -1844,9 +1844,9 @@ HTTP10Settings provides HTTP/1.0 configuration on the listener. _Appears in:_ - [HTTP1Settings](#http1settings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `useDefaultHost` | _boolean_ | false | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `useDefaultHost` | _boolean_ | false | | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. | #### HTTP1Settings @@ -1858,11 +1858,11 @@ HTTP1Settings provides HTTP/1 configuration on the listener. _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enableTrailers` | _boolean_ | false | EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy. | -| `preserveHeaderCase` | _boolean_ | false | PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers. | -| `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enableTrailers` | _boolean_ | false | | EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy. | +| `preserveHeaderCase` | _boolean_ | false | | PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers. | +| `http10` | _[HTTP10Settings](#http10settings)_ | false | | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | #### HTTP2Settings @@ -1876,12 +1876,12 @@ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | -| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | -| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | -| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | +| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | +| `maxConcurrentStreams` | _integer_ | false | | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -1904,12 +1904,12 @@ HTTPActiveHealthChecker defines the settings of http health check. _Appears in:_ - [ActiveHealthCheck](#activehealthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path defines the HTTP path that will be requested during health checking. | -| `method` | _string_ | false | Method defines the HTTP method used for health checking.
Defaults to GET | -| `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | ExpectedStatuses defines a list of HTTP response statuses considered healthy.
Defaults to 200 only | -| `expectedResponse` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | ExpectedResponse defines a list of HTTP expected responses to match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path defines the HTTP path that will be requested during health checking. | +| `method` | _string_ | false | | Method defines the HTTP method used for health checking.
Defaults to GET | +| `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | | ExpectedStatuses defines a list of HTTP response statuses considered healthy.
Defaults to 200 only | +| `expectedResponse` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | | ExpectedResponse defines a list of HTTP expected responses to match. | #### HTTPClientTimeout @@ -1921,10 +1921,10 @@ _Appears in:_ _Appears in:_ - [ClientTimeout](#clienttimeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `requestReceivedTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins. | -| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `requestReceivedTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins. | +| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | #### HTTPDirectResponseFilter @@ -1936,11 +1936,11 @@ HTTPDirectResponseFilter defines the configuration to return a fixed response. _Appears in:_ - [HTTPRouteFilterSpec](#httproutefilterspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Response | -| `statusCode` | _integer_ | false | Status Code of the HTTP response
If unset, defaults to 200. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `contentType` | _string_ | false | | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | | Body of the Response | +| `statusCode` | _integer_ | false | | Status Code of the HTTP response
If unset, defaults to 200. | #### HTTPExtAuthService @@ -1952,13 +1952,13 @@ HTTPExtAuthService defines the HTTP External Authorization service _Appears in:_ - [ExtAuth](#extauth) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | -| `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `path` | _string_ | true | | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | +| `headersToBackend` | _string array_ | false | | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | #### HTTPHostnameModifier @@ -1970,10 +1970,10 @@ _Appears in:_ _Appears in:_ - [HTTPURLRewriteFilter](#httpurlrewritefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | -| `header` | _string_ | false | Header is the name of the header whose value would be used to rewrite the Host header | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | | +| `header` | _string_ | false | | Header is the name of the header whose value would be used to rewrite the Host header | #### HTTPHostnameModifierType @@ -2000,10 +2000,10 @@ _Appears in:_ _Appears in:_ - [HTTPURLRewriteFilter](#httpurlrewritefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | -| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | #### HTTPPathModifierType @@ -2029,12 +2029,12 @@ traffic processing options such as path regex rewrite, direct response and more. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`HTTPRouteFilter` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | | Spec defines the desired state of HTTPRouteFilter. | #### HTTPRouteFilterSpec @@ -2046,10 +2046,10 @@ HTTPRouteFilterSpec defines the desired state of HTTPRouteFilter. _Appears in:_ - [HTTPRouteFilter](#httproutefilter) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | -| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | | +| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | | #### HTTPStatus 
@@ -2073,11 +2073,11 @@ _Appears in:_ _Appears in:_ - [Timeout](#timeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | -| `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | -| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestTimeout is the time until which entire response is received from the upstream. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +| `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The maximum duration of an HTTP connection.
Default: unlimited. | +| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | RequestTimeout is the time until which entire response is received from the upstream. | #### HTTPURLRewriteFilter @@ -2089,10 +2089,10 @@ HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and hos _Appears in:_ - [HTTPRouteFilterSpec](#httproutefilterspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | Hostname is the value to be used to replace the Host header value during
forwarding. | -| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | | Hostname is the value to be used to replace the Host header value during
forwarding. | +| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | | Path defines a path rewrite. | #### HTTPWasmCodeSource @@ -2104,10 +2104,10 @@ HTTPWasmCodeSource defines the HTTP URL containing the Wasm code. _Appears in:_ - [WasmCodeSource](#wasmcodesource) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `url` | _string_ | true | URL is the URL containing the Wasm code. | -| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the Wasm code.

If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `url` | _string_ | true | | URL is the URL containing the Wasm code. | +| `sha256` | _string_ | false | | SHA256 checksum that will be used to verify the Wasm code.

If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | #### Header @@ -2120,9 +2120,9 @@ load balancing. _Appears in:_ - [ConsistentHash](#consistenthash) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name of the header to hash. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name of the header to hash. | #### HeaderMatch @@ -2134,12 +2134,12 @@ HeaderMatch defines the match attributes within the HTTP Headers of the request. _Appears in:_ - [RateLimitSelectCondition](#ratelimitselectcondition) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Type specifies how to match against the value of the header. | -| `name` | _string_ | true | Name of the HTTP header. | -| `value` | _string_ | false | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | -| `invert` | _boolean_ | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Exact | Type specifies how to match against the value of the header. | +| `name` | _string_ | true | | Name of the HTTP header. | +| `value` | _string_ | false | | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| `invert` | _boolean_ | false | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | #### HeaderMatchType @@ -2168,14 +2168,14 @@ HeaderSettings provides configuration options for headers on the listener. _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enableEnvoyHeaders` | _boolean_ | false | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses. | -| `disableRateLimitHeaders` | _boolean_ | false | DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
when rate limiting is enabled. | -| `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | -| `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | -| `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | -| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enableEnvoyHeaders` | _boolean_ | false | | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses. | +| `disableRateLimitHeaders` | _boolean_ | false | | DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
when rate limiting is enabled. | +| `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | +| `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | +| `preserveXRequestID` | _boolean_ | false | | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | +| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | #### HealthCheck @@ -2195,10 +2195,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | -| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | | Active health check configuration | +| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | | Passive passive check configuration | #### HealthCheckSettings @@ -2210,9 +2210,9 @@ HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listene _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path specifies the HTTP path to match on for health check requests. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path specifies the HTTP path to match on for health check requests. | #### IPEndpoint @@ -2226,10 +2226,10 @@ _Appears in:_ - [BackendEndpoint](#backendendpoint) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `address` | _string_ | true | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | -| `port` | _integer_ | true | Port defines the port of the backend endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `address` | _string_ | true | | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | +| `port` | _integer_ | true | | Port defines the port of the backend endpoint. | #### IPFamily @@ -2272,11 +2272,11 @@ ImageWasmCodeSource defines the OCI image containing the Wasm code. _Appears in:_ - [WasmCodeSource](#wasmcodesource) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `url` | _string_ | true | URL is the URL of the OCI image.
URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`. | -| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the OCI image.

It must match the digest of the OCI image.

If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | -| `pullSecretRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | PullSecretRef is a reference to the secret containing the credentials to pull the image.
Only support Kubernetes Secret resource from the same namespace. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `url` | _string_ | true | | URL is the URL of the OCI image.
URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`. | +| `sha256` | _string_ | false | | SHA256 checksum that will be used to verify the OCI image.

It must match the digest of the OCI image.

If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | +| `pullSecretRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | | PullSecretRef is a reference to the secret containing the credentials to pull the image.
Only support Kubernetes Secret resource from the same namespace. | #### InfrastructureProviderType @@ -2319,13 +2319,13 @@ _Appears in:_ - [EnvoyJSONPatchConfig](#envoyjsonpatchconfig) - [ProxyBootstrap](#proxybootstrap) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | -| `path` | _string_ | false | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | -| `jsonPath` | _string_ | false | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | -| `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | -| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | | Op is the type of operation to perform | +| `path` | _string_ | false | | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | +| `jsonPath` | _string_ | false | | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | +| `from` | _string_ | false | | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | #### JSONPatchOperationType @@ -2348,10 +2348,10 @@ JWT defines the configuration for JSON Web Token (JWT) authentication. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `optional` | _boolean_ | true | Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented. | -| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `optional` | _boolean_ | true | | Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented. | +| `providers` | _[JWTProvider](#jwtprovider) array_ | true | | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | #### JWTClaim @@ -2363,11 +2363,11 @@ JWTClaim specifies a claim in a JWT token. _Appears in:_ - [JWTPrincipal](#jwtprincipal) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | -| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | -| `values` | _string array_ | true | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | +| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | String | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | +| `values` | _string array_ | true | | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | #### JWTClaimValueType @@ -2396,11 +2396,11 @@ If any value extracted is found to be an invalid JWT, a 401 error will be return _Appears in:_ - [JWTProvider](#jwtprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `headers` | _[JWTHeaderExtractor](#jwtheaderextractor) array_ | false | Headers represents a list of HTTP request headers to extract the JWT token from. | -| `cookies` | _string array_ | false | Cookies represents a list of cookie names to extract the JWT token from. | -| `params` | _string array_ | false | Params represents a list of query parameters to extract the JWT token from. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `headers` | _[JWTHeaderExtractor](#jwtheaderextractor) array_ | false | | Headers represents a list of HTTP request headers to extract the JWT token from. | +| `cookies` | _string array_ | false | | Cookies represents a list of cookie names to extract the JWT token from. | +| `params` | _string array_ | false | | Params represents a list of query parameters to extract the JWT token from. | #### JWTHeaderExtractor @@ -2412,10 +2412,10 @@ JWTHeaderExtractor defines an HTTP header location to extract JWT token _Appears in:_ - [JWTExtractor](#jwtextractor) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name is the HTTP header name to retrieve the token | -| `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name is the HTTP header name to retrieve the token | +| `valuePrefix` | _string_ | false | | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | #### JWTPrincipal @@ -2429,11 +2429,11 @@ Claims and scopes are And-ed together if both are specified. _Appears in:_ - [Principal](#principal) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | -| `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | -| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `provider` | _string_ | true | | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | +| `claims` | _[JWTClaim](#jwtclaim) array_ | false | | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | #### JWTProvider @@ -2445,15 +2445,15 @@ JWTProvider defines how a JSON Web Token (JWT) can be verified. _Appears in:_ - [JWT](#jwt) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name defines a unique name for the JWT provider. A name can have a variety of forms,
including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. | -| `issuer` | _string_ | false | Issuer is the principal that issued the JWT and takes the form of a URL or email address.
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
the JWT issuer is not checked. | -| `audiences` | _string array_ | false | Audiences is a list of JWT audiences allowed access. For additional details, see
https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
are not checked. | -| `remoteJWKS` | _[RemoteJWKS](#remotejwks)_ | true | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
HTTP/HTTPS endpoint. | -| `claimToHeaders` | _[ClaimToHeader](#claimtoheader) array_ | false | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
For examples, following config:
The claim must be of type; string, int, double, bool. Array type claims are not supported | -| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers generated from the claim are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | -| `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name defines a unique name for the JWT provider. A name can have a variety of forms,
including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. | +| `issuer` | _string_ | false | | Issuer is the principal that issued the JWT and takes the form of a URL or email address.
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
the JWT issuer is not checked. | +| `audiences` | _string array_ | false | | Audiences is a list of JWT audiences allowed access. For additional details, see
https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
are not checked. | +| `remoteJWKS` | _[RemoteJWKS](#remotejwks)_ | true | | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
HTTP/HTTPS endpoint. | +| `claimToHeaders` | _[ClaimToHeader](#claimtoheader) array_ | false | | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
For examples, following config:
The claim must be of type; string, int, double, bool. Array type claims are not supported | +| `recomputeRoute` | _boolean_ | false | | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers generated from the claim are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | +| `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | #### JWTScope @@ -2477,13 +2477,13 @@ _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) - [KubernetesDeploymentSpec](#kubernetesdeploymentspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `env` | _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#envvar-v1-core) array_ | false | List of environment variables to set in the container. | -| `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourcerequirements-v1-core)_ | false | Resources required by this container.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#securitycontext-v1-core)_ | false | SecurityContext defines the security options the container should be run with.
If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | -| `image` | _string_ | false | Image specifies the EnvoyProxy container image to be used, instead of the default image. | -| `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volumemount-v1-core) array_ | false | VolumeMounts are volumes to mount into the container's filesystem.
Cannot be updated. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `env` | _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#envvar-v1-core) array_ | false | | List of environment variables to set in the container. | +| `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourcerequirements-v1-core)_ | false | | Resources required by this container.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#securitycontext-v1-core)_ | false | | SecurityContext defines the security options the container should be run with.
If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| `image` | _string_ | false | | Image specifies the EnvoyProxy container image to be used, instead of the default image. | +| `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volumemount-v1-core) array_ | false | | VolumeMounts are volumes to mount into the container's filesystem.
Cannot be updated. | #### KubernetesDaemonSetSpec @@ -2495,13 +2495,13 @@ KubernetesDaemonSetSpec defines the desired state of the Kubernetes daemonset re _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to daemonset | -| `strategy` | _[DaemonSetUpdateStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#daemonsetupdatestrategy-v1-apps)_ | false | The daemonset strategy to use to replace existing pods with new ones. | -| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | Pod defines the desired specification of pod. | -| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. | -| `name` | _string_ | false | Name of the daemonSet.
When unset, this defaults to an autogenerated name. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to daemonset | +| `strategy` | _[DaemonSetUpdateStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#daemonsetupdatestrategy-v1-apps)_ | false | | The daemonset strategy to use to replace existing pods with new ones. | +| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | | Pod defines the desired specification of pod. | +| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | | Container defines the desired specification of main container. | +| `name` | _string_ | false | | Name of the daemonSet.
When unset, this defaults to an autogenerated name. | #### KubernetesDeployMode @@ -2514,9 +2514,9 @@ data plane fleet. _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[KubernetesDeployModeType](#kubernetesdeploymodetype)_ | false | Type indicates what deployment mode to use. "ControllerNamespace" and
"GatewayNamespace" are currently supported.
By default, when this field is unset or empty, Envoy Gateway will deploy Envoy Proxy fleet in the Controller namespace. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[KubernetesDeployModeType](#kubernetesdeploymodetype)_ | false | ControllerNamespace | Type indicates what deployment mode to use. "ControllerNamespace" and
"GatewayNamespace" are currently supported.
By default, when this field is unset or empty, Envoy Gateway will deploy Envoy Proxy fleet in the Controller namespace. | #### KubernetesDeployModeType @@ -2540,15 +2540,15 @@ _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to deployment | -| `replicas` | _integer_ | false | Replicas is the number of desired pods. Defaults to 1. | -| `strategy` | _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#deploymentstrategy-v1-apps)_ | false | The deployment strategy to use to replace existing pods with new ones. | -| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | Pod defines the desired specification of pod. | -| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. | -| `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#container-v1-core) array_ | false | List of initialization containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | -| `name` | _string_ | false | Name of the deployment.
When unset, this defaults to an autogenerated name. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to deployment | +| `replicas` | _integer_ | false | | Replicas is the number of desired pods. Defaults to 1. | +| `strategy` | _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#deploymentstrategy-v1-apps)_ | false | | The deployment strategy to use to replace existing pods with new ones. | +| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | | Pod defines the desired specification of pod. | +| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | | Container defines the desired specification of main container. | +| `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#container-v1-core) array_ | false | | List of initialization containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | +| `name` | _string_ | false | | Name of the deployment.
When unset, this defaults to an autogenerated name. | #### KubernetesHorizontalPodAutoscalerSpec @@ -2564,13 +2564,13 @@ _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `minReplicas` | _integer_ | false | minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 replica. | -| `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | -| `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | -| `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the HorizontalPodAutoscaler | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `minReplicas` | _integer_ | false | | minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 replica. | +| `maxReplicas` | _integer_ | true | | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | +| `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#metricspec-v2-autoscaling) array_ | false | | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | +| `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to the HorizontalPodAutoscaler | #### KubernetesPatchSpec @@ -2588,10 +2588,10 @@ _Appears in:_ - [KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec) - [KubernetesServiceSpec](#kubernetesservicespec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[MergeType](#mergetype)_ | false | Type is the type of merge operation to perform

By default, StrategicMerge is used as the patch type. | -| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | true | Object contains the raw configuration for merged object | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[MergeType](#mergetype)_ | false | | Type is the type of merge operation to perform

By default, StrategicMerge is used as the patch type. | +| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | true | | Object contains the raw configuration for merged object | #### KubernetesPodDisruptionBudgetSpec @@ -2603,10 +2603,10 @@ KubernetesPodDisruptionBudgetSpec defines Kubernetes PodDisruptionBudget setting _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `minAvailable` | _integer_ | false | MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
and resilience during maintenance operations. | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the PodDisruptionBudget | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `minAvailable` | _integer_ | false | | MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
and resilience during maintenance operations. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to the PodDisruptionBudget | #### KubernetesPodSpec @@ -2619,17 +2619,17 @@ _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) - [KubernetesDeploymentSpec](#kubernetesdeploymentspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `annotations` | _object (keys:string, values:string)_ | false | Annotations are the annotations that should be appended to the pods.
By default, no pod annotations are appended. | -| `labels` | _object (keys:string, values:string)_ | false | Labels are the additional labels that should be tagged to the pods.
By default, no additional pod labels are tagged. | -| `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podsecuritycontext-v1-core)_ | false | SecurityContext holds pod-level security attributes and common container settings.
Optional: Defaults to empty. See type description for default values of each field. | -| `affinity` | _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#affinity-v1-core)_ | false | If specified, the pod's scheduling constraints. | -| `tolerations` | _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#toleration-v1-core) array_ | false | If specified, the pod's tolerations. | -| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volume-v1-core) array_ | false | Volumes that can be mounted by containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes | -| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#localobjectreference-v1-core) array_ | false | ImagePullSecrets is an optional list of references to secrets
in the same namespace to use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual puller implementations for them to use.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod | -| `nodeSelector` | _object (keys:string, values:string)_ | false | NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | -| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ | false | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `annotations` | _object (keys:string, values:string)_ | false | | Annotations are the annotations that should be appended to the pods.
By default, no pod annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | | Labels are the additional labels that should be tagged to the pods.
By default, no additional pod labels are tagged. | +| `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podsecuritycontext-v1-core)_ | false | | SecurityContext holds pod-level security attributes and common container settings.
Optional: Defaults to empty. See type description for default values of each field. | +| `affinity` | _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#affinity-v1-core)_ | false | | If specified, the pod's scheduling constraints. | +| `tolerations` | _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#toleration-v1-core) array_ | false | | If specified, the pod's tolerations. | +| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volume-v1-core) array_ | false | | Volumes that can be mounted by containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes | +| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#localobjectreference-v1-core) array_ | false | | ImagePullSecrets is an optional list of references to secrets
in the same namespace to use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual puller implementations for them to use.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod | +| `nodeSelector` | _object (keys:string, values:string)_ | false | | NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ | false | | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. | #### KubernetesServiceSpec @@ -2641,18 +2641,18 @@ KubernetesServiceSpec defines the desired state of the Kubernetes service resour _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. | -| `labels` | _object (keys:string, values:string)_ | false | Labels that should be appended to the service.
By default, no labels are appended. | -| `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | -| `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | -| `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | -| `loadBalancerSourceRanges` | _string array_ | false | LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
firewall rules on the platform providers load balancer. This is not guaranteed to be working as
it happens outside of kubernetes and has to be supported and handled by the platform provider.
This field may only be set for services with type LoadBalancer and will be cleared if the type
is changed to any other type. | -| `loadBalancerIP` | _string_ | false | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
may be ignored if the load balancer provider does not support this feature.
This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
providers such as GCP. | -| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. | -| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the service | -| `name` | _string_ | false | Name of the service.
When unset, this defaults to an autogenerated name. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `annotations` | _object (keys:string, values:string)_ | false | | Annotations that should be appended to the service.
By default, no annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | | Labels that should be appended to the service.
By default, no labels are appended. | +| `type` | _[ServiceType](#servicetype)_ | false | LoadBalancer | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | +| `loadBalancerClass` | _string_ | false | | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | +| `allocateLoadBalancerNodePorts` | _boolean_ | false | | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | +| `loadBalancerSourceRanges` | _string array_ | false | | LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
firewall rules on the platform providers load balancer. This is not guaranteed to be working as
it happens outside of kubernetes and has to be supported and handled by the platform provider.
This field may only be set for services with type LoadBalancer and will be cleared if the type
is changed to any other type. | +| `loadBalancerIP` | _string_ | false | | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
may be ignored if the load balancer provider does not support this feature.
This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
providers such as GCP. | +| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | Local | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | | Patch defines how to perform the patch operation to the service | +| `name` | _string_ | false | | Name of the service.
When unset, this defaults to an autogenerated name. | #### KubernetesWatchMode @@ -2664,11 +2664,11 @@ KubernetesWatchMode holds the configuration for which input resources to watch a _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
KubernetesWatchModeTypeNamespaceSelector are currently supported
By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
from all namespaces. | -| `namespaces` | _string array_ | true | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
resources such as Gateway, HTTPRoute and Service.
Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. | -| `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#labelselector-v1-meta)_ | true | NamespaceSelector holds the label selector used to dynamically select namespaces.
Envoy Gateway will watch for namespaces matching the specified label selector.
Precisely one of Namespaces and NamespaceSelector must be set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
KubernetesWatchModeTypeNamespaceSelector are currently supported
By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
from all namespaces. | +| `namespaces` | _string array_ | true | | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
resources such as Gateway, HTTPRoute and Service.
Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. | +| `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#labelselector-v1-meta)_ | true | | NamespaceSelector holds the label selector used to dynamically select namespaces.
Envoy Gateway will watch for namespaces matching the specified label selector.
Precisely one of Namespaces and NamespaceSelector must be set. | #### KubernetesWatchModeType @@ -2691,12 +2691,12 @@ LeaderElection defines the desired leader election settings. _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `leaseDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. | -| `renewDeadline` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. | -| `retryPeriod` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | -| `disable` | _boolean_ | true | Disable provides the option to turn off leader election, which is enabled by default. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `leaseDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. | +| `renewDeadline` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. | +| `retryPeriod` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | +| `disable` | _boolean_ | true | | Disable provides the option to turn off leader election, which is enabled by default. | #### LiteralCustomTag @@ -2708,9 +2708,9 @@ LiteralCustomTag adds hard-coded value to each span. _Appears in:_ - [CustomTag](#customtag) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `value` | _string_ | true | Value defines the hard-coded value to add to each span. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `value` | _string_ | true | | Value defines the hard-coded value to add to each span. | #### LoadBalancer @@ -2723,11 +2723,11 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | -| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | -| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | +| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | +| `slowStart` | _[SlowStart](#slowstart)_ | false | | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2756,9 +2756,9 @@ LocalRateLimit defines local rate limit configuration. _Appears in:_ - [RateLimitSpec](#ratelimitspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. | #### LogLevel @@ -2789,11 +2789,11 @@ Only one of Inline or ValueRef must be set _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[LuaValueType](#luavaluetype)_ | true | Type is the type of method to use to read the Lua value.
Valid values are Inline and ValueRef, default is Inline. | -| `inline` | _string_ | false | Inline contains the source code as an inline string. | -| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef has the source code specified as a local object reference.
Only a reference to ConfigMap is supported.
The value of key `lua` in the ConfigMap will be used.
If the key is not found, the first value in the ConfigMap will be used. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[LuaValueType](#luavaluetype)_ | true | Inline | Type is the type of method to use to read the Lua value.
Valid values are Inline and ValueRef, default is Inline. | +| `inline` | _string_ | false | | Inline contains the source code as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | | ValueRef has the source code specified as a local object reference.
Only a reference to ConfigMap is supported.
The value of key `lua` in the ConfigMap will be used.
If the key is not found, the first value in the ConfigMap will be used. | #### LuaValueType @@ -2850,21 +2850,21 @@ OIDC defines the configuration for the OpenID Connect (OIDC) authentication. _Appears in:_ - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `provider` | _[OIDCProvider](#oidcprovider)_ | true | The OIDC Provider configuration. | -| `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | -| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | -| `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | -| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | -| `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | -| `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | -| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | -| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.

If not specified, uses a default logout path "/logout" | -| `forwardAccessToken` | _boolean_ | false | ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false. | -| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.

If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail. | -| `refreshToken` | _boolean_ | false | RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.

If not specified, defaults to false. | -| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.

If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `provider` | _[OIDCProvider](#oidcprovider)_ | true | | The OIDC Provider configuration. | +| `clientID` | _string_ | true | | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | +| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | +| `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | +| `cookieDomain` | _string_ | false | | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | +| `scopes` | _string array_ | false | | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | +| `resources` | _string array_ | false | | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | +| `redirectURL` | _string_ | true | | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | +| `logoutPath` | _string_ | true | | The path to log a user out, clearing their credential cookies.

If not specified, uses a default logout path "/logout" | +| `forwardAccessToken` | _boolean_ | false | | ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false. | +| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.

If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail. | +| `refreshToken` | _boolean_ | false | | RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.

If not specified, defaults to false. | +| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.

If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true. | #### OIDCCookieNames @@ -2876,10 +2876,10 @@ OIDCCookieNames defines the names of cookies to use in the Envoy OIDC filter. _Appears in:_ - [OIDC](#oidc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `accessToken` | _string_ | false | The name of the cookie used to store the AccessToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "AccessToken-(randomly generated uid)" | -| `idToken` | _string_ | false | The name of the cookie used to store the IdToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "IdToken-(randomly generated uid)" | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `accessToken` | _string_ | false | | The name of the cookie used to store the AccessToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "AccessToken-(randomly generated uid)" | +| `idToken` | _string_ | false | | The name of the cookie used to store the IdToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "IdToken-(randomly generated uid)" | #### OIDCProvider @@ -2891,14 +2891,14 @@ OIDCProvider defines the OIDC Provider configuration. _Appears in:_ - [OIDC](#oidc) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | -| `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | -| `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `issuer` | _string_ | true | | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | +| `authorizationEndpoint` | _string_ | false | | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | +| `tokenEndpoint` | _string_ | false | | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | #### OpenTelemetryEnvoyProxyAccessLog @@ -2910,14 +2910,14 @@ OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink. _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | -| `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | -| `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `host` | _string_ | false | | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | 4317 | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | +| `resources` | _object (keys:string, values:string)_ | false | | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | #### Origin @@ -2954,15 +2954,15 @@ see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/out _Appears in:_ - [HealthCheck](#healthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `splitExternalLocalOriginErrors` | _boolean_ | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. | -| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Interval defines the time between passive health checks. | -| `consecutiveLocalOriginFailures` | _integer_ | false | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. | -| `consecutiveGatewayErrors` | _integer_ | false | ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection. | -| `consecutive5XxErrors` | _integer_ | false | Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection. | -| `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | -| `maxEjectionPercent` | _integer_ | false | MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `splitExternalLocalOriginErrors` | _boolean_ | false | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. | +| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 3s | Interval defines the time between passive health checks. | +| `consecutiveLocalOriginFailures` | _integer_ | false | 5 | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. | +| `consecutiveGatewayErrors` | _integer_ | false | 0 | ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection. | +| `consecutive5XxErrors` | _integer_ | false | 5 | Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection. | +| `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 30s | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | +| `maxEjectionPercent` | _integer_ | false | 10 | MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. | #### PathEscapedSlashAction @@ -2992,10 +2992,10 @@ PathSettings provides settings that managing how the incoming path set by client _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect. | -| `disableMergeSlashes` | _boolean_ | false | DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect. | +| `disableMergeSlashes` | _boolean_ | false | | DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience. | #### PerRetryPolicy @@ -3007,10 +3007,10 @@ _Appears in:_ _Appears in:_ - [Retry](#retry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout is the timeout per retry attempt. | -| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | Timeout is the timeout per retry attempt. | +| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | #### PolicyTargetReferences @@ -3025,11 +3025,11 @@ _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | #### Principal @@ -3041,10 +3041,10 @@ If there are multiple principal types, all principals must match for the rule to _Appears in:_ - [AuthorizationRule](#authorizationrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | -| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientCIDRs` | _[CIDR](#cidr) array_ | false | | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | #### ProcessingModeOptions @@ -3057,10 +3057,10 @@ and which attributes are sent to the processor _Appears in:_ - [ExtProcProcessingMode](#extprocprocessingmode) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | -| `attributes` | _string array_ | false | Defines which attributes are sent to the external processor. Envoy Gateway currently
supports only the following attribute prefixes: connection, source, destination,
request, response, upstream and xds.route.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | | Defines body processing mode | +| `attributes` | _string array_ | false | | Defines which attributes are sent to the external processor. Envoy Gateway currently
supports only the following attribute prefixes: connection, source, destination,
request, response, upstream and xds.route.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes | #### ProviderType @@ -3088,10 +3088,10 @@ _Appears in:_ _Appears in:_ - [ProxyTelemetry](#proxytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable disables access logging for managed proxies if set to true. | -| `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | Settings defines accesslog settings for managed proxies.
If unspecified, will send default format to stdout. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable disables access logging for managed proxies if set to true. | +| `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | | Settings defines accesslog settings for managed proxies.
If unspecified, will send default format to stdout. | #### ProxyAccessLogFormat @@ -3104,11 +3104,11 @@ By default accesslogs are written to standard output. _Appears in:_ - [ProxyAccessLogSetting](#proxyaccesslogsetting) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProxyAccessLogFormatType](#proxyaccesslogformattype)_ | true | Type defines the type of accesslog format. | -| `text` | _string_ | false | Text defines the text accesslog format, following Envoy accesslog formatting,
It's required when the format type is "Text".
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. | -| `json` | _object (keys:string, values:string)_ | false | JSON is additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON". | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProxyAccessLogFormatType](#proxyaccesslogformattype)_ | true | | Type defines the type of accesslog format. | +| `text` | _string_ | false | | Text defines the text accesslog format, following Envoy accesslog formatting,
It's required when the format type is "Text".
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. | +| `json` | _object (keys:string, values:string)_ | false | | JSON is additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON". | #### ProxyAccessLogFormatType @@ -3135,12 +3135,12 @@ _Appears in:_ _Appears in:_ - [ProxyAccessLog](#proxyaccesslog) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | -| `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | -| `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | -| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | +| `matches` | _string array_ | true | | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | +| `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | | Sinks defines the sinks of accesslog. | +| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | #### ProxyAccessLogSink @@ -3152,12 +3152,12 @@ ProxyAccessLogSink defines the sink of accesslog. _Appears in:_ - [ProxyAccessLogSetting](#proxyaccesslogsetting) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ProxyAccessLogSinkType](#proxyaccesslogsinktype)_ | true | Type defines the type of accesslog sink. | -| `als` | _[ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog)_ | false | ALS defines the gRPC Access Log Service (ALS) sink. | -| `file` | _[FileEnvoyProxyAccessLog](#fileenvoyproxyaccesslog)_ | false | File defines the file accesslog sink. | -| `openTelemetry` | _[OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog)_ | false | OpenTelemetry defines the OpenTelemetry accesslog sink. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[ProxyAccessLogSinkType](#proxyaccesslogsinktype)_ | true | | Type defines the type of accesslog sink. | +| `als` | _[ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog)_ | false | | ALS defines the gRPC Access Log Service (ALS) sink. | +| `file` | _[FileEnvoyProxyAccessLog](#fileenvoyproxyaccesslog)_ | false | | File defines the file accesslog sink. | +| `openTelemetry` | _[OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog)_ | false | | OpenTelemetry defines the OpenTelemetry accesslog sink. | #### ProxyAccessLogSinkType @@ -3200,11 +3200,11 @@ ProxyBootstrap defines Envoy Bootstrap configuration. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | -| `value` | _string_ | false | Value is a YAML string of the bootstrap. | -| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[BootstrapType](#bootstraptype)_ | false | Replace | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | +| `value` | _string_ | false | | Value is a YAML string of the bootstrap. | +| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | #### ProxyLogComponent @@ -3239,9 +3239,9 @@ ProxyLogging defines logging parameters for managed proxies. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | \{ default:warn \} | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". | #### ProxyMetricSink @@ -3254,10 +3254,10 @@ Default metrics sink is OpenTelemetry. _Appears in:_ - [ProxyMetrics](#proxymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG currently only supports OpenTelemetry. | -| `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[MetricSinkType](#metricsinktype)_ | true | OpenTelemetry | Type defines the metric sink type.
EG currently only supports OpenTelemetry. | +| `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | #### ProxyMetrics @@ -3269,14 +3269,14 @@ _Appears in:_ _Appears in:_ - [ProxyTelemetry](#proxytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | -| `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | -| `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | -| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | -| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | -| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | +| `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | | Sinks defines the metric sinks where metrics are sent to. | +| `matches` | _[StringMatch](#stringmatch) array_ | true | | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | +| `enableVirtualHostStats` | _boolean_ | false | | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | #### ProxyOpenTelemetrySink @@ -3288,13 +3288,13 @@ ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink. _Appears in:_ - [ProxyMetricSink](#proxymetricsink) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | -| `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `host` | _string_ | false | | Host define the service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | 4317 | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | #### ProxyPrometheusProvider @@ -3306,10 +3306,10 @@ _Appears in:_ _Appears in:_ - [ProxyMetrics](#proxymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | -| `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable the Prometheus endpoint. | +| `compression` | _[Compression](#compression)_ | false | | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | #### ProxyProtocol @@ -3323,9 +3323,9 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3352,11 +3352,11 @@ _Appears in:_ _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | AccessLogs defines accesslog parameters for managed proxies.
If unspecified, will send default format to stdout. | -| `tracing` | _[ProxyTracing](#proxytracing)_ | false | Tracing defines tracing configuration for managed proxies.
If unspecified, will not send tracing data. | -| `metrics` | _[ProxyMetrics](#proxymetrics)_ | true | Metrics defines metrics configuration for managed proxies. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | | AccessLogs defines accesslog parameters for managed proxies.
If unspecified, will send default format to stdout. | +| `tracing` | _[ProxyTracing](#proxytracing)_ | false | | Tracing defines tracing configuration for managed proxies.
If unspecified, will not send tracing data. | +| `metrics` | _[ProxyMetrics](#proxymetrics)_ | true | | Metrics defines metrics configuration for managed proxies. | #### ProxyTracing @@ -3368,11 +3368,11 @@ _Appears in:_ _Appears in:_ - [ProxyTelemetry](#proxytelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | -| `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | CustomTags defines the custom tags to add to each span.
If provider is kubernetes, pod name and namespace are added by default. | -| `provider` | _[TracingProvider](#tracingprovider)_ | true | Provider defines the tracing provider. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `samplingRate` | _integer_ | false | 100 | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | +| `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | | CustomTags defines the custom tags to add to each span.
If provider is kubernetes, pod name and namespace are added by default. | +| `provider` | _[TracingProvider](#tracingprovider)_ | true | | Provider defines the tracing provider. | #### RateLimit @@ -3386,12 +3386,12 @@ _Appears in:_ - [EnvoyGateway](#envoygateway) - [EnvoyGatewaySpec](#envoygatewayspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | -| `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. | -| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | Telemetry defines telemetry configuration for RateLimit. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | +| `failClosed` | _boolean_ | true | | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. | +| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | | Telemetry defines telemetry configuration for RateLimit. | #### RateLimitCost @@ -3403,8 +3403,8 @@ _Appears in:_ _Appears in:_ - [RateLimitRule](#ratelimitrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | #### RateLimitCostFrom @@ -3432,10 +3432,10 @@ RateLimitCostMetadata specifies the filter metadata to retrieve the usage number _Appears in:_ - [RateLimitCostSpecifier](#ratelimitcostspecifier) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `namespace` | _string_ | true | Namespace is the namespace of the dynamic metadata. | -| `key` | _string_ | true | Key is the key to retrieve the usage number from the filter metadata. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `namespace` | _string_ | true | | Namespace is the namespace of the dynamic metadata. | +| `key` | _string_ | true | | Key is the key to retrieve the usage number from the filter metadata. | #### RateLimitCostSpecifier @@ -3447,9 +3447,9 @@ RateLimitCostSpecifier specifies where the Envoy retrieves the number to reduce _Appears in:_ - [RateLimitCost](#ratelimitcost) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `from` | _[RateLimitCostFrom](#ratelimitcostfrom)_ | true | From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `from` | _[RateLimitCostFrom](#ratelimitcostfrom)_ | true | | From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported. | #### RateLimitDatabaseBackend 
@@ -3462,10 +3462,10 @@ the database backend used by the rate limit service. _Appears in:_ - [RateLimit](#ratelimit) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | Type is the type of database backend to use. Supported types are:
* Redis: Connects to a Redis database. | -| `redis` | _[RateLimitRedisSettings](#ratelimitredissettings)_ | false | Redis defines the settings needed to connect to a Redis database. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | | Type is the type of database backend to use. Supported types are:
* Redis: Connects to a Redis database. | +| `redis` | _[RateLimitRedisSettings](#ratelimitredissettings)_ | false | | Redis defines the settings needed to connect to a Redis database. | #### RateLimitDatabaseBackendType @@ -3492,9 +3492,9 @@ _Appears in:_ _Appears in:_ - [RateLimitTelemetry](#ratelimittelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | | Prometheus defines the configuration for prometheus endpoint. | #### RateLimitMetricsPrometheusProvider @@ -3506,9 +3506,9 @@ _Appears in:_ _Appears in:_ - [RateLimitMetrics](#ratelimitmetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `disable` | _boolean_ | true | | Disable the Prometheus endpoint. | #### RateLimitRedisSettings @@ -3520,10 +3520,10 @@ RateLimitRedisSettings defines the configuration for connecting to redis databas _Appears in:_ - [RateLimitDatabaseBackend](#ratelimitdatabasebackend) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `url` | _string_ | true | URL of the Redis Database. | -| `tls` | _[RedisTLSSettings](#redistlssettings)_ | false | TLS defines TLS configuration for connecting to redis database. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `url` | _string_ | true | | URL of the Redis Database. | +| `tls` | _[RedisTLSSettings](#redistlssettings)_ | false | | TLS defines TLS configuration for connecting to redis database. | #### RateLimitRule 
@@ -3537,10 +3537,10 @@ _Appears in:_ - [GlobalRateLimit](#globalratelimit) - [LocalRateLimit](#localratelimit) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | ClientSelectors holds the list of select conditions to select
specific clients using attributes from the traffic flow.
All individual select conditions must hold True for this rule
and its limit to be applied.

If no client selectors are specified, the rule applies to all traffic of
the targeted Route.

If the policy targets a Gateway, the rule applies to each Route of the Gateway.
Please note that each Route has its own rate limit counters. For example,
if a Gateway has two Routes, and the policy has a rule with limit 10rps,
each Route will have its own 10rps limit. | -| `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | Limit holds the rate limit values.
This limit is applied for traffic flows when the selectors
compute to True, causing the request to be counted towards the limit.
The limit is enforced and the request is ratelimited, i.e. a response with
429 HTTP status code is sent back to the client when
the selected requests have reached the limit. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | | ClientSelectors holds the list of select conditions to select
specific clients using attributes from the traffic flow.
All individual select conditions must hold True for this rule
and its limit to be applied.

If no client selectors are specified, the rule applies to all traffic of
the targeted Route.

If the policy targets a Gateway, the rule applies to each Route of the Gateway.
Please note that each Route has its own rate limit counters. For example,
if a Gateway has two Routes, and the policy has a rule with limit 10rps,
each Route will have its own 10rps limit. | +| `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | | Limit holds the rate limit values.
This limit is applied for traffic flows when the selectors
compute to True, causing the request to be counted towards the limit.
The limit is enforced and the request is ratelimited, i.e. a response with
429 HTTP status code is sent back to the client when
the selected requests have reached the limit. | #### RateLimitSelectCondition @@ -3554,10 +3554,10 @@ All the individual conditions must hold True for the overall condition to hold T _Appears in:_ - [RateLimitRule](#ratelimitrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `headers` | _[HeaderMatch](#headermatch) array_ | false | Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
At least one of headers or sourceCIDR condition must be specified. | -| `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | SourceCIDR is the client IP Address range to match on.
At least one of headers or sourceCIDR condition must be specified. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `headers` | _[HeaderMatch](#headermatch) array_ | false | | Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
At least one of headers or sourceCIDR condition must be specified. | +| `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | | SourceCIDR is the client IP Address range to match on.
At least one of headers or sourceCIDR condition must be specified. | #### RateLimitSpec @@ -3569,11 +3569,11 @@ RateLimitSpec defines the desired state of RateLimitSpec. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[RateLimitType](#ratelimittype)_ | true | Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local". | -| `global` | _[GlobalRateLimit](#globalratelimit)_ | false | Global defines global rate limit configuration. | -| `local` | _[LocalRateLimit](#localratelimit)_ | false | Local defines local rate limit configuration. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[RateLimitType](#ratelimittype)_ | true | | Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local". | +| `global` | _[GlobalRateLimit](#globalratelimit)_ | false | | Global defines global rate limit configuration. | +| `local` | _[LocalRateLimit](#localratelimit)_ | false | | Local defines local rate limit configuration. | #### RateLimitTelemetry @@ -3585,10 +3585,10 @@ _Appears in:_ _Appears in:_ - [RateLimit](#ratelimit) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | Metrics defines metrics configuration for RateLimit. | -| `tracing` | _[RateLimitTracing](#ratelimittracing)_ | true | Tracing defines traces configuration for RateLimit. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | | Metrics defines metrics configuration for RateLimit. | +| `tracing` | _[RateLimitTracing](#ratelimittracing)_ | true | | Tracing defines traces configuration for RateLimit. | #### RateLimitTracing @@ -3600,10 +3600,10 @@ _Appears in:_ _Appears in:_ - [RateLimitTelemetry](#ratelimittelemetry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | -| `provider` | _[RateLimitTracingProvider](#ratelimittracingprovider)_ | true | Provider defines the rateLimit tracing provider.
Only OpenTelemetry is supported currently. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `samplingRate` | _integer_ | false | | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | +| `provider` | _[RateLimitTracingProvider](#ratelimittracingprovider)_ | true | | Provider defines the rateLimit tracing provider.
Only OpenTelemetry is supported currently. | #### RateLimitTracingProvider @@ -3615,10 +3615,10 @@ RateLimitTracingProvider defines the tracing provider configuration of RateLimit _Appears in:_ - [RateLimitTracing](#ratelimittracing) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[RateLimitTracingProviderType](#ratelimittracingprovidertype)_ | true | Type defines the tracing provider type.
Since to RateLimit Exporter currently using OpenTelemetry, only OpenTelemetry is supported | -| `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[RateLimitTracingProviderType](#ratelimittracingprovidertype)_ | true | | Type defines the tracing provider type.
Since to RateLimit Exporter currently using OpenTelemetry, only OpenTelemetry is supported | +| `url` | _string_ | true | | URL is the endpoint of the trace collector that supports the OTLP protocol | #### RateLimitTracingProviderType @@ -3674,10 +3674,10 @@ RateLimitValue defines the limits for rate limiting. _Appears in:_ - [RateLimitRule](#ratelimitrule) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `requests` | _integer_ | true | | -| `unit` | _[RateLimitUnit](#ratelimitunit)_ | true | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `requests` | _integer_ | true | | | +| `unit` | _[RateLimitUnit](#ratelimitunit)_ | true | | | #### RedisTLSSettings @@ -3689,9 +3689,9 @@ RedisTLSSettings defines the TLS configuration for connecting to redis database. _Appears in:_ - [RateLimitRedisSettings](#ratelimitredissettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. | #### RemoteJWKS @@ -3704,9 +3704,9 @@ HTTP/HTTPS endpoint. _Appears in:_ - [JWTProvider](#jwtprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `uri` | _string_ | true | | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | #### ReplaceRegexMatch @@ -3718,10 +3718,10 @@ _Appears in:_ _Appears in:_ - [HTTPPathModifier](#httppathmodifier) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `pattern` | _string_ | true | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | -| `substitution` | _string_ | true | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `pattern` | _string_ | true | | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | +| `substitution` | _string_ | true | | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | #### RequestHeaderCustomTag @@ -3733,10 +3733,10 @@ RequestHeaderCustomTag adds value from request header to each span. _Appears in:_ - [CustomTag](#customtag) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | true | Name defines the name of the request header which to extract the value from. | -| `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the request header is not set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | true | | Name defines the name of the request header which to extract the value from. | +| `defaultValue` | _string_ | false | | DefaultValue defines the default value to use if the request header is not set. | #### ResourceProviderType @@ -3762,10 +3762,10 @@ ResponseOverride defines the configuration to override specific responses with a _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | -| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | | Response configuration. | #### ResponseValueType 
@@ -3793,11 +3793,11 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | -| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | -| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `numRetries` | _integer_ | false | 2 | NumRetries is the number of retries to be attempted. Defaults to 2. | +| `retryOn` | _[RetryOn](#retryon)_ | false | | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | +| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn @@ -3809,10 +3809,10 @@ _Appears in:_ _Appears in:_ - [Retry](#retry) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `triggers` | _[TriggerEnum](#triggerenum) array_ | false | Triggers specifies the retry trigger condition(Http/Grpc). | -| `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `triggers` | _[TriggerEnum](#triggerenum) array_ | false | | Triggers specifies the retry trigger condition(Http/Grpc). | +| `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. | #### RoutingType @@ -3839,13 +3839,13 @@ Gateway. -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | | `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` | `kind` | _string_ | |`SecurityPolicy` -| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `spec` | _[SecurityPolicySpec](#securitypolicyspec)_ | true | Spec defines the desired state of SecurityPolicy. | -| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[SecurityPolicySpec](#securitypolicyspec)_ | true | | Spec defines the desired state of SecurityPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | | Status defines the current status of SecurityPolicy. | #### SecurityPolicySpec @@ -3857,17 +3857,17 @@ SecurityPolicySpec defines the desired state of SecurityPolicy. _Appears in:_ - [SecurityPolicy](#securitypolicy) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | -| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | -| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `cors` | _[CORS](#cors)_ | false | CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | -| `basicAuth` | _[BasicAuth](#basicauth)_ | false | BasicAuth defines the configuration for the HTTP Basic Authentication. | -| `jwt` | _[JWT](#jwt)_ | false | JWT defines the configuration for JSON Web Token (JWT) authentication. | -| `oidc` | _[OIDC](#oidc)_ | false | OIDC defines the configuration for the OpenID Connect (OIDC) authentication. | -| `extAuth` | _[ExtAuth](#extauth)_ | false | ExtAuth defines the configuration for External Authorization. | -| `authorization` | _[Authorization](#authorization)_ | false | Authorization defines the authorization configuration. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | | TargetSelectors allow targeting resources for this policy based on labels | +| `cors` | _[CORS](#cors)_ | false | | CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | +| `basicAuth` | _[BasicAuth](#basicauth)_ | false | | BasicAuth defines the configuration for the HTTP Basic Authentication. | +| `jwt` | _[JWT](#jwt)_ | false | | JWT defines the configuration for JSON Web Token (JWT) authentication. | +| `oidc` | _[OIDC](#oidc)_ | false | | OIDC defines the configuration for the OpenID Connect (OIDC) authentication. | +| `extAuth` | _[ExtAuth](#extauth)_ | false | | ExtAuth defines the configuration for External Authorization. | +| `authorization` | _[Authorization](#authorization)_ | false | | Authorization defines the authorization configuration. | #### ServiceExternalTrafficPolicy @@ -3912,9 +3912,9 @@ Session defines settings related to TLS session management. _Appears in:_ - [ClientTLSSettings](#clienttlssettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `resumption` | _[SessionResumption](#sessionresumption)_ | false | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `resumption` | _[SessionResumption](#sessionresumption)_ | false | | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | #### SessionResumption @@ -3926,10 +3926,10 @@ SessionResumption defines supported tls session resumption methods and their ass _Appears in:_ - [Session](#session) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | Stateless defines setting for stateless (session-ticket based) session resumption | -| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | Stateful defines setting for stateful (session-id based) session resumption | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | | Stateless defines setting for stateless (session-ticket based) session resumption | +| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | | Stateful defines setting for stateful (session-id based) session resumption | #### ShutdownConfig @@ -3941,10 +3941,10 @@ ShutdownConfig defines configuration for graceful envoy shutdown process. _Appears in:_ - [EnvoyProxySpec](#envoyproxyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | -| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | +| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | #### ShutdownManager @@ -3956,9 +3956,9 @@ ShutdownManager defines the configuration for the shutdown manager. _Appears in:_ - [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `image` | _string_ | true | Image specifies the ShutdownManager container image to be used, instead of the default image. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `image` | _string_ | true | | Image specifies the ShutdownManager container image to be used, instead of the default image. | #### SlowStart @@ -3970,9 +3970,9 @@ SlowStart defines the configuration related to the slow start load balancer poli _Appears in:_ - [LoadBalancer](#loadbalancer) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | #### SourceMatch @@ -3984,10 +3984,10 @@ _Appears in:_ _Appears in:_ - [RateLimitSelectCondition](#ratelimitselectcondition) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[SourceMatchType](#sourcematchtype)_ | false | | -| `value` | _string_ | true | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[SourceMatchType](#sourcematchtype)_ | false | Exact | | +| `value` | _string_ | true | | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | #### SourceMatchType @@ -4045,11 +4045,11 @@ StatusCodeMatch defines the configuration for matching a status code. _Appears in:_ - [CustomResponseMatch](#customresponsematch) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value.
Valid values are Value and Range, default is Value. | -| `value` | _integer_ | false | Value contains the value of the status code. | -| `range` | _[StatusCodeRange](#statuscoderange)_ | false | Range contains the range of status codes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Value | Type is the type of value.
Valid values are Value and Range, default is Value. | +| `value` | _integer_ | false | | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | | Range contains the range of status codes. | #### StatusCodeRange @@ -4061,10 +4061,10 @@ StatusCodeRange defines the configuration for define a range of status codes. _Appears in:_ - [StatusCodeMatch](#statuscodematch) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `start` | _integer_ | true | Start of the range, including the start value. | -| `end` | _integer_ | true | End of the range, including the end value. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `start` | _integer_ | true | | Start of the range, including the start value. | +| `end` | _integer_ | true | | End of the range, including the end value. | #### StatusCodeValueType @@ -4093,10 +4093,10 @@ that need to match against a string. _Appears in:_ - [ProxyMetrics](#proxymetrics) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[StringMatchType](#stringmatchtype)_ | false | Type specifies how to match against a string. | -| `value` | _string_ | true | Value specifies the string value that the match must have. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[StringMatchType](#stringmatchtype)_ | false | Exact | Type specifies how to match against a string. | +| `value` | _string_ | true | | Value specifies the string value that the match must have. | #### StringMatchType 
@@ -4126,10 +4126,10 @@ TCPActiveHealthChecker defines the settings of tcp health check. _Appears in:_ - [ActiveHealthCheck](#activehealthcheck) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `send` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Send defines the request payload. | -| `receive` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Receive defines the expected response payload. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `send` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | | Send defines the request payload. | +| `receive` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | | Receive defines the expected response payload. | #### TCPClientTimeout @@ -4141,9 +4141,9 @@ TCPClientTimeout only provides timeout configuration on the listener whose proto _Appears in:_ - [ClientTimeout](#clienttimeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | #### TCPKeepalive @@ -4157,11 +4157,11 @@ _Appears in:_ - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | -| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | -| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `probes` | _integer_ | false | | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | +| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -4173,9 +4173,9 @@ _Appears in:_ _Appears in:_ - [Timeout](#timeout) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `connectTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `connectTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | #### TLSSettings @@ -4188,14 +4188,14 @@ _Appears in:_ - [BackendTLSConfig](#backendtlsconfig) - [ClientTLSSettings](#clienttlssettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | -| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | -| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | -| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | -| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### TLSVersion @@ -4231,11 +4231,11 @@ _Appears in:_ - [PolicyTargetReferences](#policytargetreferences) - [SecurityPolicySpec](#securitypolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `group` | _[Group](#group)_ | true | Group is the group that this selector targets. Defaults to gateway.networking.k8s.io | -| `kind` | _[Kind](#kind)_ | true | Kind is the resource kind that this selector targets. | -| `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `group` | _[Group](#group)_ | true | gateway.networking.k8s.io | Group is the group that this selector targets. Defaults to gateway.networking.k8s.io | +| `kind` | _[Kind](#kind)_ | true | | Kind is the resource kind that this selector targets. | +| `matchLabels` | _object (keys:string, values:string)_ | true | | MatchLabels are the set of label selectors for identifying the targeted resource | #### Timeout @@ -4248,10 +4248,10 @@ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClusterSettings](#clustersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | -| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | | Timeout settings for TCP. | +| `http` | _[HTTPTimeout](#httptimeout)_ | false | | Timeout settings for HTTP. | #### TracingProvider 
@@ -4263,15 +4263,15 @@ TracingProvider defines the tracing provider configuration. _Appears in:_ - [ProxyTracing](#proxytracing) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | -| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -| `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | -| `host` | _string_ | false | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | -| `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | -| `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | Zipkin defines the Zipkin tracing provider configuration | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | | BackendSettings holds configuration for managing the connection
to the backend. | +| `type` | _[TracingProviderType](#tracingprovidertype)_ | true | OpenTelemetry | Type defines the tracing provider type. | +| `host` | _string_ | false | | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | 4317 | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | +| `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | | Zipkin defines the Zipkin tracing provider configuration | #### TracingProviderType @@ -4327,9 +4327,9 @@ _Appears in:_ - [BackendEndpoint](#backendendpoint) - [ExtensionService](#extensionservice) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `path` | _string_ | true | Path defines the unix domain socket path of the backend endpoint. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `path` | _string_ | true | | Path defines the unix domain socket path of the backend endpoint. | #### Wasm @@ -4345,14 +4345,14 @@ v8 is used as the VM runtime for the Wasm extensions. _Appears in:_ - [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `name` | _string_ | false | Name is a unique name for this Wasm extension. It is used to identify the
Wasm extension if multiple extensions are handled by the same vm_id and root_id.
It's also used for logging/debugging.
If not specified, EG will generate a unique name for the Wasm extension. | -| `rootID` | _string_ | true | RootID is a unique ID for a set of extensions in a VM which will share a
RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).

Note: RootID must match the root_id parameter used to register the Context in the Wasm code. | -| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. | -| `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | -| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | -| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `name` | _string_ | false | | Name is a unique name for this Wasm extension. It is used to identify the
Wasm extension if multiple extensions are handled by the same vm_id and root_id.
It's also used for logging/debugging.
If not specified, EG will generate a unique name for the Wasm extension. | +| `rootID` | _string_ | true | | RootID is a unique ID for a set of extensions in a VM which will share a
RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).

Note: RootID must match the root_id parameter used to register the Context in the Wasm code. | +| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | | Code is the Wasm code for the extension. | +| `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | +| `failOpen` | _boolean_ | false | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | +| `env` | _[WasmEnv](#wasmenv)_ | false | | Env configures the environment for the Wasm extension | #### WasmCodeSource @@ -4364,12 +4364,12 @@ WasmCodeSource defines the source of the Wasm code. _Appears in:_ - [Wasm](#wasm) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | Type is the type of the source of the Wasm code.
Valid WasmCodeSourceType values are "HTTP" or "Image". | -| `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | HTTP is the HTTP URL containing the Wasm code.

Note that the HTTP server must be accessible from the Envoy proxy. | -| `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | Image is the OCI image containing the Wasm code.

Note that the image must be accessible from the Envoy Gateway. | -| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
This field is only applicable when the SHA256 field is not set.

If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.

Note: EG does not update the Wasm module every time an Envoy proxy requests
the Wasm module even if the pull policy is set to Always.
It only updates the Wasm module when the EnvoyExtension resource version changes. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | | Type is the type of the source of the Wasm code.
Valid WasmCodeSourceType values are "HTTP" or "Image". | +| `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | | HTTP is the HTTP URL containing the Wasm code.

Note that the HTTP server must be accessible from the Envoy proxy. | +| `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | | Image is the OCI image containing the Wasm code.

Note that the image must be accessible from the Envoy Gateway. | +| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
This field is only applicable when the SHA256 field is not set.

If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.

Note: EG does not update the Wasm module every time an Envoy proxy requests
the Wasm module even if the pull policy is set to Always.
It only updates the Wasm module when the EnvoyExtension resource version changes. | #### WasmCodeSourceType @@ -4396,9 +4396,9 @@ WasmEnv defines the environment variables for the VM of a Wasm extension _Appears in:_ - [Wasm](#wasm) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `hostKeys` | _string array_ | false | | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | #### WithUnderscoresAction @@ -4445,10 +4445,10 @@ XDSTranslatorHooks contains all the pre and post hooks for the xds-translator ru _Appears in:_ - [ExtensionHooks](#extensionhooks) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `pre` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | -| `post` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `pre` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | | +| `post` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | | #### XFCCCertData @@ -4496,10 +4496,10 @@ XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-ce _Appears in:_ - [HeaderSettings](#headersettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `mode` | _[XFCCForwardMode](#xfccforwardmode)_ | false | Mode defines how XFCC header is handled by Envoy Proxy.
If not set, the default mode is `Sanitize`. | -| `certDetailsToAdd` | _[XFCCCertData](#xfcccertdata) array_ | false | CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.

Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)
are always included if the client certificate is forwarded.

This field is only applicable when the mode is set to `AppendForward` or
`SanitizeSet` and the client connection is mTLS. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `mode` | _[XFCCForwardMode](#xfccforwardmode)_ | false | | Mode defines how XFCC header is handled by Envoy Proxy.
If not set, the default mode is `Sanitize`. | +| `certDetailsToAdd` | _[XFCCCertData](#xfcccertdata) array_ | false | | CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.

Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)
are always included if the client certificate is forwarded.

This field is only applicable when the mode is set to `AppendForward` or
`SanitizeSet` and the client connection is mTLS. | #### XForwardedForSettings @@ -4513,9 +4513,9 @@ for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `numTrustedHops` | _integer_ | false | | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider @@ -4527,9 +4527,9 @@ ZipkinTracingProvider defines the Zipkin tracing provider configuration. _Appears in:_ - [TracingProvider](#tracingprovider) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enable128BitTraceId` | _boolean_ | false | Enable128BitTraceID determines whether a 128bit trace id will be used
when creating a new trace instance. If set to false, a 64bit trace
id will be used. | -| `disableSharedSpanContext` | _boolean_ | false | DisableSharedSpanContext determines whether the default Envoy behaviour of
client and server spans sharing the same span context should be disabled. | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `enable128BitTraceId` | _boolean_ | false | | Enable128BitTraceID determines whether a 128bit trace id will be used
when creating a new trace instance. If set to false, a 64bit trace
id will be used. | +| `disableSharedSpanContext` | _boolean_ | false | | DisableSharedSpanContext determines whether the default Envoy behaviour of
client and server spans sharing the same span context should be disabled. | diff --git a/tools/crd-ref-docs/templates/type.tpl b/tools/crd-ref-docs/templates/type.tpl index a1bb44833a7..45828532dee 100644 --- a/tools/crd-ref-docs/templates/type.tpl +++ b/tools/crd-ref-docs/templates/type.tpl @@ -16,8 +16,8 @@ _Appears in:_ {{- end }} {{ if $type.Members -}} -| Field | Type | Required | Description | -| --- | --- | --- | --- | +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | {{ if $type.GVK -}} | `apiVersion` | _string_ | |`{{ $type.GVK.Group }}/{{ $type.GVK.Version }}` | `kind` | _string_ | |`{{ $type.GVK.Kind }}` @@ -26,7 +26,7 @@ _Appears in:_ {{ range $type.Members -}} {{- with .Markers.notImplementedHide -}} {{- else -}} -| `{{ .Name }}` | _{{ markdownRenderType .Type }}_ | {{ with .Markers.optional }} {{ "false" }} {{ else }} {{ "true" }} {{end}} | {{ template "type_members" . }} | +| `{{ .Name }}` | _{{ markdownRenderType .Type }}_ | {{ with .Markers.optional }} {{ "false" }} {{ else }} {{ "true" }} {{end}} | {{ markdownRenderDefault .Default }} | {{ template "type_members" . }} | {{ end -}} {{- end -}} {{- end -}}
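Review bot: in the `tools/crd-ref-docs/templates/type.tpl` hunk, the `apiVersion` and `kind` rows inside the `{{ if $type.GVK -}}` block were not updated and still emit four cells (`| `apiVersion` | _string_ | |`{{ $type.GVK.Group }}/{{ $type.GVK.Version }}``), while the header directly above them now has five (`| Field | Type | Required | Default | Description |`), so on every top-level type the group/version and kind values will render under the new Default column with an empty Description. Add an empty Default cell to both rows, for example `| `apiVersion` | _string_ | | |`{{ $type.GVK.Group }}/{{ $type.GVK.Version }}``, so they line up with the member rows that now go through `markdownRenderDefault`.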
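Review bot: in the `extension_types.md` hunks, several regenerated rows show an empty Default cell while their description still states a default in prose: `pullPolicy` ("If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest") and `mode` on `XForwardedClientCert` ("If not set, the default mode is `Sanitize`"). For `pullPolicy` the default is conditional on the image tag, so an empty cell is correct and the prose should stay; for `mode` the default is a fixed value, so if it is meant to be applied by the API server rather than by the controller, adding the kubebuilder default marker would make the column carry `Sanitize` instead of leaving readers to find it in the description. The `failOpen` row is the one place in this region where the column now carries a value (`false`), and it agrees with its description that traffic is blocked unless the field is set to true, which is the fail-closed behaviour worth having visible at a glance.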
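Review bot: the `hostKeys` description in the `WasmEnv` hunk carries a doubled word, "passing secrets to to Wasm extensions", on both the removed and the added row, so this PR does not introduce it but also does not fix it. The text is generated from the Go comment on the `HostKeys` field, so the correction belongs in the API source and will flow into this file on the next regeneration rather than being hand-edited here.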