This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

API

This section includes APIs of Envoy Gateway.

1 - Config APIs

Packages

config.gateway.envoyproxy.io/v1alpha1

Package v1alpha1 contains API schema definitions for the config.gateway.envoyproxy.io API group.

Resource Types

CustomTag

Appears in:

FieldDescription
type CustomTagTypeType defines the type of custom tag.
literal LiteralCustomTagLiteral adds hard-coded value to each span. It’s required when the type is “Literal”.
environment EnvironmentCustomTagEnvironment adds value from environment variable to each span. It’s required when the type is “Environment”.
requestHeader RequestHeaderCustomTagRequestHeader adds value from request header to each span. It’s required when the type is “RequestHeader”.

CustomTagType

Underlying type: string

Appears in:

EnvironmentCustomTag

EnvironmentCustomTag adds value from environment variable to each span.

Appears in:

FieldDescription
name stringName defines the name of the environment variable which to extract the value from.
defaultValue stringDefaultValue defines the default value to use if the environment variable is not set.

EnvoyGateway

EnvoyGateway is the schema for the envoygateways API.

FieldDescription
apiVersion stringconfig.gateway.envoyproxy.io/v1alpha1
kind stringEnvoyGateway
gateway GatewayGateway defines desired Gateway API specific configuration. If unset, default configuration parameters will apply.
provider EnvoyGatewayProviderProvider defines the desired provider and provider-specific configuration. If unspecified, the Kubernetes provider is used with default configuration parameters.
logging EnvoyGatewayLoggingLogging defines logging parameters for Envoy Gateway.
admin EnvoyGatewayAdminAdmin defines the desired admin related abilities. If unspecified, the Admin is used with default configuration parameters.
rateLimit RateLimitRateLimit defines the configuration associated with the Rate Limit service deployed by Envoy Gateway required to implement the Global Rate limiting functionality. The specific rate limit service used here is the reference implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit. This configuration is unneeded for “Local” rate limiting.
extensionManager ExtensionManagerExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane.
extensionApis ExtensionAPISettingsExtensionAPIs defines the settings related to specific Gateway API Extensions implemented by Envoy Gateway

EnvoyGatewayAdmin

EnvoyGatewayAdmin defines the Envoy Gateway Admin configuration.

Appears in:

FieldDescription
address EnvoyGatewayAdminAddressAddress defines the address of Envoy Gateway Admin Server.
debug booleanDebug defines if enable the /debug endpoint of Envoy Gateway.

EnvoyGatewayAdminAddress

EnvoyGatewayAdminAddress defines the Envoy Gateway Admin Address configuration.

Appears in:

FieldDescription
port integerPort defines the port the admin server is exposed on.
host stringHost defines the admin server hostname.

EnvoyGatewayCustomProvider

EnvoyGatewayCustomProvider defines configuration for the Custom provider.

Appears in:

FieldDescription
resource EnvoyGatewayResourceProviderResource defines the desired resource provider. This provider is used to specify the provider to be used to retrieve the resource configurations such as Gateway API resources
infrastructure EnvoyGatewayInfrastructureProviderInfrastructure defines the desired infrastructure provider. This provider is used to specify the provider to be used to provide an environment to deploy the out resources like the Envoy Proxy data plane.

EnvoyGatewayFileResourceProvider

EnvoyGatewayFileResourceProvider defines configuration for the File Resource provider.

Appears in:

FieldDescription
paths string arrayPaths are the paths to a directory or file containing the resource configuration. Recursive sub directories are not currently supported.

EnvoyGatewayHostInfrastructureProvider

EnvoyGatewayHostInfrastructureProvider defines configuration for the Host Infrastructure provider.

Appears in:

EnvoyGatewayInfrastructureProvider

EnvoyGatewayInfrastructureProvider defines configuration for the Custom Infrastructure provider.

Appears in:

FieldDescription
type InfrastructureProviderTypeType is the type of infrastructure providers to use. Supported types are “Host”.
host EnvoyGatewayHostInfrastructureProviderHost defines the configuration of the Host provider. Host provides runtime deployment of the data plane as a child process on the host environment.

EnvoyGatewayKubernetesProvider

EnvoyGatewayKubernetesProvider defines configuration for the Kubernetes provider.

Appears in:

FieldDescription
rateLimitDeployment KubernetesDeploymentSpecRateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource. If unspecified, default settings for the managed Envoy ratelimit deployment resource are applied.
watch KubernetesWatchModeWatch holds configuration of which input resources should be watched and reconciled.
deploy KubernetesDeployModeDeploy holds configuration of how output managed resources such as the Envoy Proxy data plane should be deployed
overwrite_control_plane_certs booleanOverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set.

EnvoyGatewayLogComponent

Underlying type: string

EnvoyGatewayLogComponent defines a component that supports a configured logging level.

Appears in:

EnvoyGatewayLogging

EnvoyGatewayLogging defines logging for Envoy Gateway.

Appears in:

FieldDescription
level object (keys:EnvoyGatewayLogComponent, values:LogLevel)Level is the logging level. If unspecified, defaults to “info”. EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit. LogLevel options: debug/info/error/warn.

EnvoyGatewayProvider

EnvoyGatewayProvider defines the desired configuration of a provider.

Appears in:

FieldDescription
type ProviderTypeType is the type of provider to use. Supported types are “Kubernetes”.
kubernetes EnvoyGatewayKubernetesProviderKubernetes defines the configuration of the Kubernetes provider. Kubernetes provides runtime configuration via the Kubernetes API.
custom EnvoyGatewayCustomProviderCustom defines the configuration for the Custom provider. This provider allows you to define a specific resource provider and a infrastructure provider.

EnvoyGatewayResourceProvider

EnvoyGatewayResourceProvider defines configuration for the Custom Resource provider.

Appears in:

FieldDescription
type ResourceProviderTypeType is the type of resource provider to use. Supported types are “File”.
file EnvoyGatewayFileResourceProviderFile defines the configuration of the File provider. File provides runtime configuration defined by one or more files.

EnvoyGatewaySpec

EnvoyGatewaySpec defines the desired state of Envoy Gateway.

Appears in:

FieldDescription
gateway GatewayGateway defines desired Gateway API specific configuration. If unset, default configuration parameters will apply.
provider EnvoyGatewayProviderProvider defines the desired provider and provider-specific configuration. If unspecified, the Kubernetes provider is used with default configuration parameters.
logging EnvoyGatewayLoggingLogging defines logging parameters for Envoy Gateway.
admin EnvoyGatewayAdminAdmin defines the desired admin related abilities. If unspecified, the Admin is used with default configuration parameters.
rateLimit RateLimitRateLimit defines the configuration associated with the Rate Limit service deployed by Envoy Gateway required to implement the Global Rate limiting functionality. The specific rate limit service used here is the reference implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit. This configuration is unneeded for “Local” rate limiting.
extensionManager ExtensionManagerExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane.
extensionApis ExtensionAPISettingsExtensionAPIs defines the settings related to specific Gateway API Extensions implemented by Envoy Gateway

EnvoyProxy

EnvoyProxy is the schema for the envoyproxies API.

FieldDescription
apiVersion stringconfig.gateway.envoyproxy.io/v1alpha1
kind stringEnvoyProxy
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec EnvoyProxySpecEnvoyProxySpec defines the desired state of EnvoyProxy.

EnvoyProxyKubernetesProvider

EnvoyProxyKubernetesProvider defines configuration for the Kubernetes resource provider.

Appears in:

FieldDescription
envoyDeployment KubernetesDeploymentSpecEnvoyDeployment defines the desired state of the Envoy deployment resource. If unspecified, default settings for the managed Envoy deployment resource are applied.
envoyService KubernetesServiceSpecEnvoyService defines the desired state of the Envoy service resource. If unspecified, default settings for the managed Envoy service resource are applied.

EnvoyProxyProvider

EnvoyProxyProvider defines the desired state of a resource provider.

Appears in:

FieldDescription
type ProviderTypeType is the type of resource provider to use. A resource provider provides infrastructure resources for running the data plane, e.g. Envoy proxy, and optional auxiliary control planes. Supported types are “Kubernetes”.
kubernetes EnvoyProxyKubernetesProviderKubernetes defines the desired state of the Kubernetes resource provider. Kubernetes provides infrastructure resources for running the data plane, e.g. Envoy proxy. If unspecified and type is “Kubernetes”, default settings for managed Kubernetes resources are applied.

EnvoyProxySpec

EnvoyProxySpec defines the desired state of EnvoyProxy.

Appears in:

FieldDescription
provider EnvoyProxyProviderProvider defines the desired resource provider and provider-specific configuration. If unspecified, the “Kubernetes” resource provider is used with default configuration parameters.
logging ProxyLoggingLogging defines logging parameters for managed proxies.
telemetry ProxyTelemetryTelemetry defines telemetry parameters for managed proxies.
bootstrap stringBootstrap defines the Envoy Bootstrap as a YAML string. Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap to learn more about the syntax. If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration set by Envoy Gateway. Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources from it are not configurable and will result in the EnvoyProxy resource being rejected. Backward compatibility across minor versions is not guaranteed. We strongly recommend using egctl x translate to generate a EnvoyProxy resource with the Bootstrap field set to the default Bootstrap configuration used. You can edit this configuration, and rerun egctl x translate to ensure there are no validation errors.

ExtensionAPISettings

ExtensionAPISettings defines the settings specific to Gateway API Extensions.

Appears in:

FieldDescription
enableEnvoyPatchPolicy booleanEnableEnvoyPatchPolicy enables Envoy Gateway to reconcile and implement the EnvoyPatchPolicy resources.

ExtensionHooks

ExtensionHooks defines extension hooks across all supported runners

Appears in:

FieldDescription
xdsTranslator XDSTranslatorHooksXDSTranslator defines all the supported extension hooks for the xds-translator runner

ExtensionManager

ExtensionManager defines the configuration for registering an extension manager to the Envoy Gateway control plane.

Appears in:

FieldDescription
resources GroupVersionKind arrayResources defines the set of K8s resources the extension will handle.
hooks ExtensionHooksHooks defines the set of hooks the extension supports
service ExtensionServiceService defines the configuration of the extension service that the Envoy Gateway Control Plane will call through extension hooks.

ExtensionService

ExtensionService defines the configuration for connecting to a registered extension service.

Appears in:

FieldDescription
host stringHost define the extension service hostname.
port integerPort defines the port the extension service is exposed on.
tls ExtensionTLSTLS defines TLS configuration for communication between Envoy Gateway and the extension service.

ExtensionTLS

ExtensionTLS defines the TLS configuration when connecting to an extension service

Appears in:

FieldDescription
certificateRef SecretObjectReferenceCertificateRef contains a references to objects (Kubernetes objects or otherwise) that contains a TLS certificate and private keys. These certificates are used to establish a TLS handshake to the extension server.
CertificateRef can only reference a Kubernetes Secret at this time.

FileEnvoyProxyAccessLog

Appears in:

FieldDescription
path stringPath defines the file path used to expose envoy access log(e.g. /dev/stdout). Empty value disables accesslog.

Gateway

Gateway defines the desired Gateway API configuration of Envoy Gateway.

Appears in:

FieldDescription
controllerName stringControllerName defines the name of the Gateway API controller. If unspecified, defaults to “gateway.envoyproxy.io/gatewayclass-controller”. See the following for additional details: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass

GroupVersionKind

GroupVersionKind unambiguously identifies a Kind. It can be converted to k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind

Appears in:

FieldDescription
group string
version string
kind string

InfrastructureProviderType

Underlying type: string

InfrastructureProviderType defines the types of custom infrastructure providers supported by Envoy Gateway.

Appears in:

KubernetesContainerSpec

KubernetesContainerSpec defines the desired state of the Kubernetes container resource.

Appears in:

FieldDescription
env EnvVar arrayList of environment variables to set in the container.
resources ResourceRequirementsResources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
securityContext SecurityContextSecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
image stringImage specifies the EnvoyProxy container image to be used, instead of the default image.
volumeMounts VolumeMount arrayVolumeMounts are volumes to mount into the container’s filesystem. Cannot be updated.

KubernetesDeployMode

KubernetesDeployMode holds configuration for how to deploy managed resources such as the Envoy Proxy data plane fleet.

Appears in:

KubernetesDeploymentSpec

KubernetesDeploymentSpec defines the desired state of the Kubernetes deployment resource.

Appears in:

FieldDescription
replicas integerReplicas is the number of desired pods. Defaults to 1.
strategy DeploymentStrategyThe deployment strategy to use to replace existing pods with new ones.
pod KubernetesPodSpecPod defines the desired annotations and securityContext of container.
container KubernetesContainerSpecContainer defines the resources and securityContext of container.

KubernetesPodSpec

KubernetesPodSpec defines the desired state of the Kubernetes pod resource.

Appears in:

FieldDescription
annotations object (keys:string, values:string)Annotations are the annotations that should be appended to the pods. By default, no pod annotations are appended.
labels object (keys:string, values:string)Labels are the additional labels that should be tagged to the pods. By default, no additional pod labels are tagged.
securityContext PodSecurityContextSecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.
affinity AffinityIf specified, the pod’s scheduling constraints.
tolerations Toleration arrayIf specified, the pod’s tolerations.
volumes Volume arrayVolumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes

KubernetesServiceSpec

KubernetesServiceSpec defines the desired state of the Kubernetes service resource.

Appears in:

FieldDescription
annotations object (keys:string, values:string)Annotations that should be appended to the service. By default, no annotations are appended.
type ServiceTypeType determines how the Service is exposed. Defaults to LoadBalancer. Valid options are ClusterIP, LoadBalancer and NodePort. “LoadBalancer” means a service will be exposed via an external load balancer (if the cloud provider supports it). “ClusterIP” means a service will only be accessible inside the cluster, via the cluster IP. “NodePort” means a service will be exposed on a static Port on all Nodes of the cluster.

KubernetesWatchMode

KubernetesWatchMode holds the configuration for which input resources to watch and reconcile.

Appears in:

FieldDescription
Namespaces string arrayNamespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped resources such as Gateway, HTTPRoute and Service. Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as GatewayClass that it is linked to. By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources from all namespaces.

LiteralCustomTag

LiteralCustomTag adds hard-coded value to each span.

Appears in:

FieldDescription
value stringValue defines the hard-coded value to add to each span.

LogComponent

Underlying type: string

LogComponent defines a component that supports a configured logging level.

Appears in:

LogLevel

Underlying type: string

LogLevel defines a log level for Envoy Gateway and EnvoyProxy system logs. This type is not implemented for EnvoyProxy until https://github.com/envoyproxy/gateway/issues/280 is fixed.

Appears in:

MetricSink

Appears in:

FieldDescription
type MetricSinkTypeType defines the metric sink type. EG currently only supports OpenTelemetry.
openTelemetry OpenTelemetrySinkOpenTelemetry defines the configuration for OpenTelemetry sink. It’s required if the sink type is OpenTelemetry.

MetricSinkType

Underlying type: string

Appears in:

OpenTelemetryEnvoyProxyAccessLog

TODO: consider reuse ExtensionService?

Appears in:

FieldDescription
host stringHost define the extension service hostname.
port integerPort defines the port the extension service is exposed on.
resources object (keys:string, values:string)Resources is a set of labels that describe the source of a log entry, including envoy node info. It’s recommended to follow semantic conventions.

OpenTelemetrySink

Appears in:

FieldDescription
host stringHost define the service hostname.
port integerPort defines the port the service is exposed on.

PrometheusProvider

Appears in:

ProviderType

Underlying type: string

ProviderType defines the types of providers supported by Envoy Gateway.

Appears in:

ProxyAccessLog

Appears in:

FieldDescription
disable booleanDisable disables access logging for managed proxies if set to true.
settings ProxyAccessLogSetting arraySettings defines accesslog settings for managed proxies. If unspecified, will send default format to stdout.

ProxyAccessLogFormat

ProxyAccessLogFormat defines the format of accesslog.

Appears in:

FieldDescription
type ProxyAccessLogFormatTypeType defines the type of accesslog format.
text stringText defines the text accesslog format, following Envoy accesslog formatting, empty value results in proxy’s default access log format. It’s required when the format type is “Text”. Envoy command operators may be used in the format. The format string documentation provides more information.
json object (keys:string, values:string)JSON is additional attributes that describe the specific event occurrence. Structured format for the envoy access logs. Envoy command operators can be used as values for fields within the Struct. It’s required when the format type is “JSON”.

ProxyAccessLogFormatType

Underlying type: string

Appears in:

ProxyAccessLogSetting

Appears in:

FieldDescription
format ProxyAccessLogFormatFormat defines the format of accesslog.
sinks ProxyAccessLogSink arraySinks defines the sinks of accesslog.

ProxyAccessLogSink

Appears in:

FieldDescription
type ProxyAccessLogSinkTypeType defines the type of accesslog sink.
file FileEnvoyProxyAccessLogFile defines the file accesslog sink.
openTelemetry OpenTelemetryEnvoyProxyAccessLogOpenTelemetry defines the OpenTelemetry accesslog sink.

ProxyAccessLogSinkType

Underlying type: string

Appears in:

ProxyLogging

ProxyLogging defines logging parameters for managed proxies.

Appears in:

FieldDescription
level object (keys:LogComponent, values:LogLevel)Level is a map of logging level per component, where the component is the key and the log level is the value. If unspecified, defaults to “default: warn”.

ProxyMetrics

Appears in:

FieldDescription
prometheus PrometheusProviderPrometheus defines the configuration for Admin endpoint /stats/prometheus.
sinks MetricSink arraySinks defines the metric sinks where metrics are sent to.

ProxyTelemetry

Appears in:

FieldDescription
accessLog ProxyAccessLogAccessLogs defines accesslog parameters for managed proxies. If unspecified, will send default format to stdout.
tracing ProxyTracingTracing defines tracing configuration for managed proxies. If unspecified, will not send tracing data.
metrics ProxyMetricsMetrics defines metrics configuration for managed proxies.

ProxyTracing

Appears in:

FieldDescription
samplingRate integerSamplingRate controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. Defaults to 100, valid values [0-100]. 100 indicates 100% sampling.
customTags object (keys:string, values:CustomTag)CustomTags defines the custom tags to add to each span. If provider is kubernetes, pod name and namespace are added by default.
provider TracingProviderProvider defines the tracing provider. Only OpenTelemetry is supported currently.

RateLimit

RateLimit defines the configuration associated with the Rate Limit Service used for Global Rate Limiting.

Appears in:

FieldDescription
backend RateLimitDatabaseBackendBackend holds the configuration associated with the database backend used by the rate limit service to store state associated with global ratelimiting.

RateLimitDatabaseBackend

RateLimitDatabaseBackend defines the configuration associated with the database backend used by the rate limit service.

Appears in:

FieldDescription
type RateLimitDatabaseBackendTypeType is the type of database backend to use. Supported types are: * Redis: Connects to a Redis database.
redis RateLimitRedisSettingsRedis defines the settings needed to connect to a Redis database.

RateLimitDatabaseBackendType

Underlying type: string

RateLimitDatabaseBackendType specifies the types of database backend to be used by the rate limit service.

Appears in:

RateLimitRedisSettings

RateLimitRedisSettings defines the configuration for connecting to redis database.

Appears in:

FieldDescription
url stringURL of the Redis Database.
tls RedisTLSSettingsTLS defines TLS configuration for connecting to redis database.

RedisTLSSettings

RedisTLSSettings defines the TLS configuration for connecting to redis database.

Appears in:

FieldDescription
certificateRef SecretObjectReferenceCertificateRef defines the client certificate reference for TLS connections. Currently only a Kubernetes Secret of type TLS is supported.

RequestHeaderCustomTag

RequestHeaderCustomTag adds value from request header to each span.

Appears in:

FieldDescription
name stringName defines the name of the request header which to extract the value from.
defaultValue stringDefaultValue defines the default value to use if the request header is not set.

ResourceProviderType

Underlying type: string

ResourceProviderType defines the types of custom resource providers supported by Envoy Gateway.

Appears in:

ServiceType

Underlying type: string

ServiceType string describes ingress methods for a service

Appears in:

TracingProvider

Appears in:

FieldDescription
type TracingProviderTypeType defines the tracing provider type. EG currently only supports OpenTelemetry.
host stringHost define the provider service hostname.
port integerPort defines the port the provider service is exposed on.

TracingProviderType

Underlying type: string

Appears in:

XDSTranslatorHook

Underlying type: string

XDSTranslatorHook defines the types of hooks that an Envoy Gateway extension may support for the xds-translator

Appears in:

XDSTranslatorHooks

XDSTranslatorHooks contains all the pre and post hooks for the xds-translator runner.

Appears in:

FieldDescription
pre XDSTranslatorHook array
post XDSTranslatorHook array

2 - Extension APIs

Packages

gateway.envoyproxy.io/v1alpha1

Package v1alpha1 contains API schema definitions for the gateway.envoyproxy.io API group.

Resource Types

AuthenticationFilter

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringAuthenticationFilter
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec AuthenticationFilterSpecSpec defines the desired state of the AuthenticationFilter type.

AuthenticationFilterSpec

AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type.

Appears in:

FieldDescription
type AuthenticationFilterTypeType defines the type of authentication provider to use. Supported provider types are “JWT”.
jwtProviders JwtAuthenticationFilterProvider arrayJWT defines the JSON Web Token (JWT) authentication provider type. When multiple jwtProviders are specified, the JWT is considered valid if any of the providers successfully validate the JWT. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.

AuthenticationFilterType

Underlying type: string

AuthenticationFilterType is a type of authentication provider.

Appears in:

ClaimToHeader

ClaimToHeader defines a configuration to convert JWT claims into HTTP headers

Appears in:

FieldDescription
header stringHeader defines the name of the HTTP request header that the JWT Claim will be saved into.
claim stringClaim is the JWT Claim that should be saved into the header : it can be a nested claim of type (eg. “claim.nested.key”, “sub”). The nested claim name must use dot “.” to separate the JSON name path.

EnvoyJSONPatchConfig

EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource using JSONPatch semantic

Appears in:

FieldDescription
type EnvoyResourceTypeType is the typed URL of the Envoy xDS Resource
name stringName is the name of the resource
operation JSONPatchOperationPatch defines the JSON Patch Operation

EnvoyPatchPolicy

EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API

Appears in:

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringEnvoyPatchPolicy
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec EnvoyPatchPolicySpecSpec defines the desired state of EnvoyPatchPolicy.

EnvoyPatchPolicyList

EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources.

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringEnvoyPatchPolicyList
metadata ListMetaRefer to Kubernetes API documentation for fields of metadata.
items EnvoyPatchPolicy array

EnvoyPatchPolicySpec

EnvoyPatchPolicySpec defines the desired state of EnvoyPatchPolicy.

Appears in:

FieldDescription
type EnvoyPatchTypeType decides the type of patch. Valid EnvoyPatchType values are “JSONPatch”.
jsonPatches EnvoyJSONPatchConfig arrayJSONPatch defines the JSONPatch configuration.
targetRef PolicyTargetReferenceTargetRef is the name of the Gateway API resource this policy is being attached to. Currently only attaching to Gateway is supported This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway TargetRef
priority integerPriority of the EnvoyPatchPolicy. If multiple EnvoyPatchPolicies are applied to the same TargetRef, they will be applied in the ascending order of the priority i.e. int32.min has the highest priority and int32.max has the lowest priority. Defaults to 0.

EnvoyPatchType

Underlying type: string

EnvoyPatchType specifies the types of Envoy patching mechanisms.

Appears in:

EnvoyResourceType

Underlying type: string

EnvoyResourceType specifies the type URL of the Envoy resource.

Appears in:

GlobalRateLimit

GlobalRateLimit defines global rate limit configuration.

Appears in:

FieldDescription
rules RateLimitRule arrayRules are a list of RateLimit selectors and limits. Each rule and its associated limit is applied in a mutually exclusive way i.e. if multiple rules get selected, each of their associated limits get applied, so a single traffic request might increase the rate limit counters for multiple rules if selected.

HeaderMatch

HeaderMatch defines the match attributes within the HTTP Headers of the request.

Appears in:

FieldDescription
type HeaderMatchTypeType specifies how to match against the value of the header.
name stringName of the HTTP header.
value stringValue within the HTTP header. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent. Do not set this field when Type=“Distinct”, implying matching on any/all unique values within the header.

HeaderMatchType

Underlying type: string

HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values are “Exact”, “RegularExpression”, and “Distinct”.

Appears in:

JSONPatchOperation

JSONPatchOperation defines the JSON Patch Operation as defined in https://datatracker.ietf.org/doc/html/rfc6902

Appears in:

FieldDescription
op JSONPatchOperationTypeOp is the type of operation to perform
path stringPath is the location of the target document/field where the operation will be performed Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
value JSONValue is the new value of the path location.

JSONPatchOperationType

Underlying type: string

JSONPatchOperationType specifies the JSON Patch operations that can be performed.

Appears in:

JwtAuthenticationFilterProvider

JwtAuthenticationFilterProvider defines the JSON Web Token (JWT) authentication provider type and how JWTs should be verified:

Appears in:

FieldDescription
name stringName defines a unique name for the JWT provider. A name can have a variety of forms, including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
issuer stringIssuer is the principal that issued the JWT and takes the form of a URL or email address. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided, the JWT issuer is not checked.
audiences string arrayAudiences is a list of JWT audiences allowed access. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences are not checked.
remoteJWKS RemoteJWKSRemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
claimToHeaders ClaimToHeader arrayClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers For examples, following config: The claim must be of type; string, int, double, bool. Array type claims are not supported

RateLimitFilter

RateLimitFilter allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow.

FieldDescription
apiVersion stringgateway.envoyproxy.io/v1alpha1
kind stringRateLimitFilter
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec RateLimitFilterSpecSpec defines the desired state of RateLimitFilter.

RateLimitFilterSpec

RateLimitFilterSpec defines the desired state of RateLimitFilter.

Appears in:

FieldDescription
type RateLimitTypeType decides the scope for the RateLimits. Valid RateLimitType values are “Global”.
global GlobalRateLimitGlobal defines global rate limit configuration.

RateLimitRule

RateLimitRule defines the semantics for matching attributes from the incoming requests, and setting limits for them.

Appears in:

FieldDescription
clientSelectors RateLimitSelectCondition arrayClientSelectors holds the list of select conditions to select specific clients using attributes from the traffic flow. All individual select conditions must hold True for this rule and its limit to be applied. If this field is empty, it is equivalent to True, and the limit is applied.
limit RateLimitValueLimit holds the rate limit values. This limit is applied for traffic flows when the selectors compute to True, causing the request to be counted towards the limit. The limit is enforced and the request is ratelimited, i.e. a response with 429 HTTP status code is sent back to the client when the selected requests have reached the limit.

RateLimitSelectCondition

RateLimitSelectCondition specifies the attributes within the traffic flow that can be used to select a subset of clients to be ratelimited. All the individual conditions must hold True for the overall condition to hold True.

Appears in:

FieldDescription
headers HeaderMatch arrayHeaders is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers.
sourceIP stringDeprecated: Use SourceCIDR instead.
sourceCIDR SourceMatchSourceCIDR is the client IP Address range to match on.

RateLimitType

Underlying type: string

RateLimitType specifies the types of RateLimiting.

Appears in:

RateLimitUnit

Underlying type: string

RateLimitUnit specifies the intervals for setting rate limits. Valid RateLimitUnit values are “Second”, “Minute”, “Hour”, and “Day”.

Appears in:

RateLimitValue

RateLimitValue defines the limits for rate limiting.

Appears in:

FieldDescription
requests integer
unit RateLimitUnit

RemoteJWKS

RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.

Appears in:

FieldDescription
uri stringURI is the HTTPS URI to fetch the JWKS. Envoy’s system trust bundle is used to validate the server certificate.

SourceMatch

Appears in:

FieldDescription
type SourceMatchType
value stringValue is the IP CIDR that represents the range of Source IP Addresses of the client. These could also be the intermediate addresses through which the request has flown through and is part of the X-Forwarded-For header. For example, 192.168.0.1/32, 192.168.0.0/24, 001:db8::/64.

SourceMatchType

Underlying type: string

Appears in: