Skip to content

Instantly share code, notes, and snippets.

@danehans

danehans/01_contour_1.7_ocp_4.6.yaml

Last active August 21, 2020 19:54
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save danehans/7e2f58f6dfb24ef0c45db8941a8cf93d to your computer and use it in GitHub Desktop.
Save danehans/7e2f58f6dfb24ef0c45db8941a8cf93d to your computer and use it in GitHub Desktop.
Download ZIP
contour_1.7_ocp_4.6
Raw
01_contour_1.7_ocp_4.6.yaml
# Manifest for running Contour 1.7 on OCP 4.6 based on https://projectcontour.io/quickstart/contour.yaml
#
# This file is generated from the individual YAML files by generate-deployment.sh. Do not
# edit this file directly but instead edit the source files and re-render.
#
# Generated from:
# examples/contour/00-common.yaml
# examples/contour/01-contour-config.yaml
# examples/contour/01-crds.yaml
# examples/contour/02-job-certgen.yaml
# examples/contour/02-rbac.yaml
# examples/contour/02-role-contour.yaml
# examples/contour/02-service-contour.yaml
# examples/contour/02-service-envoy.yaml
# examples/contour/03-contour.yaml
# examples/contour/03-envoy.yaml
#
---
apiVersion: v1
kind: Namespace
metadata:
name: projectcontour
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: contour
namespace: projectcontour
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: envoy
namespace: projectcontour
---
apiVersion: v1
kind: ConfigMap
metadata:
name: contour
namespace: projectcontour
data:
contour.yaml: |
# should contour expect to be running inside a k8s cluster
# incluster: true
#
# path to kubeconfig (if not running inside a k8s cluster)
# kubeconfig: /path/to/.kube/config
#
# disable HTTPProxy permitInsecure field
disablePermitInsecure: false
tls:
# minimum TLS version that Contour will negotiate
# minimum-protocol-version: "1.1"
# Defines the Kubernetes name/namespace matching a secret to use
# as the fallback certificate when requests which don't match the
# SNI defined for a vhost.
fallback-certificate:
# name: fallback-secret-name
# namespace: projectcontour
# The following config shows the defaults for the leader election.
# leaderelection:
# configmap-name: leader-elect
# configmap-namespace: projectcontour
### Logging options
# Default setting
accesslog-format: envoy
# To enable JSON logging in Envoy
# accesslog-format: json
# The default fields that will be logged are specified below.
# To customise this list, just add or remove entries.
# The canonical list is available at
# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
# json-fields:
# - "@timestamp"
# - "authority"
# - "bytes_received"
# - "bytes_sent"
# - "downstream_local_address"
# - "downstream_remote_address"
# - "duration"
# - "method"
# - "path"
# - "protocol"
# - "request_id"
# - "requested_server_name"
# - "response_code"
# - "response_flags"
# - "uber_trace_id"
# - "upstream_cluster"
# - "upstream_host"
# - "upstream_local_address"
# - "upstream_service_time"
# - "user_agent"
# - "x_forwarded_for"
#
# default-http-versions:
# - "HTTP/2"
# - "HTTP/1.1"
#
# The following shows the default proxy timeout settings.
# timeouts:
# request-timeout: infinity
# connection-idle-timeout: 60s
# stream-idle-timeout: 5m
# max-connection-duration: infinity
# connection-shutdown-grace-period: 5s
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.9
creationTimestamp: null
name: httpproxies.projectcontour.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.virtualhost.fqdn
description: Fully qualified domain name
name: FQDN
type: string
- JSONPath: .spec.virtualhost.tls.secretName
description: Secret with TLS credentials
name: TLS Secret
type: string
- JSONPath: .status.currentStatus
description: The current status of the HTTPProxy
name: Status
type: string
- JSONPath: .status.description
description: Description of the current status
name: Status Description
type: string
group: projectcontour.io
names:
kind: HTTPProxy
listKind: HTTPProxyList
plural: httpproxies
shortNames:
- proxy
- proxies
singular: httpproxy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: HTTPProxy is an Ingress CRD specification.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: HTTPProxySpec defines the spec of the CRD.
properties:
includes:
description: Includes allow for specific routing configuration to be
included from another HTTPProxy, possibly in another namespace.
items:
description: Include describes a set of policies that can be applied
to an HTTPProxy in a namespace.
properties:
conditions:
description: 'Conditions are a set of rules that are applied to
included HTTPProxies. In effect, they are added onto the Conditions
of included HTTPProxy Route structs. When applied, they are
merged using AND, with one exception: There can be only one
Prefix MatchCondition per Conditions slice. More than one Prefix,
or contradictory Conditions, will make the include invalid.'
items:
description: MatchCondition are a general holder for matching
rules for HTTPProxies. One of Prefix or Header must be provided.
properties:
header:
description: Header specifies the header condition to match.
properties:
contains:
description: Contains specifies a substring that must
be present in the header value.
type: string
exact:
description: Exact specifies a string that the header
value must be equal to.
type: string
name:
description: Name is the name of the header to match
against. Name is required. Header names are case insensitive.
type: string
notcontains:
description: NotContains specifies a substring that
must not be present in the header value.
type: string
notexact:
description: NoExact specifies a string that the header
value must not be equal to. The condition is true
if the header has any other value.
type: string
present:
description: Present specifies that condition is true
when the named header is present, regardless of its
value. Note that setting Present to false does not
make the condition true if the named header is absent.
type: boolean
required:
- name
type: object
prefix:
description: Prefix defines a prefix match for a request.
type: string
type: object
type: array
name:
description: Name of the HTTPProxy
type: string
namespace:
description: Namespace of the HTTPProxy to include. Defaults to
the current namespace if not supplied.
type: string
required:
- name
type: object
type: array
routes:
description: Routes are the ingress routes. If TCPProxy is present,
Routes is ignored.
items:
description: Route contains the set of routes for a virtual host.
properties:
conditions:
description: 'Conditions are a set of rules that are applied to
a Route. When applied, they are merged using AND, with one exception:
There can be only one Prefix MatchCondition per Conditions slice.
More than one Prefix, or contradictory Conditions, will make
the route invalid.'
items:
description: MatchCondition are a general holder for matching
rules for HTTPProxies. One of Prefix or Header must be provided.
properties:
header:
description: Header specifies the header condition to match.
properties:
contains:
description: Contains specifies a substring that must
be present in the header value.
type: string
exact:
description: Exact specifies a string that the header
value must be equal to.
type: string
name:
description: Name is the name of the header to match
against. Name is required. Header names are case insensitive.
type: string
notcontains:
description: NotContains specifies a substring that
must not be present in the header value.
type: string
notexact:
description: NoExact specifies a string that the header
value must not be equal to. The condition is true
if the header has any other value.
type: string
present:
description: Present specifies that condition is true
when the named header is present, regardless of its
value. Note that setting Present to false does not
make the condition true if the named header is absent.
type: boolean
required:
- name
type: object
prefix:
description: Prefix defines a prefix match for a request.
type: string
type: object
type: array
enableWebsockets:
description: Enables websocket support for the route.
type: boolean
healthCheckPolicy:
description: The health check policy for this route.
properties:
healthyThresholdCount:
description: The number of healthy health checks required
before a host is marked healthy
format: int64
minimum: 0
type: integer
host:
description: The value of the host header in the HTTP health
check request. If left empty (default value), the name "contour-envoy-healthcheck"
will be used.
type: string
intervalSeconds:
description: The interval (seconds) between health checks
format: int64
type: integer
path:
description: HTTP endpoint used to perform health checks on
upstream service
type: string
timeoutSeconds:
description: The time to wait (seconds) for a health check
response
format: int64
type: integer
unhealthyThresholdCount:
description: The number of unhealthy health checks required
before a host is marked unhealthy
format: int64
minimum: 0
type: integer
required:
- path
type: object
loadBalancerPolicy:
description: The load balancing policy for this route.
properties:
strategy:
description: Strategy specifies the policy used to balance
requests across the pool of backend pods. Valid policy names
are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Random`
and `Cookie`. If an unknown strategy name is specified or
no policy is supplied, the default `RoundRobin` policy is
used.
type: string
type: object
pathRewritePolicy:
description: The policy for rewriting the path of the request
URL after the request has been routed to a Service.
properties:
replacePrefix:
description: ReplacePrefix describes how the path prefix should
be replaced.
items:
description: ReplacePrefix describes a path prefix replacement.
properties:
prefix:
description: "Prefix specifies the URL path prefix to
be replaced. \n If Prefix is specified, it must exactly
match the MatchCondition prefix that is rendered by
the chain of including HTTPProxies and only that path
prefix will be replaced by Replacement. This allows
HTTPProxies that are included through multiple roots
to only replace specific path prefixes, leaving others
unmodified. \n If Prefix is not specified, all routing
prefixes rendered by the include chain will be replaced."
minLength: 1
type: string
replacement:
description: Replacement is the string that the routing
path prefix will be replaced with. This must not be
empty.
minLength: 1
type: string
required:
- replacement
type: object
type: array
type: object
permitInsecure:
description: Allow this path to respond to insecure requests over
HTTP which are normally not permitted when a `virtualhost.tls`
block is present.
type: boolean
requestHeadersPolicy:
description: The policy for managing request headers during proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove.
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values that
will be set in the HTTP header. If the header does not exist
it will be added, otherwise it will be overwritten with
the new value.
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
responseHeadersPolicy:
description: The policy for managing response headers during proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove.
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values that
will be set in the HTTP header. If the header does not exist
it will be added, otherwise it will be overwritten with
the new value.
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
retryPolicy:
description: The retry policy for this route.
properties:
count:
description: NumRetries is maximum allowed number of retries.
If not supplied, the number of retries is one.
format: int64
minimum: 0
type: integer
perTryTimeout:
description: PerTryTimeout specifies the timeout per retry
attempt. Ignored if NumRetries is not supplied.
type: string
retriableStatusCodes:
description: "RetriableStatusCodes specifies the HTTP status
codes that should be retried. \n This field is only respected
when you include `retriable-status-codes` in the `RetryOn`
field."
items:
format: int32
type: integer
type: array
retryOn:
description: "RetryOn specifies the conditions on which to
retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):
\n - `5xx` - `gateway-error` - `reset` - `connect-failure`
- `retriable-4xx` - `refused-stream` - `retriable-status-codes`
- `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):
\n - `cancelled` - `deadline-exceeded` - `internal` - `resource-exhausted`
- `unavailable`"
items:
description: RetryOn is a string type alias with validation
to ensure that the value is valid.
enum:
- 5xx
- gateway-error
- reset
- connect-failure
- retriable-4xx
- refused-stream
- retriable-status-codes
- retriable-headers
- cancelled
- deadline-exceeded
- internal
- resource-exhausted
- unavailable
type: string
type: array
type: object
services:
description: Services are the services to proxy traffic.
items:
description: Service defines an Kubernetes Service to proxy
traffic.
properties:
mirror:
description: If Mirror is true the Service will receive
a read only mirror of the traffic for this route.
type: boolean
name:
description: Name is the name of Kubernetes service to proxy
traffic. Names defined here will be used to look up corresponding
endpoints which contain the ips to route.
type: string
port:
description: Port (defined as Integer) to proxy traffic
to since a service can have multiple defined.
exclusiveMaximum: true
maximum: 65536
minimum: 1
type: integer
protocol:
description: Protocol may be used to specify (or override)
the protocol used to reach this Service. Values may be
tls, h2, h2c. If omitted, protocol-selection falls back
on Service annotations.
enum:
- h2
- h2c
- tls
type: string
requestHeadersPolicy:
description: The policy for managing request headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header
names to remove.
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header. If the header
does not exist it will be added, otherwise it will
be overwritten with the new value.
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
responseHeadersPolicy:
description: The policy for managing response headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header
names to remove.
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header. If the header
does not exist it will be added, otherwise it will
be overwritten with the new value.
