Extension APIs

Packages

gateway.envoyproxy.io/v1alpha1

Package v1alpha1 contains API schema definitions for the gateway.envoyproxy.io API group.

Resource Types

AuthenticationFilter

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringAuthenticationFilter
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec AuthenticationFilterSpecSpec defines the desired state of the AuthenticationFilter type.

AuthenticationFilterSpec

AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type.

Appears in:

FieldDescription
type AuthenticationFilterTypeType defines the type of authentication provider to use. Supported provider types are “JWT”.
jwtProviders JwtAuthenticationFilterProvider arrayJWT defines the JSON Web Token (JWT) authentication provider type. When multiple jwtProviders are specified, the JWT is considered valid if any of the providers successfully validate the JWT. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.

AuthenticationFilterType

Underlying type: string

AuthenticationFilterType is a type of authentication provider.

Appears in:

ClaimToHeader

ClaimToHeader defines a configuration to convert JWT claims into HTTP headers

Appears in:

FieldDescription
header stringHeader defines the name of the HTTP request header that the JWT Claim will be saved into.
claim stringClaim is the JWT Claim that should be saved into the header : it can be a nested claim of type (eg. “claim.nested.key”, “sub”). The nested claim name must use dot “.” to separate the JSON name path.

EnvoyJSONPatchConfig

EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource using JSONPatch semantic

Appears in:

FieldDescription
type EnvoyResourceTypeType is the typed URL of the Envoy xDS Resource
name stringName is the name of the resource
operation JSONPatchOperationPatch defines the JSON Patch Operation

EnvoyPatchPolicy

EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API

Appears in:

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringEnvoyPatchPolicy
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec EnvoyPatchPolicySpecSpec defines the desired state of EnvoyPatchPolicy.

EnvoyPatchPolicyList

EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources.

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringEnvoyPatchPolicyList
metadata ListMetaRefer to Kubernetes API documentation for fields of metadata.
items EnvoyPatchPolicy array

EnvoyPatchPolicySpec

EnvoyPatchPolicySpec defines the desired state of EnvoyPatchPolicy.

Appears in:

FieldDescription
type EnvoyPatchTypeType decides the type of patch. Valid EnvoyPatchType values are “JSONPatch”.
jsonPatches EnvoyJSONPatchConfig arrayJSONPatch defines the JSONPatch configuration.
targetRef PolicyTargetReferenceTargetRef is the name of the Gateway API resource this policy is being attached to. Currently only attaching to Gateway is supported This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway TargetRef
priority integerPriority of the EnvoyPatchPolicy. If multiple EnvoyPatchPolicies are applied to the same TargetRef, they will be applied in the ascending order of the priority i.e. int32.min has the highest priority and int32.max has the lowest priority. Defaults to 0.

EnvoyPatchType

Underlying type: string

EnvoyPatchType specifies the types of Envoy patching mechanisms.

Appears in:

EnvoyResourceType

Underlying type: string

EnvoyResourceType specifies the type URL of the Envoy resource.

Appears in:

GlobalRateLimit

GlobalRateLimit defines global rate limit configuration.

Appears in:

FieldDescription
rules RateLimitRule arrayRules are a list of RateLimit selectors and limits. Each rule and its associated limit is applied in a mutually exclusive way i.e. if multiple rules get selected, each of their associated limits get applied, so a single traffic request might increase the rate limit counters for multiple rules if selected.

HeaderMatch

HeaderMatch defines the match attributes within the HTTP Headers of the request.

Appears in:

FieldDescription
type HeaderMatchTypeType specifies how to match against the value of the header.
name stringName of the HTTP header.
value stringValue within the HTTP header. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent. Do not set this field when Type=“Distinct”, implying matching on any/all unique values within the header.

HeaderMatchType

Underlying type: string

HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values are “Exact”, “RegularExpression”, and “Distinct”.

Appears in:

JSONPatchOperation

JSONPatchOperation defines the JSON Patch Operation as defined in https://datatracker.ietf.org/doc/html/rfc6902

Appears in:

FieldDescription
op JSONPatchOperationTypeOp is the type of operation to perform
path stringPath is the location of the target document/field where the operation will be performed Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
value JSONValue is the new value of the path location.

JSONPatchOperationType

Underlying type: string

JSONPatchOperationType specifies the JSON Patch operations that can be performed.

Appears in:

JwtAuthenticationFilterProvider

JwtAuthenticationFilterProvider defines the JSON Web Token (JWT) authentication provider type and how JWTs should be verified:

Appears in:

FieldDescription
name stringName defines a unique name for the JWT provider. A name can have a variety of forms, including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
issuer stringIssuer is the principal that issued the JWT and takes the form of a URL or email address. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided, the JWT issuer is not checked.
audiences string arrayAudiences is a list of JWT audiences allowed access. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences are not checked.
remoteJWKS RemoteJWKSRemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
claimToHeaders ClaimToHeader arrayClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported

RateLimitFilter

RateLimitFilter allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow.

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringRateLimitFilter
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec RateLimitFilterSpecSpec defines the desired state of RateLimitFilter.

RateLimitFilterSpec

RateLimitFilterSpec defines the desired state of RateLimitFilter.

Appears in:

FieldDescription
type RateLimitTypeType decides the scope for the RateLimits. Valid RateLimitType values are “Global”.
global GlobalRateLimitGlobal defines global rate limit configuration.

RateLimitRule

RateLimitRule defines the semantics for matching attributes from the incoming requests, and setting limits for them.

Appears in:

FieldDescription
clientSelectors RateLimitSelectCondition arrayClientSelectors holds the list of select conditions to select specific clients using attributes from the traffic flow. All individual select conditions must hold True for this rule and its limit to be applied. If this field is empty, it is equivalent to True, and the limit is applied.
limit RateLimitValueLimit holds the rate limit values. This limit is applied for traffic flows when the selectors compute to True, causing the request to be counted towards the limit. The limit is enforced and the request is ratelimited, i.e. a response with 429 HTTP status code is sent back to the client when the selected requests have reached the limit.

RateLimitSelectCondition

RateLimitSelectCondition specifies the attributes within the traffic flow that can be used to select a subset of clients to be ratelimited. All the individual conditions must hold True for the overall condition to hold True.

Appears in:

FieldDescription
headers HeaderMatch arrayHeaders is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers.
sourceIP stringDeprecated: Use SourceCIDR instead.
sourceCIDR SourceMatchSourceCIDR is the client IP Address range to match on.

RateLimitType

Underlying type: string

RateLimitType specifies the types of RateLimiting.

Appears in:

RateLimitUnit

Underlying type: string

RateLimitUnit specifies the intervals for setting rate limits. Valid RateLimitUnit values are “Second”, “Minute”, “Hour”, and “Day”.

Appears in:

RateLimitValue

RateLimitValue defines the limits for rate limiting.

Appears in:

FieldDescription
requests integer
unit RateLimitUnit

RemoteJWKS

RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.

Appears in:

FieldDescription
uri stringURI is the HTTPS URI to fetch the JWKS. Envoy’s system trust bundle is used to validate the server certificate.

SourceMatch

Appears in:

FieldDescription
type SourceMatchType
value stringValue is the IP CIDR that represents the range of Source IP Addresses of the client. These could also be the intermediate addresses through which the request has flown through and is part of the X-Forwarded-For header. For example, 192.168.0.1/32, 192.168.0.0/24, 001:db8::/64.

SourceMatchType

Underlying type: string

Appears in:


Last modified May 25, 2024: fix api wording (#3467) (5bc5e0f)