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
validation:
description: UpstreamValidation defines how to verify the
backend service's certificate
properties:
caSecret:
description: Name of the Kubernetes secret be used to
validate the certificate presented by the backend
type: string
subjectName:
description: Key which is expected to be present in
the 'subjectAltName' of the presented certificate
type: string
required:
- caSecret
- subjectName
type: object
weight:
description: Weight defines percentage of traffic to balance
traffic
format: int64
minimum: 0
type: integer
required:
- name
- port
type: object
minItems: 1
type: array
timeoutPolicy:
description: The timeout policy for this route.
properties:
idle:
description: Timeout after which, if there are no active requests
for this route, the connection between Envoy and the backend
or Envoy and the external client will be closed. If not
specified, there is no per-route idle timeout, though a
connection manager-wide stream_idle_timeout default of 5m
still applies.
type: string
response:
description: Timeout for receiving a response from the server
after processing a request from client. If not supplied,
Envoy's default value of 15s applies.
type: string
type: object
required:
- services
type: object
type: array
tcpproxy:
description: TCPProxy holds TCP proxy information.
properties:
healthCheckPolicy:
description: The health check policy for this tcp proxy
properties:
healthyThresholdCount:
description: The number of healthy health checks required before
a host is marked healthy
format: int32
type: integer
intervalSeconds:
description: The interval (seconds) between health checks
format: int64
type: integer
timeoutSeconds:
description: The time to wait (seconds) for a health check response
format: int64
type: integer
unhealthyThresholdCount:
description: The number of unhealthy health checks required
before a host is marked unhealthy
format: int32
type: integer
type: object
include:
description: Include specifies that this tcpproxy should be delegated
to another HTTPProxy.
properties:
name:
description: Name of the child HTTPProxy
type: string
namespace:
description: Namespace of the HTTPProxy to include. Defaults
to the current namespace if not supplied.
type: string
required:
- name
type: object
includes:
description: "IncludesDeprecated allow for specific routing configuration
to be appended to another HTTPProxy in another namespace. \n Exists
due to a mistake when developing HTTPProxy and the field was marked
plural when it should have been singular. This field should stay
to not break backwards compatibility to v1 users."
properties:
name:
description: Name of the child HTTPProxy
type: string
namespace:
description: Namespace of the HTTPProxy to include. Defaults
to the current namespace if not supplied.
type: string
required:
- name
type: object
loadBalancerPolicy:
description: The load balancing policy for the backend services.
properties:
strategy:
description: Strategy specifies the policy used to balance requests
across the pool of backend pods. Valid policy names are `Random`,
`RoundRobin`, `WeightedLeastRequest`, `Random` and `Cookie`.
If an unknown strategy name is specified or no policy is supplied,
the default `RoundRobin` policy is used.
type: string
type: object
services:
description: Services are the services to proxy traffic
items:
description: Service defines an Kubernetes Service to proxy traffic.
properties:
mirror:
description: If Mirror is true the Service will receive a
read only mirror of the traffic for this route.
type: boolean
name:
description: Name is the name of Kubernetes service to proxy
traffic. Names defined here will be used to look up corresponding
endpoints which contain the ips to route.
type: string
port:
description: Port (defined as Integer) to proxy traffic to
since a service can have multiple defined.
exclusiveMaximum: true
maximum: 65536
minimum: 1
type: integer
protocol:
description: Protocol may be used to specify (or override)
the protocol used to reach this Service. Values may be tls,
h2, h2c. If omitted, protocol-selection falls back on Service
annotations.
enum:
- h2
- h2c
- tls
type: string
requestHeadersPolicy:
description: The policy for managing request headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove.
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header. If the header does
not exist it will be added, otherwise it will be overwritten
with the new value.
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
responseHeadersPolicy:
description: The policy for managing response headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove.
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header. If the header does
not exist it will be added, otherwise it will be overwritten
with the new value.
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
validation:
description: UpstreamValidation defines how to verify the
backend service's certificate
properties:
caSecret:
description: Name of the Kubernetes secret be used to
validate the certificate presented by the backend
type: string
subjectName:
description: Key which is expected to be present in the
'subjectAltName' of the presented certificate
type: string
required:
- caSecret
- subjectName
type: object
weight:
description: Weight defines percentage of traffic to balance
traffic
format: int64
minimum: 0
type: integer
required:
- name
- port
type: object
type: array
type: object
virtualhost:
description: Virtualhost appears at most once. If it is present, the
object is considered to be a "root" HTTPProxy.
properties:
fqdn:
description: The fully qualified domain name of the root of the
ingress tree all leaves of the DAG rooted at this object relate
to the fqdn.
type: string
tls:
description: If present describes tls properties. The SNI names
that will be matched on are described in fqdn, the tls.secretName
secret must contain a certificate that itself contains a name
that matches the FQDN.
properties:
clientValidation:
description: "ClientValidation defines how to verify the client
certificate when an external client establishes a TLS connection
to Envoy. \n This setting: \n 1. Enables TLS client certificate
validation. 2. Requires clients to present a TLS certificate
(i.e. not optional validation). 3. Specifies how the client
certificate will be validated."
properties:
caSecret:
description: Name of a Kubernetes secret that contains a
CA certificate bundle. The client certificate must validate
against the certificates in the bundle.
minLength: 1
type: string
required:
- caSecret
type: object
enableFallbackCertificate:
description: EnableFallbackCertificate defines if the vhost
should allow a default certificate to be applied which handles
all requests which don't match the SNI defined in this vhost.
type: boolean
minimumProtocolVersion:
description: Minimum TLS version this vhost should negotiate
type: string
passthrough:
description: If Passthrough is set to true, the SecretName will
be ignored and the encrypted handshake will be passed through
to the backing cluster.
type: boolean
secretName:
description: required, the name of a secret in the current namespace
type: string
type: object
required:
- fqdn
type: object
type: object
status:
description: Status is a container for computed information about the HTTPProxy.
properties:
conditions:
description: "Conditions contains information about the current status
of the HTTPProxy, in an upstream-friendly container. \n Contour will
update a single condition, `Valid`, that is in normal-true polarity.
That is, when `currentStatus` is `valid`, the `Valid` condition will
be `status: true`, and vice versa. \n Contour will leave untouched
any other Conditions set in this block, in case some other controller
wants to add a Condition. \n If you are another controller owner and
wish to add a condition, you *should* namespace your condition with
a label, like `controller.domain.com/ConditionName`."
items:
description: "DetailedCondition is an extension of the normal Kubernetes
conditions, with two extra fields to hold sub-conditions, which
provide more detailed reasons for the state (True or False) of the
condition. \n `errors` holds information about sub-conditions which
are fatal to that condition and render its state False. \n `warnings`
holds information about sub-conditions which are not fatal to that
condition and do not force the state to be False. \n Remember that
Conditions have a type, a status, and a reason. \n The type is the
type of the condition, the most important one in this CRD set is
`Valid`. \n In the case of `Valid`, `status: true` means that the
object is has been ingested into Contour with no errors. `warnings`
may still be present, and will be indicated in the Reason field.
\n `Valid`, `status: false` means that the object has had one or
more fatal errors during processing into Contour. The details of
the errors will be present under the `errors` field. \n There should
never be subconditions under `errors` when `status` is `true`."
properties:
errors:
description: "Errors contains a slice of relevant error subconditions
for this object. \n Subconditions are expected to appear when
relevant (when there is a error), and disappear when not relevant.
An empty slice here indicates no errors."
items:
description: "SubCondition is a Condition-like type intended
for use as a subcondition inside a DetailedCondition. \n It
contains a subset of the Condition fields. \n It is intended
for warnings and errors, so `type` names should use abnormal-true
polarity, that is, they should be of the form \"ErrorPresent:
true\". \n The expected lifecycle for these errors is that
they should only be present when the error or warning is,
and should be removed when they are not relevant."
properties:
message:
description: "Message is a human readable message indicating
details about the transition. \n This may be an empty
string."
maxLength: 32768
type: string
reason:
description: "Reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the values
are considered a guaranteed API. \n The value should be
a CamelCase string. \n This field may not be empty."
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
\n This must be in abnormal-true polarity, that is, `ErrorFound`
or `controller.io/ErrorFound`. \n The regex it matches
is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
lastTransitionTime:
description: "lastTransitionTime is the last time the condition
transitioned from one status to another. \n This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable."
format: date-time
type: string
message:
description: "message is a human readable message indicating details
about the transition. \n This may be an empty string."
maxLength: 32768
type: string
observedGeneration:
description: "observedGeneration represents the .metadata.generation
that the condition was set based upon. \n For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance."
format: int64
minimum: 0
type: integer
reason:
description: "Reason contains a programmatic identifier indicating
the reason for the condition's last transition. \n Producers
of specific condition types may define expected values and meanings
for this field, and whether the values are considered a guaranteed
API. \n The value should be a CamelCase string. \n This field
may not be empty."
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: "Type of condition in CamelCase or in foo.example.com/CamelCase.
\n Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. \n The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
warnings:
description: "Warnings contains a slice of relevant warning subconditions
for this object. \n Subconditions are expected to appear when
relevant (when there is a warning), and disappear when not relevant.
An empty slice here indicates no warnings."
items:
description: "SubCondition is a Condition-like type intended
for use as a subcondition inside a DetailedCondition. \n It
contains a subset of the Condition fields. \n It is intended
for warnings and errors, so `type` names should use abnormal-true
polarity, that is, they should be of the form \"ErrorPresent:
true\". \n The expected lifecycle for these errors is that
they should only be present when the error or warning is,
and should be removed when they are not relevant."
properties:
message:
description: "Message is a human readable message indicating
details about the transition. \n This may be an empty
string."
maxLength: 32768
type: string
reason:
description: "Reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the values
are considered a guaranteed API. \n The value should be
a CamelCase string. \n This field may not be empty."
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
\n This must be in abnormal-true polarity, that is, `ErrorFound`
or `controller.io/ErrorFound`. \n The regex it matches
is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
currentStatus:
type: string
description:
type: string
loadBalancer:
description: LoadBalancer contains the current status of the load balancer.
properties:
ingress:
description: Ingress is a list containing ingress points for the
load-balancer. Traffic intended for the service should be sent
to these ingress points.
items:
description: 'LoadBalancerIngress represents the status of a load-balancer
ingress point: traffic intended for the service should be sent
to an ingress point.'
properties:
hostname:
description: Hostname is set for load-balancer ingress points
that are DNS based (typically AWS load-balancers)
type: string
ip:
description: IP is set for load-balancer ingress points that
are IP based (typically GCE or OpenStack load-balancers)
type: string
type: object
type: array
type: object
type: object
required:
- metadata
- spec
type: object
version: v1
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.9
creationTimestamp: null
name: tlscertificatedelegations.projectcontour.io
spec:
group: projectcontour.io
names:
kind: TLSCertificateDelegation
listKind: TLSCertificateDelegationList
plural: tlscertificatedelegations
shortNames:
- tlscerts
singular: tlscertificatedelegation
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation.
See design/tls-certificate-delegation.md for details.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TLSCertificateDelegationSpec defines the spec of the CRD
properties:
delegations:
items:
description: CertificateDelegation maps the authority to reference
a secret in the current namespace to a set of namespaces.
properties:
secretName:
description: required, the name of a secret in the current namespace.
type: string
targetNamespaces:
description: required, the namespaces the authority to reference
the the secret will be delegated to. If TargetNamespaces is
nil or empty, the CertificateDelegation' is ignored. If the
TargetNamespace list contains the character, "*" the secret
will be delegated to all namespaces.
items:
type: string
type: array
required:
- secretName
- targetNamespaces
type: object
type: array
required:
- delegations
type: object
status:
description: TLSCertificateDelegationStatus allows for the status of the
delegation to be presented to the user.
properties:
conditions:
description: "Conditions contains information about the current status
of the HTTPProxy, in an upstream-friendly container. \n Contour will
update a single condition, `Valid`, that is in normal-true polarity.
That is, when `currentStatus` is `valid`, the `Valid` condition will
be `status: true`, and vice versa. \n Contour will leave untouched
any other Conditions set in this block, in case some other controller
wants to add a Condition. \n If you are another controller owner and
wish to add a condition, you *should* namespace your condition with
a label, like `controller.domain.com\\ConditionName`."
items:
description: "DetailedCondition is an extension of the normal Kubernetes
conditions, with two extra fields to hold sub-conditions, which
provide more detailed reasons for the state (True or False) of the
condition. \n `errors` holds information about sub-conditions which
are fatal to that condition and render its state False. \n `warnings`
holds information about sub-conditions which are not fatal to that
condition and do not force the state to be False. \n Remember that
Conditions have a type, a status, and a reason. \n The type is the
type of the condition, the most important one in this CRD set is
`Valid`. \n In the case of `Valid`, `status: true` means that the
object is has been ingested into Contour with no errors. `warnings`
may still be present, and will be indicated in the Reason field.
\n `Valid`, `status: false` means that the object has had one or
more fatal errors during processing into Contour. The details of
the errors will be present under the `errors` field. \n There should
never be subconditions under `errors` when `status` is `true`."
properties:
errors:
description: "Errors contains a slice of relevant error subconditions
for this object. \n Subconditions are expected to appear when
relevant (when there is a error), and disappear when not relevant.
An empty slice here indicates no errors."
items:
description: "SubCondition is a Condition-like type intended
for use as a subcondition inside a DetailedCondition. \n It
contains a subset of the Condition fields. \n It is intended
for warnings and errors, so `type` names should use abnormal-true
polarity, that is, they should be of the form \"ErrorPresent:
true\". \n The expected lifecycle for these errors is that
they should only be present when the error or warning is,
and should be removed when they are not relevant."
properties:
message:
description: "Message is a human readable message indicating
details about the transition. \n This may be an empty
string."
maxLength: 32768
type: string
reason:
description: "Reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the values
are considered a guaranteed API. \n The value should be
a CamelCase string. \n This field may not be empty."
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
\n This must be in abnormal-true polarity, that is, `ErrorFound`
or `controller.io/ErrorFound`. \n The regex it matches
is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
lastTransitionTime:
description: "lastTransitionTime is the last time the condition
transitioned from one status to another. \n This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable."
format: date-time
type: string
message:
description: "message is a human readable message indicating details
about the transition. \n This may be an empty string."
maxLength: 32768
type: string
observedGeneration:
description: "observedGeneration represents the .metadata.generation
that the condition was set based upon. \n For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance."
format: int64
minimum: 0
type: integer
reason:
description: "Reason contains a programmatic identifier indicating
the reason for the condition's last transition. \n Producers
of specific condition types may define expected values and meanings
for this field, and whether the values are considered a guaranteed
API. \n The value should be a CamelCase string. \n This field
may not be empty."
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: "Type of condition in CamelCase or in foo.example.com/CamelCase.
\n Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. \n The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
warnings:
description: "Warnings contains a slice of relevant warning subconditions
for this object. \n Subconditions are expected to appear when
relevant (when there is a warning), and disappear when not relevant.
An empty slice here indicates no warnings."
items:
description: "SubCondition is a Condition-like type intended
for use as a subcondition inside a DetailedCondition. \n It
contains a subset of the Condition fields. \n It is intended
for warnings and errors, so `type` names should use abnormal-true
polarity, that is, they should be of the form \"ErrorPresent:
true\". \n The expected lifecycle for these errors is that
they should only be present when the error or warning is,
and should be removed when they are not relevant."
properties:
message:
description: "Message is a human readable message indicating
details about the transition. \n This may be an empty
string."
maxLength: 32768
type: string
reason:
description: "Reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the values
are considered a guaranteed API. \n The value should be
a CamelCase string. \n This field may not be empty."
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
\n This must be in abnormal-true polarity, that is, `ErrorFound`
or `controller.io/ErrorFound`. \n The regex it matches
is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- metadata
- spec
type: object
version: v1
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: contour-certgen
namespace: projectcontour
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: contour
namespace: projectcontour
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: contour-certgen
subjects:
- kind: ServiceAccount
name: contour-certgen
namespace: projectcontour
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: contour-certgen
namespace: projectcontour
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- update
---
apiVersion: batch/v1
kind: Job
metadata:
name: contour-certgen-v1.7.0
namespace: projectcontour
spec:
ttlSecondsAfterFinished: 0
template:
metadata:
labels:
app: "contour-certgen"
spec:
containers:
- name: contour
# This version is set to latest because Job specs are immutable;
# if we change this on each version, you can no longer upgrade
# just by applying the deployment YAML.
# See #2423, #2395, #2150, and #2030 for earlier questions about this.
image: docker.io/projectcontour/contour:latest
imagePullPolicy: Always
command:
- contour
- certgen
- --kube
- --incluster
- --overwrite
- --secrets-format=compact
- --namespace=$(CONTOUR_NAMESPACE)
env:
- name: CONTOUR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: Never
serviceAccountName: contour-certgen
securityContext:
runAsNonRoot: true
#runAsUser: 65534
#runAsGroup: 65534
parallelism: 1
completions: 1
backoffLimit: 1
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: contour
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: contour
subjects:
- kind: ServiceAccount
name: contour
namespace: projectcontour
# The following ClusterRole is generated from kubebuilder RBAC tags by
# generate-rbac.sh. Do not edit this file directly but instead edit the source
# files and re-render.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: contour
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- gatewayclasses
- gateways
- httproutes
- tcproutes
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- create
- get
- update
- apiGroups:
- projectcontour.io
resources:
- httpproxies
- tlscertificatedelegations
verbs:
- get
- list
- watch
- apiGroups:
- projectcontour.io
resources:
- httpproxies/status
verbs:
- create
- get
- update
---
apiVersion: v1
kind: Service
metadata:
name: contour
namespace: projectcontour
spec:
ports:
- port: 8001
name: xds
protocol: TCP
targetPort: 8001
selector:
app: contour
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: envoy
namespace: projectcontour
annotations:
# This annotation puts the AWS ELB into "TCP" mode so that it does not
# do HTTP negotiation for HTTPS connections at the ELB edge.
# The downside of this is the remote IP address of all connections will
# appear to be the internal address of the ELB. See docs/proxy-proto.md
# for information about enabling the PROXY protocol on the ELB to recover
# the original remote IP address.
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
spec:
externalTrafficPolicy: Local
ports:
- port: 80
name: http
protocol: TCP
targetPort: 8080
- port: 443
name: https
protocol: TCP
targetPort: 8443
selector:
app: envoy
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: contour
name: contour
namespace: projectcontour
spec:
replicas: 2
strategy:
type: RollingUpdate
rollingUpdate:
# This value of maxSurge means that during a rolling update
# the new ReplicaSet will be created first.
maxSurge: 50%
selector:
matchLabels:
app: contour
template:
metadata:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8000"
labels:
app: contour
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app: contour
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- args:
- serve
- --incluster
- --xds-address=0.0.0.0
- --xds-port=8001
- --envoy-service-http-port=8080
- --envoy-service-https-port=8443
- --contour-cafile=/certs/ca.crt
- --contour-cert-file=/certs/tls.crt
- --contour-key-file=/certs/tls.key
- --config-path=/config/contour.yaml
command: ["contour"]
image: docker.io/projectcontour/contour:v1.7.0
imagePullPolicy: IfNotPresent
name: contour
ports:
- containerPort: 8001
name: xds
protocol: TCP
- containerPort: 8000
name: debug
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: 8000
readinessProbe:
tcpSocket:
port: 8001
initialDelaySeconds: 15
periodSeconds: 10
volumeMounts:
- name: contourcert
mountPath: /certs
readOnly: true
- name: contour-config
mountPath: /config
readOnly: true
env:
- name: CONTOUR_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
dnsPolicy: ClusterFirst
serviceAccountName: contour
securityContext:
runAsNonRoot: true
#runAsUser: 65534
#runAsGroup: 65534
volumes:
- name: contourcert
secret:
secretName: contourcert
- name: contour-config
configMap:
name: contour
defaultMode: 0644
items:
- key: contour.yaml
path: contour.yaml
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: envoy
name: envoy
namespace: projectcontour
spec:
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 10%
selector:
matchLabels:
app: envoy
template:
metadata:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8002"
prometheus.io/path: "/stats/prometheus"
labels:
app: envoy
spec:
containers:
- command:
- /bin/contour
args:
- envoy
- shutdown-manager
image: docker.io/projectcontour/contour:v1.7.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /bin/contour
- envoy
- shutdown
livenessProbe:
httpGet:
path: /healthz
port: 8090
initialDelaySeconds: 3
periodSeconds: 10
name: shutdown-manager
- args:
- -c
- /config/envoy.json
- --service-cluster $(CONTOUR_NAMESPACE)
- --service-node $(ENVOY_POD_NAME)
- --log-level info
command:
- envoy
image: docker.io/envoyproxy/envoy:v1.15.0
imagePullPolicy: IfNotPresent
name: envoy
env:
- name: CONTOUR_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: ENVOY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
ports:
# modified from original 80
- containerPort: 8080
#hostPort: 80
# end modified from original
name: http
protocol: TCP
# modified from original 443
- containerPort: 8443
#hostPort: 443
# end modified from original
name: https
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8002
initialDelaySeconds: 3
periodSeconds: 4
volumeMounts:
- name: envoy-config
mountPath: /config
- name: envoycert
mountPath: /certs
lifecycle:
preStop:
httpGet:
path: /shutdown
port: 8090
scheme: HTTP
initContainers:
- args:
- bootstrap
- /config/envoy.json
- --xds-address=contour
- --xds-port=8001
- --resources-dir=/config/resources
- --envoy-cafile=/certs/ca.crt
- --envoy-cert-file=/certs/tls.crt
- --envoy-key-file=/certs/tls.key
command:
- contour
image: docker.io/projectcontour/contour:v1.7.0
imagePullPolicy: IfNotPresent
name: envoy-initconfig
volumeMounts:
- name: envoy-config
mountPath: /config
- name: envoycert
mountPath: /certs
readOnly: true
env:
- name: CONTOUR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Modified from original
#automountServiceAccountToken: false
# End modified from original
serviceAccountName: envoy
terminationGracePeriodSeconds: 300
volumes:
- name: envoy-config
emptyDir: {}
- name: envoycert
secret:
secretName: envoycert
restartPolicy: Always
Raw
02_hello_ocp_app.yaml
# Change the following:
# dhansen.devcluster.openshift.com is the name of a route 53 public zone.
# a1abc3ad43ce94b88a75dab8c0473033-1934013951.us-west-2.elb.amazonaws.com is the
# name of ELB created by the enovy service.
#
kind: Pod
apiVersion: v1
metadata:
name: hello-openshift
labels:
name: hello-openshift
spec:
containers:
- name: hello-openshift
image: openshift/hello-openshift
ports:
- containerPort: 8080
protocol: TCP
volumeMounts:
- name: tmp
mountPath: "/tmp"
terminationMessagePath: "/dev/termination-log"
volumes:
- name: tmp
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: hello-openshift
spec:
# Remove after https://github.com/openshift/cluster-dns-operator/pull/182
# testing is done.
#clusterIP: 172.30.0.10
selector:
name: hello-openshift
ports:
- protocol: TCP
port: 80
targetPort: 8080
---
apiVersion: ingress.operator.openshift.io/v1
kind: DNSRecord
metadata:
finalizers:
- operator.openshift.io/ingress-dns
labels:
ingresscontroller.operator.openshift.io/owning-ingresscontroller: default
name: hello-openshift
namespace: openshift-ingress-operator
spec:
# dhansen.devcluster.openshift.com. is the cluster base domain.
dnsName: 'hello.contour.dhansen.devcluster.openshift.com.'
recordTTL: 30
# Create an Alias record in AWS.
recordType: CNAME
# Targets are the external IP of the router(s), i.e. AWS ELB.
targets:
- a1abc3ad43ce94b88a75dab8c0473033-1934013951.us-west-2.elb.amazonaws.com
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: hello-openshift
labels:
app: hello
annotations:
kubernetes.io/ingress.class: contour
spec:
rules:
# Uncomment with your own host from OCP base domain.
# Create an alias A record for host that points to
# the EXTERNAL IP of the envoy service.
- host: hello.contour.dhansen.devcluster.openshift.com
http:
paths:
- backend:
serviceName: hello-openshift
servicePort: 80
Raw
03_contour_ocp_notes.txt
# Testing get started guide: https://projectcontour.io/getting-started/
## Issues
# Contour deploy fails:
```
$ oc get deploy/contour -n projectcontour -o yaml
...
- lastTransitionTime: "2020-01-30T22:53:27Z"
lastUpdateTime: "2020-01-30T22:53:27Z"
message: 'pods "contour-7cc74f4778-" is forbidden: unable to validate against
any security context constraint: [spec.containers[0].securityContext.securityContext.runAsUser:
Invalid value: 65534: must be in the ranges: [1000590000, 1000599999]]'
reason: FailedCreate
status: "True"
type: ReplicaFailure
```
# Removed security context user uuid to fix issue.
# Envoy ds fails:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 103s (x16 over 3m5s) daemonset-controller Error creating: pods "envoy-" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.containers[0].hostPort: Invalid value: 80: Host ports are not allowed to be used spec.initContainers[0].securityContext.containers[0].hostPort: Invalid value: 443: Host ports are not allowed to be used spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 80: Host ports are not allowed to be used spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 443: Host ports are not allowed to be used]
# Removed hostPort: 80 and hostPort: 443 from daemonset/envoy
# Envoy fails to bind
$ oc logs ds/envoy -n projectcontour
Found 3 pods, using pod/envoy-sm9ss
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:249] initializing epoch 0 (hot restart version=11.104)
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:251] statically linked extensions:
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:253] access_loggers: envoy.file_access_log,envoy.http_grpc_access_log,envoy.tcp_grpc_access_log
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:256] filters.http: envoy.buffer,envoy.cors,envoy.csrf,envoy.ext_authz,envoy.fault,envoy.filters.http.adaptive_concurrency,envoy.filters.http.dynamic_forward_proxy,envoy.filters.http.grpc_http1_reverse_bridge,envoy.filters.http.grpc_stats,envoy.filters.http.header_to_metadata,envoy.filters.http.jwt_authn,envoy.filters.http.original_src,envoy.filters.http.rbac,envoy.filters.http.tap,envoy.grpc_http1_bridge,envoy.grpc_json_transcoder,envoy.grpc_web,envoy.gzip,envoy.health_check,envoy.http_dynamo_filter,envoy.ip_tagging,envoy.lua,envoy.rate_limit,envoy.router,envoy.squash
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:259] filters.listener: envoy.listener.http_inspector,envoy.listener.original_dst,envoy.listener.original_src,envoy.listener.proxy_protocol,envoy.listener.tls_inspector
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:262] filters.network: envoy.client_ssl_auth,envoy.echo,envoy.ext_authz,envoy.filters.network.dubbo_proxy,envoy.filters.network.mysql_proxy,envoy.filters.network.rbac,envoy.filters.network.sni_cluster,envoy.filters.network.thrift_proxy,envoy.filters.network.zookeeper_proxy,envoy.http_connection_manager,envoy.mongo_proxy,envoy.ratelimit,envoy.redis_proxy,envoy.tcp_proxy
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:264] stat_sinks: envoy.dog_statsd,envoy.metrics_service,envoy.stat_sinks.hystrix,envoy.statsd
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:266] tracers: envoy.dynamic.ot,envoy.lightstep,envoy.tracers.datadog,envoy.tracers.opencensus,envoy.tracers.xray,envoy.zipkin
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:269] transport_sockets.downstream: envoy.transport_sockets.alts,envoy.transport_sockets.raw_buffer,envoy.transport_sockets.tap,envoy.transport_sockets.tls,raw_buffer,tls
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:272] transport_sockets.upstream: envoy.transport_sockets.alts,envoy.transport_sockets.raw_buffer,envoy.transport_sockets.tap,envoy.transport_sockets.tls,raw_buffer,tls
[2020-02-21 18:49:46.524][1][info][main] [source/server/server.cc:278] buffer implementation: new
[2020-02-21 18:49:46.527][1][info][main] [source/server/server.cc:344] admin address: 127.0.0.1:9001
[2020-02-21 18:49:46.528][1][info][main] [source/server/server.cc:458] runtime: layers:
- name: base
static_layer:
{}
- name: admin
admin_layer:
{}
[2020-02-21 18:49:46.528][1][info][config] [source/server/configuration_impl.cc:62] loading 0 static secret(s)
[2020-02-21 18:49:46.528][1][info][config] [source/server/configuration_impl.cc:68] loading 2 cluster(s)
[2020-02-21 18:49:46.531][1][info][config] [source/server/configuration_impl.cc:72] loading 0 listener(s)
[2020-02-21 18:49:46.531][1][info][config] [source/server/configuration_impl.cc:97] loading tracing configuration
[2020-02-21 18:49:46.531][1][info][config] [source/server/configuration_impl.cc:117] loading stats sink configuration
[2020-02-21 18:49:46.531][1][info][main] [source/server/server.cc:549] starting main dispatch loop
[2020-02-21 18:49:46.549][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:157] cm init: initializing cds
[2020-02-21 18:49:46.556][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 18:49:46.556][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:161] cm init: all clusters initialized
[2020-02-21 18:49:46.556][1][info][main] [source/server/server.cc:528] all clusters initialized. initializing init manager
[2020-02-21 18:49:46.558][1][info][upstream] [source/server/lds_api.cc:63] lds: add/update listener 'stats-health'
[2020-02-21 18:49:46.558][1][info][config] [source/server/listener_manager_impl.cc:578] all dependencies initialized. starting workers
[2020-02-21 19:04:46.558][1][info][main] [source/server/drain_manager_impl.cc:63] shutting down parent after drain
[2020-02-21 19:06:19.546][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:06:21.664][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:16.421][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:18.985][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:20.203][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:20.700][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:21.227][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:23.586][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:23.908][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:24.302][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:25.614][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:25.949][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:55.640][1][warning][config] [source/common/config/grpc_mux_subscription_impl.cc:82] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) ingress_http: cannot bind '0.0.0.0:80': Permission denied
[2020-02-21 19:11:55.640][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 1 cluster(s), remove 2 cluster(s)
[2020-02-21 19:11:55.641][1][info][upstream] [source/common/upstream/cds_api_impl.cc:83] cds: add/update cluster 'default/guestbook/3000/da39a3ee5e'
[2020-02-21 19:13:48.455][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 3 cluster(s)
[2020-02-21 19:13:48.456][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:613] removing cluster default/guestbook/3000/da39a3ee5e
[2020-02-21 19:13:48.456][1][info][upstream] [source/common/upstream/cds_api_impl.cc:94] cds: remove cluster 'default/guestbook/3000/da39a3ee5e'
[2020-02-21 19:15:49.516][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:15:49.629][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-21 19:15:56.190][1][warning][config] [source/common/config/grpc_mux_subscription_impl.cc:82] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) ingress_http: cannot bind '0.0.0.0:80': Permission denied
[2020-02-21 19:15:56.191][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 1 cluster(s), remove 2 cluster(s)
[2020-02-21 19:15:56.191][1][info][upstream] [source/common/upstream/cds_api_impl.cc:83] cds: add/update cluster 'default/guestbook/3000/da39a3ee5e'
[2020-02-21 19:17:12.004][1][warning][config] [source/common/config/grpc_mux_subscription_impl.cc:82] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) ingress_http: cannot bind '0.0.0.0:80': Permission denied
[2020-02-21 19:17:12.004][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 1 cluster(s), remove 2 cluster(s)
[2020-02-21 19:17:59.449][1][warning][config] [source/common/config/grpc_mux_subscription_impl.cc:82] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) ingress_http: cannot bind '0.0.0.0:80': Permission denied
[2020-02-21 19:17:59.449][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 1 cluster(s), remove 2 cluster(s)
[2020-02-21 19:17:59.563][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 1 cluster(s), remove 2 cluster(s)
[2020-02-21 19:17:59.565][1][warning][config] [source/common/config/grpc_mux_subscription_impl.cc:82] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) ingress_http: cannot bind '0.0.0.0:80': Permission denied
# After adding envoy svc acct and ref'ing account from ds/envoy:
$ oc logs envoy-f8jrf -n projectcontour
[2020-02-24 18:59:34.094][1][info][main] [source/server/server.cc:249] initializing epoch 0 (hot restart version=11.104)
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:251] statically linked extensions:
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:253] access_loggers: envoy.file_access_log,envoy.http_grpc_access_log,envoy.tcp_grpc_access_log
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:256] filters.http: envoy.buffer,envoy.cors,envoy.csrf,envoy.ext_authz,envoy.fault,envoy.filters.http.adaptive_concurrency,envoy.filters.http.dynamic_forward_proxy,envoy.filters.http.grpc_http1_reverse_bridge,envoy.filters.http.grpc_stats,envoy.filters.http.header_to_metadata,envoy.filters.http.jwt_authn,envoy.filters.http.original_src,envoy.filters.http.rbac,envoy.filters.http.tap,envoy.grpc_http1_bridge,envoy.grpc_json_transcoder,envoy.grpc_web,envoy.gzip,envoy.health_check,envoy.http_dynamo_filter,envoy.ip_tagging,envoy.lua,envoy.rate_limit,envoy.router,envoy.squash
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:259] filters.listener: envoy.listener.http_inspector,envoy.listener.original_dst,envoy.listener.original_src,envoy.listener.proxy_protocol,envoy.listener.tls_inspector
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:262] filters.network: envoy.client_ssl_auth,envoy.echo,envoy.ext_authz,envoy.filters.network.dubbo_proxy,envoy.filters.network.mysql_proxy,envoy.filters.network.rbac,envoy.filters.network.sni_cluster,envoy.filters.network.thrift_proxy,envoy.filters.network.zookeeper_proxy,envoy.http_connection_manager,envoy.mongo_proxy,envoy.ratelimit,envoy.redis_proxy,envoy.tcp_proxy
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:264] stat_sinks: envoy.dog_statsd,envoy.metrics_service,envoy.stat_sinks.hystrix,envoy.statsd
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:266] tracers: envoy.dynamic.ot,envoy.lightstep,envoy.tracers.datadog,envoy.tracers.opencensus,envoy.tracers.xray,envoy.zipkin
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:269] transport_sockets.downstream: envoy.transport_sockets.alts,envoy.transport_sockets.raw_buffer,envoy.transport_sockets.tap,envoy.transport_sockets.tls,raw_buffer,tls
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:272] transport_sockets.upstream: envoy.transport_sockets.alts,envoy.transport_sockets.raw_buffer,envoy.transport_sockets.tap,envoy.transport_sockets.tls,raw_buffer,tls
[2020-02-24 18:59:34.095][1][info][main] [source/server/server.cc:278] buffer implementation: new
[2020-02-24 18:59:34.097][1][info][main] [source/server/server.cc:344] admin address: 127.0.0.1:9001
[2020-02-24 18:59:34.098][1][info][main] [source/server/server.cc:458] runtime: layers:
- name: base
static_layer:
{}
- name: admin
admin_layer:
{}
[2020-02-24 18:59:34.098][1][info][config] [source/server/configuration_impl.cc:62] loading 0 static secret(s)
[2020-02-24 18:59:34.098][1][info][config] [source/server/configuration_impl.cc:68] loading 2 cluster(s)
[2020-02-24 18:59:34.100][1][info][config] [source/server/configuration_impl.cc:72] loading 0 listener(s)
[2020-02-24 18:59:34.101][1][info][config] [source/server/configuration_impl.cc:97] loading tracing configuration
[2020-02-24 18:59:34.101][1][info][config] [source/server/configuration_impl.cc:117] loading stats sink configuration
[2020-02-24 18:59:34.101][1][info][main] [source/server/server.cc:549] starting main dispatch loop
[2020-02-24 18:59:34.117][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:157] cm init: initializing cds
[2020-02-24 18:59:35.181][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:91] gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-02-24 18:59:36.523][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:91] gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-02-24 18:59:38.646][1][info][upstream] [source/common/upstream/cds_api_impl.cc:67] cds: add 0 cluster(s), remove 2 cluster(s)
[2020-02-24 18:59:38.646][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:161] cm init: all clusters initialized
[2020-02-24 18:59:38.646][1][info][main] [source/server/server.cc:528] all clusters initialized. initializing init manager
[2020-02-24 18:59:38.650][1][info][upstream] [source/server/lds_api.cc:63] lds: add/update listener 'stats-health'
[2020-02-24 18:59:38.650][1][info][config] [source/server/listener_manager_impl.cc:578] all dependencies initialized. starting workers
# Change the http/https listener port used by envoy (80/443 to 8080 8443):
# Update contour deploy:
# --envoy-service-https-port=8443
# --envoy-service-http-port=8080
# Update ds/envoy container: containerPort: 8080 and containerPort: 8443
# Update svc/envoy target ports: targetPort: 8080 and targetPort: 8443
# Envoy starts, listeners bind, and example ingress works:
$ oc logs envoy-xbt5j -n projectcontour
<SNIP>
[2020-02-24 23:06:53.903][1][info][upstream] [source/server/lds_api.cc:63] lds: add/update listener 'ingress_http'
[2020-02-24 23:06:53.904][1][info][config] [source/server/listener_manager_impl.cc:578] all dependencies initialized. starting workers
[2020-02-24T23:10:44.714Z] "GET / HTTP/1.1" 0 DC 0 0 0 - "10.0.43.33" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" "d03f4870-6a86-4116-8875-d47547021d81" "guestbook.dhansen.devcluster.openshift.com" "-"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment