diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml
index 3a0ec774c..b07a9c16e 100644
--- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml
+++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml
@@ -39,24 +39,33 @@ spec:
 metadata:
 type: object
 spec:
- description: GlobalConfigurationSpec is the spec of the GlobalConfiguration
- resource.
+ description: GlobalConfigurationSpec resource defines the global configuration
+ parameters of the Ingress Controller.
 properties:
 listeners:
+ description: Listeners field of the GlobalConfigurationSpec resource
 items:
 description: Listener defines a listener.
 properties:
 ipv4:
+ description: Specifies the IPv4 address to listen on.
 type: string
 ipv6:
+ description: ipv6 addresse that NGINX will listen on.
 type: string
 name:
+ description: The name of the listener. The name must be unique
+ across all listeners.
 type: string
 port:
+ description: The port on which the listener will accept connections.
 type: integer
 protocol:
+ description: The protocol of the listener. For example, HTTP.
 type: string
 ssl:
+ description: Whether the listener will be listening for SSL
+ connections
 type: boolean
 type: object
 type: array
diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml
index 46745fa74..32ce35382 100644
--- a/config/crd/bases/k8s.nginx.org_policies.yaml
+++ b/config/crd/bases/k8s.nginx.org_policies.yaml
@@ -55,8 +55,7 @@ spec:
 Only one policy (field) is allowed.
 properties:
 accessControl:
- description: AccessControl defines an access policy based on the source
- IP of a request.
+ description: The access control policy based on the client IP address.
 properties:
 allow:
 items:
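Review bot: The ipv6 description in the globalconfigurations hunk reads `ipv6 addresse that NGINX will listen on.`, which misspells "address" and is styled differently from the ipv4 line right above it; `description: Specifies the IPv6 address to listen on.` keeps the pair parallel. The listeners description, `Listeners field of the GlobalConfigurationSpec resource`, restates the field name without saying what the field holds; `A list of listeners.` is more useful and matches the form the virtualserverroutes hunk uses for its lists. The ssl description is the only sentence in the hunk without a terminating period.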
@@ -68,78 +67,146 @@ spec: type: array type: object apiKey: - description: APIKey defines an API Key policy. + description: The API Key policy configures NGINX to authorize requests + which provide a valid API Key in a specified header or query param. properties: clientSecret: + description: The key to which the API key is applied. Can contain + text, variables, or a combination of them. Accepted variables + are $http_, $arg_, $cookie_. type: string suppliedIn: - description: SuppliedIn defines the locations API Key should be - supplied in. + description: The location of the API Key. For example, $http_auth, + $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, + $cookie_. properties: header: + description: The location of the API Key as a request header. + For example, $http_auth. Accepted variables are $http_. items: type: string type: array query: + description: The location of the API Key as a query param. + For example, $arg_apikey. Accepted variables are $arg_. items: type: string type: array type: object type: object basicAuth: - description: BasicAuth holds HTTP Basic authentication configuration + description: The basic auth policy configures NGINX to authenticate + client requests using HTTP Basic authentication credentials. properties: realm: + description: The realm for the basic authentication. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string type: object egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. + description: The EgressMTLS policy configures upstreams authentication + and certificate verification. properties: ciphers: + description: Specifies the enabled ciphers for requests to an + upstream HTTPS server. 
The default is DEFAULT. type: string protocols: + description: Specifies the protocols for requests to an upstream + HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. type: string serverName: + description: Enables passing of the server name through Server + Name Indication extension. type: boolean sessionReuse: + description: Enables reuse of SSL sessions to the upstreams. The + default is true. type: boolean sslName: + description: Allows overriding the server name used to verify + the certificate of the upstream HTTPS server. type: string tlsSecret: + description: The name of the Kubernetes secret that stores the + TLS certificate and key. It must be in the same namespace as + the Policy resource. The secret must be of the type kubernetes.io/tls, + the certificate must be stored in the secret under the key tls.crt, + and the key must be stored under the key tls.key, otherwise + the secret will be rejected as invalid. type: string trustedCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string verifyDepth: + description: Sets the verification depth in the proxied HTTPS + server certificates chain. The default is 1. type: integer verifyServer: + description: Enables verification of the upstream HTTPS server + certificate. type: boolean type: object ingressClassName: + description: Specifies which instance of NGINX Ingress Controller + must handle the Policy resource. type: string ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. + description: The IngressMTLS policy configures client certificate + verification. properties: clientCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. 
It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string crlFileName: + description: The file name of the Certificate Revocation List. + NGINX Ingress Controller will look for this file in /etc/nginx/secrets type: string verifyClient: + description: Verification for the client. Possible values are + "on", "off", "optional", "optional_no_ca". The default is "on". type: string verifyDepth: + description: Sets the verification depth in the client certificates + chain. The default is 1. type: integer type: object jwt: - description: JWTAuth holds JWT authentication configuration. + description: The JWT policy configures NGINX Plus to authenticate + client requests using JSON Web Tokens. properties: jwksURI: + description: The remote URI where the request will be sent to + retrieve JSON Web Key set type: string keyCache: + description: Enables in-memory caching of JWKS (JSON Web Key Sets) + that are obtained from the jwksURI and sets a valid time for + expiration. type: string realm: + description: The realm of the JWT. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string sniEnabled: description: Enables SNI (Server Name Indication) for the JWT 
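Review bot: The new jwt.secret description is copied from basicAuth.secret and documents the wrong secret: it tells users to create a secret of type `nginx.org/htpasswd` with the key `htpasswd`, whereas the JWT policy consumes a JWK set (the JWT secret type in this project is nginx.org/jwk with the key jwk — confirm against the Go type's doc comment and the secret validation code). Operators build secrets from this schema text, so a wrong type or key here leads straight to the policy being rejected, or to a confusing mismatch between docs and validation. The apiKey.clientSecret description (`The key to which the API key is applied. … Accepted variables are $http_, $arg_, $cookie_.`) also looks pasted from the rateLimit key field rather than describing a secret reference; for a field named clientSecret it presumably should name the Kubernetes secret that stores the API keys and the secret type that is required. The egressMTLS.protocols text states `TLSv1 TLSv1.1 TLSv1.2` as the default; if that is the real runtime default it is right to say so, but a short note that TLSv1 and TLSv1.1 are deprecated and can be omitted from the value would help readers choose a safer setting.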
@@ -152,48 +219,93 @@ spec: used. type: string token: + description: 'The token specifies a variable that contains the + JSON Web Token. By default the JWT is passed in the Authorization + header as a Bearer Token. JWT may be also passed as a cookie + or a part of a query string, for example: $cookie_auth_token. + Accepted variables are $http_, $arg_, $cookie_.' type: string type: object oidc: - description: OIDC defines an Open ID Connect policy. + description: The OpenID Connect policy configures NGINX to authenticate + client requests by validating a JWT token against an OAuth2/OIDC + token provider, such as Auth0 or Keycloak. properties: accessTokenEnable: + description: Option of whether Bearer token is used to authorize + NGINX to access protected backend. type: boolean authEndpoint: + description: URL for the authorization endpoint provided by your + OpenID Connect provider. type: string authExtraArgs: + description: A list of extra URL arguments to pass to the authorization + endpoint provided by your OpenID Connect provider. Arguments + must be URL encoded, multiple arguments may be included in the + list, for example [ arg1=value1, arg2=value2 ] items: type: string type: array clientID: + description: The client ID provided by your OpenID Connect provider. type: string clientSecret: + description: The name of the Kubernetes secret that stores the + client secret provided by your OpenID Connect provider. It must + be in the same namespace as the Policy resource. The secret + must be of the type nginx.org/oidc, and the secret under the + key client-secret, otherwise the secret will be rejected as + invalid. If PKCE is enabled, this should be not configured. type: string endSessionEndpoint: + description: URL provided by your OpenID Connect provider to request + the end user be logged out. type: string jwksURI: + description: URL for the JSON Web Key Set (JWK) document provided + by your OpenID Connect provider. 
type: string pkceEnable: + description: Switches Proof Key for Code Exchange on. The OpenID + client needs to be in public mode. clientSecret is not used + in this mode. type: boolean postLogoutRedirectURI: + description: URI to redirect to after the logout has been performed. + Requires endSessionEndpoint. The default is /_logout. type: string redirectURI: + description: Allows overriding the default redirect URI. The default + is /_codexch. type: string scope: + description: List of OpenID Connect scopes. The scope openid always + needs to be present and others can be added concatenating them + with a + sign, for example openid+profile+email, openid+email+userDefinedScope. + The default is openid. type: string tokenEndpoint: + description: URL for the token endpoint provided by your OpenID + Connect provider. type: string zoneSyncLeeway: + description: Specifies the maximum timeout in milliseconds for + synchronizing ID/access tokens and shared values between Ingress + Controller pods. The default is 200. type: integer type: object rateLimit: - description: RateLimit defines a rate limit policy. + description: The rate limit policy controls the rate of processing + requests per a defined key. properties: burst: + description: Excessive requests are delayed until their number + exceeds the burst size, in which case the request is terminated + with an error. type: integer condition: - description: RateLimitCondition defines a condition for a rate - limit policy. + description: Add a condition to a rate-limit policy. properties: default: description: sets the rate limit in this policy to be the 
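Review bot: The oidc.clientSecret description in this hunk is missing its verb: `The secret must be of the type nginx.org/oidc, and the secret under the key client-secret, otherwise …` should read `The secret must be of the type nginx.org/oidc, and the client secret must be stored in the secret under the key client-secret, otherwise …`, matching the phrasing used for the other secret references in the file. Its last sentence, `If PKCE is enabled, this should be not configured.`, reads better as `If PKCE is enabled, this should not be configured.`. The accessTokenEnable text (`Option of whether Bearer token is used to authorize NGINX to access protected backend.`) could state the behavior directly, e.g. `Enables sending the access token as a Bearer token when proxying to the protected backend.` — hedged, since the semantics are only inferable from the field name and the current wording.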
@@ -238,43 +350,89 @@ spec: type: array type: object delay: + description: The delay parameter specifies a limit at which excessive + requests become delayed. If not set all excessive requests are + delayed. type: integer dryRun: + description: Enables the dry run mode. In this mode, the rate + limit is not actually applied, but the number of excessive requests + is accounted as usual in the shared memory zone. type: boolean key: + description: |- + The key to which the rate limit is applied. Can contain text, variables, or a combination of them. + Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are + $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ . type: string logLevel: + description: Sets the desired logging level for cases when the + server refuses to process requests due to rate exceeding, or + delays request processing. Allowed values are info, notice, + warn or error. Default is error. type: string noDelay: + description: Disables the delaying of excessive requests while + requests are being limited. Overrides delay if both are set. type: boolean rate: + description: The rate of requests permitted. The rate is specified + in requests per second (r/s) or requests per minute (r/m). type: string rejectCode: + description: Sets the status code to return in response to rejected + requests. Must fall into the range 400..599. Default is 503. type: integer scale: + description: Enables a constant rate-limit by dividing the configured + rate by the number of nginx-ingress pods currently serving traffic. + This adjustment ensures that the rate-limit remains consistent, + even as the number of nginx-pods fluctuates due to autoscaling. + This will not work properly if requests from a client are not + evenly distributed across all ingress pods (Such as with sticky + sessions, long lived TCP Connections with many requests, and + so forth). 
In such cases using zone-sync instead would give + better results. Enabling zone-sync will suppress this setting. type: boolean zoneSize: + description: Size of the shared memory zone. Only positive values + are allowed. Allowed suffixes are k or m, if none are present + k is assumed. type: string type: object waf: - description: WAF defines an WAF policy. + description: The WAF policy configures WAF and log configuration policies + for NGINX AppProtect properties: apBundle: + description: The App Protect WAF policy bundle. Mutually exclusive + with apPolicy. type: string apPolicy: + description: The App Protect WAF policy of the WAF. Accepts an + optional namespace. Mutually exclusive with apBundle. type: string enable: + description: Enables NGINX App Protect WAF. type: boolean securityLog: description: SecurityLog defines the security log of a WAF policy. properties: apLogBundle: + description: The App Protect WAF log bundle resource. Only + works with apBundle. type: string apLogConf: + description: The App Protect WAF log conf resource. Accepts + an optional namespace. Only works with apPolicy. type: string enable: + description: Enables security log. type: boolean logDest: + description: The log destination for the security log. Only + accepted variables are syslog:server=; localhost; + fqdn>:, stderr, . type: string type: object securityLogs: 
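Review bot: The securityLog.logDest description in this hunk has lost its placeholders: `syslog:server=; localhost; fqdn>:, stderr, .` is what remains after angle-bracketed tokens were stripped (the dangling `fqdn>:` shows it), so the text no longer tells the user which values are accepted. Something like `Accepted values are syslog:server=<ip-address|localhost|fqdn>:<port>, stderr, or <absolute path to file>.` restores the intent — I am reconstructing the placeholders from the surviving fragments, so check them against the source doc comment. The same broken string appears again in the securityLogs items in the next hunk. In the rateLimit.key description, `$url` is most likely a typo for the NGINX `$uri` variable and `$cookie_,$jwt_claim_ .` needs its spacing fixed; that description is also the only one in the file emitted as a `|-` block scalar, which is worth making consistent with the rest.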
@@ -282,25 +440,40 @@ spec:
 description: SecurityLog defines the security log of a WAF policy.
 properties:
 apLogBundle:
+ description: The App Protect WAF log bundle resource. Only
+ works with apBundle.
 type: string
 apLogConf:
+ description: The App Protect WAF log conf resource. Accepts
+ an optional namespace. Only works with apPolicy.
 type: string
 enable:
+ description: Enables security log.
 type: boolean
 logDest:
+ description: The log destination for the security log. Only
+ accepted variables are syslog:server=; localhost;
+ fqdn>:, stderr, .
 type: string
 type: object
 type: array
 type: object
 type: object
 status:
- description: PolicyStatus is the status of the policy resource
+ description: the status of the Policy resource
 properties:
 message:
+ description: The message of the current state of the resource. It
+ can contain more detailed information about the reason.
 type: string
 reason:
+ description: The reason of the current state of the resource.
 type: string
 state:
+ description: 'Represents the current state of the resource. There
+ are three possible values: Valid, Invalid and Warning. Valid indicates
+ that the resource has been validated and accepted by the Ingress
+ Controller. Invalid means the resource failed validation or'
 type: string
 type: object
 type: object
diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml
index 4021c6049..4171b314a 100644
--- a/config/crd/bases/k8s.nginx.org_transportservers.yaml
+++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml
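Review bot: The status.state description in this hunk ends mid-sentence — `… Invalid means the resource failed validation or'` — so the Warning state is never explained. The transportservers status in this same commit carries a complete version of the text; reusing it here, `Represents the current state of the resource. Possible values: Valid (resource validated and accepted), Invalid (validation failed or config reload failed), or Warning (validated but may work in degraded state).`, also keeps the two CRDs consistent. The status description `the status of the Policy resource` should start with a capital letter like its neighbours. The logDest string in the securityLogs items has the same stripped placeholders as the securityLog hunk above it.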
@@ -54,36 +54,57 @@ spec: description: TransportServerSpec is the spec of the TransportServer resource. properties: action: - description: TransportServerAction defines an action. + description: The action to perform for a request. properties: pass: + description: Passes connections/datagrams to an upstream. The + upstream with that name must be defined in the resource. type: string type: object host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServer + resource. type: string listener: - description: TransportServerListener defines a listener for a TransportServer. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: name: + description: The name of a listener defined in a GlobalConfiguration + resource. type: string protocol: + description: The protocol of the listener. type: string type: object serverSnippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string sessionParameters: - description: SessionParameters defines session parameters. + description: The parameters of the session to be used for the Server + context properties: timeout: + description: The timeout between two successive read or write + operations on client or proxied server connections. The default + is 10m. type: string type: object streamSnippets: + description: Sets a custom snippet in the stream context. Overrides + the stream-snippets ConfigMap key. 
type: string tls: - description: TransportServerTLS defines TransportServerTLS configuration - for a TransportServer. + description: The TLS termination configuration. properties: secret: type: string 
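Review bot: Two descriptions in this transportservers hunk were carried over from the VirtualServer CRD and describe the wrong resource: ingressClassName says the controller `must handle the VirtualServer resource`, and listener says `Valid fields are listener.http and listener.https` although the object here has only `name` and `protocol`. Proposed: `description: Specifies which Ingress Controller must handle the TransportServer resource.` and, for listener, `description: Sets a custom listener. The name must reference a listener defined in a GlobalConfiguration resource, and the protocol must match that listener's protocol.` (the protocol constraint is my inference from the field pair — verify it against the validation code). The host description's uniqueness claim, `unique among all Ingress and VirtualServer resources`, may likewise have been copied; for a TransportServer the relevant set presumably includes other TransportServers. The hunk ends part-way through the tls object.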
@@ -92,80 +113,163 @@ spec: description: UpstreamParameters defines parameters for an upstream. properties: connectTimeout: + description: The timeout for establishing a connection with a + proxied server. The default is 60s. type: string nextUpstream: + description: If a connection to the proxied server cannot be established, + determines whether a client connection will be passed to the + next server. The default is true. type: boolean nextUpstreamTimeout: + description: The time allowed to pass a connection to the next + server. The default is 0. type: string nextUpstreamTries: + description: The number of tries for passing a connection to the + next server. The default is 0. type: integer udpRequests: + description: The number of datagrams, after receiving which, the + next datagram from the same client starts a new session. The + default is 0. type: integer udpResponses: + description: The number of datagrams expected from the proxied + server in response to a client datagram. By default, the number + of datagrams is not limited. type: integer type: object upstreams: + description: A list of upstreams. items: description: TransportServerUpstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random, + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer failTimeout: + description: Sets the number of unsuccessful attempts to communicate + with the server that should happen in the duration set by + the failTimeout parameter to consider the server unavailable. + The default is 1. 
type: string healthCheck: - description: TransportServerHealthCheck defines the parameters - for active Upstream HealthChecks. + description: 'The health check configuration for the Upstream. + Note: this feature is supported only in NGINX Plus.' properties: enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string match: - description: TransportServerMatch defines the parameters - of a custom health check. + description: Controls the data to send and the response + to expect for the healthcheck. properties: expect: + description: A literal string or a regular expression + that the data obtained from the server should match. + The regular expression is specified with the preceding + ~* modifier (for case-insensitive matching), or the + ~ modifier (for case-sensitive matching). NGINX Ingress + Controller validates a regular expression using the + RE2 syntax. type: string send: + description: A string to send to an upstream server. type: string type: object passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer timeout: + description: This overrides the timeout set by proxy_timeout + which is set in SessionParameters for health checks. 
The + default value is 5s. type: string type: object loadBalancingMethod: + description: The method used to load balance the upstream servers. + By default, connections are distributed between the servers + using a weighted round-robin balancing method. type: string maxConns: + description: Sets the time during which the specified number + of unsuccessful attempts to communicate with the server should + happen to consider the server unavailable and the period of + time the server will be considered unavailable. The default + is 10s. type: integer maxFails: + description: Sets the number of maximum connections to the proxied + server. Default value is zero, meaning there is no limit. + The default is 0. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and close client connections/ignore datagrams. The port must + fall into the range 1..65535. type: integer service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + close client connections/ignore datagrams. type: string type: object type: array type: object status: - description: TransportServerStatus defines the status for the TransportServer - resource. + description: The status of the TransportServer resource properties: message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string state: + description: 'Represents the current state of the resource. 
Possible + values: Valid (resource validated and accepted), Invalid (validation + failed or config reload failed), or Warning (validated but may work + in degraded state).' type: string type: object type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index 83ba8379e..9b3afbe07 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml 
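Review bot: The failTimeout, maxConns and maxFails descriptions in the upstreams items are rotated relative to their field names: failTimeout carries `Sets the number of unsuccessful attempts … The default is 1.` (the maxFails text), maxConns carries `Sets the time during which the specified number of unsuccessful attempts … The default is 10s.` (the failTimeout text), and maxFails carries `Sets the number of maximum connections … The default is 0.` (the maxConns text, with the default stated twice). The fix is to move each text to its own field: failTimeout gets the 10s window text, maxConns the connection-limit text with a single `The default is 0.`, and maxFails the attempt-count text with default 1. These are the knobs an operator tunes for upstream failover, so the schema help text should not contradict the field names. The hunk starts in the middle of the upstreamParameters object.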
@@ -65,295 +65,461 @@ spec: resource. properties: host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. Must be the same as the host of the + VirtualServer that references this resource. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string subroutes: + description: A list of subroutes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. 
+ description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' 
type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. 
Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. 
properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. 
The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. 
type: string value: + description: The value to match the condition against. type: string variable: + description: The name of an NGINX variable. Must + start with $. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always 
@@ -361,337 +527,655 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. 
+ Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code. 
type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. 
items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. 
properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array upstreams: + description: A list of upstreams. items: description: Upstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random, + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer buffer-size: + description: Sets the size of the buffer used for reading the + first part of a response received from the upstream server. + The default is set in the proxy-buffer-size ConfigMap key. type: string buffering: + description: Enables buffering of responses from the upstream + server. The default is set in the proxy-buffering ConfigMap + key. type: boolean buffers: - description: UpstreamBuffers defines Buffer Configuration for - an Upstream. 
+ description: Configures the buffers used for reading a response + from the upstream server for a single connection. properties: number: + description: Configures the number of buffers. The default + is set in the proxy-buffers ConfigMap key. type: integer size: + description: Configures the size of a buffer. The default + is set in the proxy-buffers ConfigMap key. type: string type: object client-max-body-size: + description: Sets the maximum allowed size of the client request + body. The default is set in the client-max-body-size ConfigMap + key. type: string connect-timeout: + description: The timeout for establishing a connection with + an upstream server. The default is specified in the proxy-connect-timeout + ConfigMap key. type: string fail-timeout: + description: The time during which the specified number of unsuccessful + attempts to communicate with an upstream server should happen + to consider the server unavailable. The default is set in + the fail-timeout ConfigMap key. type: string healthCheck: - description: HealthCheck defines the parameters for active Upstream - HealthChecks. + description: 'The health check configuration for the Upstream. + Note: this feature is supported only in NGINX Plus.' properties: connect-timeout: + description: The timeout for establishing a connection with + an upstream server. By default, the connect-timeout of + the upstream is used. type: string enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer grpcService: + description: The gRPC service to be monitored on the upstream + server. Only valid on gRPC type upstreams. type: string grpcStatus: + description: The expected gRPC status code of the upstream + server response to the Check method. 
Configure this field + only if your gRPC services do not implement the gRPC health + checking protocol. For example, configure 12 if the upstream + server responds with 12 (UNIMPLEMENTED) status code. Only + valid on gRPC type upstreams. type: integer headers: + description: The request headers used for health check requests. + NGINX Plus always sets the Host, User-Agent and Connection + headers for health check requests. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string keepalive-time: + description: Enables keepalive connections for health checks + and specifies the time during which requests can be processed + through one keepalive connection. The default is 60s. type: string mandatory: + description: Require every newly added server to pass all + configured health checks before NGINX Plus sends traffic + to it. If this is not specified, or is set to false, the + server will be initially considered healthy. When combined + with slow-start, it gives a new server more time to connect + to databases and “warm up” before being asked to handle + their full share of traffic. type: boolean passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer path: + description: The path used for health check requests. The + default is /. This is not configurable for gRPC type upstreams. type: string persistent: + description: Set the initial “up” state for a server after + reload if the server was considered healthy before reload. 
+ Enabling persistent requires that the mandatory parameter + is also set to true. type: boolean port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer read-timeout: + description: The timeout for reading a response from an + upstream server. By default, the read-timeout of the upstream + is used. type: string send-timeout: + description: The timeout for transmitting a request to an + upstream server. By default, the send-timeout of the upstream + is used. type: string statusMatch: + description: 'The expected response status codes of a health + check. By default, the response should have status code + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This + not supported for gRPC type upstreams.' type: string tls: - description: UpstreamTLS defines a TLS configuration for - an Upstream. + description: The TLS configuration used for health check + requests. By default, the tls field of the upstream is + used. properties: enable: + description: 'Enables HTTPS for requests to upstream + servers. The default is False , meaning that HTTP + will be used. Note: by default, NGINX will not verify + the upstream server certificate. To enable the verification, + configure an EgressMTLS Policy.' type: boolean type: object type: object keepalive: + description: Configures the cache for connections to upstream + servers. The value 0 disables the cache. The default is set + in the keepalive ConfigMap key. type: integer lb-method: + description: The load balancing method. To use the round-robin + method, specify round_robin. The default is specified in the + lb-method ConfigMap key. type: string max-conns: + description: 'The maximum number of simultaneous active connections + to an upstream server. By default there is no limit. 
Note: + if keepalive connections are enabled, the total number of + active and idle keepalive connections to an upstream server + may exceed the max_conns value.' type: integer max-fails: + description: The number of unsuccessful attempts to communicate + with an upstream server that should happen in the duration + set by the fail-timeout to consider the server unavailable. + The default is set in the max-fails ConfigMap key. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string next-upstream: + description: Specifies in which cases a request should be passed + to the next upstream server. The default is error timeout. type: string next-upstream-timeout: + description: The time during which a request can be passed to + the next upstream server. The 0 value turns off the time limit. + The default is 0. type: string next-upstream-tries: + description: The number of possible tries for passing a request + to the next upstream server. The 0 value turns off this limit. + The default is 0. type: integer ntlm: + description: 'Allows proxying requests with NTLM Authentication. + In order for NTLM authentication to work, it is necessary + to enable keepalive connections to upstream servers using + the keepalive field. Note: this feature is supported only + in NGINX Plus.' type: boolean port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and return a 502 response for requests for this upstream. + The port must fall into the range 1..65535. type: integer queue: - description: UpstreamQueue defines Queue Configuration for an - Upstream. + description: 'Configures a queue for an upstream. 
A client request + will be placed into the queue if an upstream server cannot + be selected immediately while processing the request. By default, + no queue is configured. Note: this feature is supported only + in NGINX Plus.' properties: size: + description: The size of the queue. type: integer timeout: + description: The timeout of the queue. A request cannot + be queued for a period longer than the timeout. The default + is 60s. type: string type: object read-timeout: + description: The timeout for reading a response from an upstream + server. The default is specified in the proxy-read-timeout + ConfigMap key. type: string send-timeout: + description: The timeout for transmitting a request to an upstream + server. The default is specified in the proxy-send-timeout + ConfigMap key. type: string service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + return a 502 response for requests for this upstream. For + NGINX Plus only, services of type ExternalName are also supported + . type: string sessionCookie: - description: SessionCookie defines the parameters for session - persistence. + description: The SessionCookie field configures session persistence + which allows requests from the same client to be passed to + the same upstream server. The information about the designated + upstream server is passed in a session cookie generated by + NGINX Plus. properties: domain: + description: The domain for which the cookie is set. type: string enable: + description: Enables session persistence with a session + cookie for an upstream server. The default is false. type: boolean expires: + description: The time for which a browser should keep the + cookie. Can be set to the special value max, which will + cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. 
type: string httpOnly: + description: Adds the HttpOnly attribute to the cookie. type: boolean name: + description: The name of the cookie. type: string path: + description: The path for which the cookie is set. type: string samesite: + description: 'Adds the SameSite attribute to the cookie. + The allowed values are: strict, lax, none' type: string secure: + description: Adds the Secure attribute to the cookie. type: boolean type: object slow-start: + description: 'The slow start allows an upstream server to gradually + recover its weight from 0 to its nominal value after it has + been recovered or became available or when the server becomes + available after a period of time it was considered unavailable. + By default, the slow start is disabled. Note: The parameter + cannot be used along with the random, hash or ip_hash load + balancing methods and will be ignored.' type: string subselector: additionalProperties: type: string + description: 'Selects the pods within the service using label + keys and values. By default, all pods of the service are selected. + Note: the specified labels are expected to be present in the + pods when they are created. If the pod labels are updated, + NGINX Ingress Controller will not see that change until the + number of the pods is changed.' type: object tls: - description: UpstreamTLS defines a TLS configuration for an - Upstream. + description: The TLS configuration for the Upstream. properties: enable: + description: 'Enables HTTPS for requests to upstream servers. + The default is False , meaning that HTTP will be used. + Note: by default, NGINX will not verify the upstream server + certificate. To enable the verification, configure an + EgressMTLS Policy.' type: boolean type: object type: + description: The type of the upstream. Supported values are + http and grpc. The default is http. For gRPC, it is necessary + to enable HTTP/2 in the ConfigMap and configure TLS termination + in the VirtualServer. 
type: string use-cluster-ip: + description: Enables using the Cluster IP and port of the service + instead of the default behavior of using the IP and port of + the pods. When this field is enabled, the fields that configure + NGINX behavior related to multiple upstream servers (like + lb-method and next-upstream) will have no effect, as NGINX + Ingress Controller will configure NGINX with only one upstream + server that will match the service Cluster IP. type: boolean type: object type: array @@ -701,6 +1185,8 @@ spec: resource. properties: externalEndpoints: + description: Defines the IPs, hostnames and ports used to connect + to this resource. items: description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. @@ -714,12 +1200,20 @@ spec: type: object type: array message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string referencedBy: + description: Defines how other resources reference this resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or NGINX' type: string type: object type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index 8cdf187d3..8e4cafe4e 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml 
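Review bot: The new `state` description in the `@@ -714,12 +1200,20 @@` status hunk stops mid-sentence at `... failed validation or NGINX'`, so the Invalid case is cut off and the Warning value is never explained in what `kubectl explain` will show. This file is controller-gen output, so the fix belongs in the doc comment of the Go status type's `State` field (completing that sentence and adding one for Warning), followed by regenerating the CRDs so the YAML matches. Earlier in the same file, the errorPages hunk has the descriptions of `redirect` (`The canned response action for the given status codes.`) and `return` (`The redirect action for the given status codes.`) swapped, which the same source-comment fix should cover.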
@@ -64,20 +64,26 @@ spec: description: VirtualServerSpec is the spec of the VirtualServer resource. properties: dos: + description: A reference to a DosProtectedResource, setting this enables + DOS protection of the VirtualServer route. type: string externalDNS: - description: ExternalDNS defines externaldns sub-resource of a virtual - server. + description: The externalDNS configuration for a VirtualServer. properties: enable: + description: Enables ExternalDNS integration for a VirtualServer + resource. The default is false. type: boolean labels: additionalProperties: type: string - description: Labels stores labels defined for the Endpoint + description: Configure labels to be applied to the Endpoint resources + that will be consumed by ExternalDNS. type: object providerSpecific: - description: ProviderSpecific stores provider specific config + description: Configure provider specific properties which holds + the name and value of a configuration which is specific to individual + DNS providers. items: description: |- ProviderSpecificProperty defines specific property 
@@ -92,330 +98,515 @@ spec: type: object type: array recordTTL: - description: TTL for the record + description: TTL for the DNS record. This defaults to 0 if not + defined. format: int64 type: integer recordType: + description: The record Type that should be created, e.g. “A”, + “AAAA”, “CNAME”. This is automatically computed based on the + external endpoints if not defined. type: string type: object gunzip: + description: Enables or disables decompression of gzipped responses + for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. + If the gunzip value is not set, it defaults to off. type: boolean host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. type: string http-snippets: + description: Sets a custom snippet in the http context. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string internalRoute: description: InternalRoute allows for the configuration of internal routing. type: boolean listener: - description: VirtualServerListener references a custom http and/or - https listener defined in GlobalConfiguration. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: http: + description: The name of an HTTP listener defined in a GlobalConfiguration + resource. type: string https: + description: The name of an HTTPS listener defined in a GlobalConfiguration + resource. 
type: string type: object policies: + description: A list of policies. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: The name of a policy. If the policy doesn’t exist + or invalid, NGINX will respond with an error response with + the 500 status code. type: string namespace: + description: The namespace of a policy. If not specified, the + namespace of the VirtualServer resource is used. type: string type: object type: array routes: + description: A list of routes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. 
items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. 
properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' 
type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. 
properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. 
The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. 
type: string value: + description: The value to match the condition against. type: string variable: + description: The name of an NGINX variable. Must + start with $. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always 
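Review bot: The descriptions for `errorPages.redirect` and `errorPages.return` are swapped: `redirect` is documented as `The canned response action for the given status codes.` and `return` as `The redirect action for the given status codes.`, the reverse of what each field does and of the route-level `redirect`/`return` descriptions in the same hunk. The `ingressClassName` text (`Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource.`) appears to have been copied from the VirtualServerRoute CRD and does not describe the VirtualServer's own field; `Specifies which Ingress Controller must handle the VirtualServer resource.` fits this file. Several descriptions carry dangling footnote markers (`status code**`, `passed*`, `headers**`, `hidden header fields*`, `NGINX variables*`) that point at footnotes on the documentation site and mean nothing inside a CRD description, so the markers should be removed or the footnote text inlined. The `http-snippets`/`location-snippets`/`server-snippets` descriptions would also benefit from stating that these fields inject raw NGINX configuration and are only honoured when the controller is started with snippets enabled (the -enable-snippets command-line argument), since that is the caveat an administrator reading the schema needs. As this file looks like controller-gen output, all of these fixes belong in the Go type doc comments rather than in the YAML.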
@@ -423,384 +614,763 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. 
+ Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code. 
type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. 
items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. 
properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array server-snippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string tls: - description: TLS defines TLS configuration for a VirtualServer. + description: The TLS termination configuration. properties: cert-manager: - description: CertManager defines a cert manager config for a TLS. + description: The cert-manager configuration of the TLS for a VirtualServer. properties: cluster-issuer: + description: the name of a ClusterIssuer. A ClusterIssuer + is a cert-manager resource which describes the certificate + authority capable of signing certificates. It does not matter + which namespace your VirtualServer resides, as ClusterIssuers + are non-namespaced resources. Please note that one of issuer + and cluster-issuer are required, but they are mutually exclusive + - one and only one must be defined. type: string common-name: + description: This field allows you to configure spec.commonName + for the Certificate to be generated. This configuration + adds a CN to the x509 certificate. 
type: string duration: + description: This field allows you to configure spec.duration + field for the Certificate to be generated. Must be specified + using a Go time.Duration string format, which does not allow + the d (days) suffix. You must specify these values using + s, m, and h suffixes instead. type: string issue-temp-cert: + description: When true, ask cert-manager for a temporary self-signed + certificate pending the issuance of the Certificate. This + allows HTTPS-only servers to use ACME HTTP01 challenges + when the TLS secret does not exist yet. type: boolean issuer: + description: the name of an Issuer. An Issuer is a cert-manager + resource which describes the certificate authority capable + of signing certificates. The Issuer must be in the same + namespace as the VirtualServer resource. Please note that + one of issuer and cluster-issuer are required, but they + are mutually exclusive - one and only one must be defined. type: string issuer-group: + description: The API group of the external issuer controller, + for example awspca.cert-manager.io. This is only necessary + for out-of-tree issuers. This cannot be defined if cluster-issuer + is also defined. type: string issuer-kind: + description: The kind of the external issuer resource, for + example AWSPCAIssuer. This is only necessary for out-of-tree + issuers. This cannot be defined if cluster-issuer is also + defined. type: string renew-before: + description: this annotation allows you to configure spec.renewBefore + field for the Certificate to be generated. Must be specified + using a Go time.Duration string format, which does not allow + the d (days) suffix. You must specify these values using + s, m, and h suffixes instead. type: string usages: + description: This field allows you to configure spec.usages + field for the Certificate to be generated. Pass a string + with comma-separated values i.e. key agreement,digital signature, + server auth. 
An exhaustive list of supported key usages + can be found in the the cert-manager api documentation. type: string type: object redirect: - description: TLSRedirect defines a redirect for a TLS. + description: The redirect configuration of the TLS for a VirtualServer. properties: basedOn: + description: The attribute of a request that NGINX will evaluate + to send a redirect. The allowed values are scheme (the scheme + of the request) or x-forwarded-proto (the X-Forwarded-Proto + header of the request). The default is scheme. type: string code: + description: 'The status code of a redirect. The allowed values + are: 301, 302, 307 or 308. The default is 301.' type: integer enable: + description: Enables a TLS redirect for a VirtualServer. The + default is False. type: boolean type: object secret: + description: The name of a secret with a TLS certificate and key. + The secret must belong to the same namespace as the VirtualServer. + The secret must be of the type kubernetes.io/tls and contain + keys named tls.crt and tls.key that contain the certificate + and private key as described here. If the secret doesn’t exist + or is invalid, NGINX will break any attempt to establish a TLS + connection to the host of the VirtualServer. If the secret is + not specified but wildcard TLS secret is configured, NGINX will + use the wildcard secret for TLS termination. type: string type: object upstreams: + description: A list of upstreams. items: description: Upstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random, + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. 
type: integer buffer-size: + description: Sets the size of the buffer used for reading the + first part of a response received from the upstream server. + The default is set in the proxy-buffer-size ConfigMap key. type: string buffering: + description: Enables buffering of responses from the upstream + server. The default is set in the proxy-buffering ConfigMap + key. type: boolean buffers: - description: UpstreamBuffers defines Buffer Configuration for - an Upstream. + description: Configures the buffers used for reading a response + from the upstream server for a single connection. properties: number: + description: Configures the number of buffers. The default + is set in the proxy-buffers ConfigMap key. type: integer size: + description: Configures the size of a buffer. The default + is set in the proxy-buffers ConfigMap key. type: string type: object client-max-body-size: + description: Sets the maximum allowed size of the client request + body. The default is set in the client-max-body-size ConfigMap + key. type: string connect-timeout: + description: The timeout for establishing a connection with + an upstream server. The default is specified in the proxy-connect-timeout + ConfigMap key. type: string fail-timeout: + description: The time during which the specified number of unsuccessful + attempts to communicate with an upstream server should happen + to consider the server unavailable. The default is set in + the fail-timeout ConfigMap key. type: string healthCheck: - description: HealthCheck defines the parameters for active Upstream - HealthChecks. + description: 'The health check configuration for the Upstream. + Note: this feature is supported only in NGINX Plus.' properties: connect-timeout: + description: The timeout for establishing a connection with + an upstream server. By default, the connect-timeout of + the upstream is used. type: string enable: + description: Enables a health check for an upstream server. + The default is false. 
type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer grpcService: + description: The gRPC service to be monitored on the upstream + server. Only valid on gRPC type upstreams. type: string grpcStatus: + description: The expected gRPC status code of the upstream + server response to the Check method. Configure this field + only if your gRPC services do not implement the gRPC health + checking protocol. For example, configure 12 if the upstream + server responds with 12 (UNIMPLEMENTED) status code. Only + valid on gRPC type upstreams. type: integer headers: + description: The request headers used for health check requests. + NGINX Plus always sets the Host, User-Agent and Connection + headers for health check requests. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string keepalive-time: + description: Enables keepalive connections for health checks + and specifies the time during which requests can be processed + through one keepalive connection. The default is 60s. type: string mandatory: + description: Require every newly added server to pass all + configured health checks before NGINX Plus sends traffic + to it. If this is not specified, or is set to false, the + server will be initially considered healthy. When combined + with slow-start, it gives a new server more time to connect + to databases and “warm up” before being asked to handle + their full share of traffic. 
type: boolean passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer path: + description: The path used for health check requests. The + default is /. This is not configurable for gRPC type upstreams. type: string persistent: + description: Set the initial “up” state for a server after + reload if the server was considered healthy before reload. + Enabling persistent requires that the mandatory parameter + is also set to true. type: boolean port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer read-timeout: + description: The timeout for reading a response from an + upstream server. By default, the read-timeout of the upstream + is used. type: string send-timeout: + description: The timeout for transmitting a request to an + upstream server. By default, the send-timeout of the upstream + is used. type: string statusMatch: + description: 'The expected response status codes of a health + check. By default, the response should have status code + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This + not supported for gRPC type upstreams.' type: string tls: - description: UpstreamTLS defines a TLS configuration for - an Upstream. + description: The TLS configuration used for health check + requests. By default, the tls field of the upstream is + used. properties: enable: + description: 'Enables HTTPS for requests to upstream + servers. The default is False , meaning that HTTP + will be used. Note: by default, NGINX will not verify + the upstream server certificate. To enable the verification, + configure an EgressMTLS Policy.' type: boolean type: object type: object keepalive: + description: Configures the cache for connections to upstream + servers. 
The value 0 disables the cache. The default is set + in the keepalive ConfigMap key. type: integer lb-method: + description: The load balancing method. To use the round-robin + method, specify round_robin. The default is specified in the + lb-method ConfigMap key. type: string max-conns: + description: 'The maximum number of simultaneous active connections + to an upstream server. By default there is no limit. Note: + if keepalive connections are enabled, the total number of + active and idle keepalive connections to an upstream server + may exceed the max_conns value.' type: integer max-fails: + description: The number of unsuccessful attempts to communicate + with an upstream server that should happen in the duration + set by the fail-timeout to consider the server unavailable. + The default is set in the max-fails ConfigMap key. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string next-upstream: + description: Specifies in which cases a request should be passed + to the next upstream server. The default is error timeout. type: string next-upstream-timeout: + description: The time during which a request can be passed to + the next upstream server. The 0 value turns off the time limit. + The default is 0. type: string next-upstream-tries: + description: The number of possible tries for passing a request + to the next upstream server. The 0 value turns off this limit. + The default is 0. type: integer ntlm: + description: 'Allows proxying requests with NTLM Authentication. + In order for NTLM authentication to work, it is necessary + to enable keepalive connections to upstream servers using + the keepalive field. Note: this feature is supported only + in NGINX Plus.' type: boolean port: + description: The port of the service. 
If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and return a 502 response for requests for this upstream. + The port must fall into the range 1..65535. type: integer queue: - description: UpstreamQueue defines Queue Configuration for an - Upstream. + description: 'Configures a queue for an upstream. A client request + will be placed into the queue if an upstream server cannot + be selected immediately while processing the request. By default, + no queue is configured. Note: this feature is supported only + in NGINX Plus.' properties: size: + description: The size of the queue. type: integer timeout: + description: The timeout of the queue. A request cannot + be queued for a period longer than the timeout. The default + is 60s. type: string type: object read-timeout: + description: The timeout for reading a response from an upstream + server. The default is specified in the proxy-read-timeout + ConfigMap key. type: string send-timeout: + description: The timeout for transmitting a request to an upstream + server. The default is specified in the proxy-send-timeout + ConfigMap key. type: string service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + return a 502 response for requests for this upstream. For + NGINX Plus only, services of type ExternalName are also supported + . type: string sessionCookie: - description: SessionCookie defines the parameters for session - persistence. + description: The SessionCookie field configures session persistence + which allows requests from the same client to be passed to + the same upstream server. The information about the designated + upstream server is passed in a session cookie generated by + NGINX Plus. properties: domain: + description: The domain for which the cookie is set. 
type: string enable: + description: Enables session persistence with a session + cookie for an upstream server. The default is false. type: boolean expires: + description: The time for which a browser should keep the + cookie. Can be set to the special value max, which will + cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: + description: Adds the HttpOnly attribute to the cookie. type: boolean name: + description: The name of the cookie. type: string path: + description: The path for which the cookie is set. type: string samesite: + description: 'Adds the SameSite attribute to the cookie. + The allowed values are: strict, lax, none' type: string secure: + description: Adds the Secure attribute to the cookie. type: boolean type: object slow-start: + description: 'The slow start allows an upstream server to gradually + recover its weight from 0 to its nominal value after it has + been recovered or became available or when the server becomes + available after a period of time it was considered unavailable. + By default, the slow start is disabled. Note: The parameter + cannot be used along with the random, hash or ip_hash load + balancing methods and will be ignored.' type: string subselector: additionalProperties: type: string + description: 'Selects the pods within the service using label + keys and values. By default, all pods of the service are selected. + Note: the specified labels are expected to be present in the + pods when they are created. If the pod labels are updated, + NGINX Ingress Controller will not see that change until the + number of the pods is changed.' type: object tls: - description: UpstreamTLS defines a TLS configuration for an - Upstream. + description: The TLS configuration for the Upstream. properties: enable: + description: 'Enables HTTPS for requests to upstream servers. + The default is False , meaning that HTTP will be used. + Note: by default, NGINX will not verify the upstream server + certificate. 
To enable the verification, configure an + EgressMTLS Policy.' type: boolean type: object type: + description: The type of the upstream. Supported values are + http and grpc. The default is http. For gRPC, it is necessary + to enable HTTP/2 in the ConfigMap and configure TLS termination + in the VirtualServer. type: string use-cluster-ip: + description: Enables using the Cluster IP and port of the service + instead of the default behavior of using the IP and port of + the pods. When this field is enabled, the fields that configure + NGINX behavior related to multiple upstream servers (like + lb-method and next-upstream) will have no effect, as NGINX + Ingress Controller will configure NGINX with only one upstream + server that will match the service Cluster IP. type: boolean type: object type: array type: object status: - description: VirtualServerStatus defines the status for the VirtualServer - resource. + description: Status contains the current status of the VirtualServer. properties: externalEndpoints: items: diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 512f816d1..5b80d9dff 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml 
@@ -135,24 +135,33 @@ spec: metadata: type: object spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration - resource. + description: GlobalConfigurationSpec resource defines the global configuration + parameters of the Ingress Controller. properties: listeners: + description: Listeners field of the GlobalConfigurationSpec resource items: description: Listener defines a listener. properties: ipv4: + description: Specifies the IPv4 address to listen on. type: string ipv6: + description: ipv6 addresse that NGINX will listen on. type: string name: + description: The name of the listener. The name must be unique + across all listeners. type: string port: + description: The port on which the listener will accept connections. type: integer protocol: + description: The protocol of the listener. For example, HTTP. type: string ssl: + description: Whether the listener will be listening for SSL + connections type: boolean type: object type: array @@ -217,8 +226,7 @@ spec: Only one policy (field) is allowed. properties: accessControl: - description: AccessControl defines an access policy based on the source - IP of a request. + description: The access control policy based on the client IP address. properties: allow: items: 
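Review bot: The ipv6 listener description in the first hunk on this line has a typo, `ipv6 addresse that NGINX will listen on.`, and is phrased differently from its ipv4 sibling; `Specifies the IPv6 address to listen on.` fixes both. The ssl description `Whether the listener will be listening for SSL connections` also lacks the terminating period every other field has, and `Listeners field of the GlobalConfigurationSpec resource` only restates the field name where `The listeners exposed by NGINX for TransportServer and VirtualServer resources.` or similar would tell a reader something. If this file is generated from the Go type comments, the fix belongs on the Listener and GlobalConfigurationSpec types rather than in the YAML.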
@@ -230,78 +238,146 @@ spec: type: array type: object apiKey: - description: APIKey defines an API Key policy. + description: The API Key policy configures NGINX to authorize requests + which provide a valid API Key in a specified header or query param. properties: clientSecret: + description: The key to which the API key is applied. Can contain + text, variables, or a combination of them. Accepted variables + are $http_, $arg_, $cookie_. type: string suppliedIn: - description: SuppliedIn defines the locations API Key should be - supplied in. + description: The location of the API Key. For example, $http_auth, + $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, + $cookie_. properties: header: + description: The location of the API Key as a request header. + For example, $http_auth. Accepted variables are $http_. items: type: string type: array query: + description: The location of the API Key as a query param. + For example, $arg_apikey. Accepted variables are $arg_. items: type: string type: array type: object type: object basicAuth: - description: BasicAuth holds HTTP Basic authentication configuration + description: The basic auth policy configures NGINX to authenticate + client requests using HTTP Basic authentication credentials. properties: realm: + description: The realm for the basic authentication. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string type: object egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. + description: The EgressMTLS policy configures upstreams authentication + and certificate verification. properties: ciphers: + description: Specifies the enabled ciphers for requests to an + upstream HTTPS server. 
The default is DEFAULT. type: string protocols: + description: Specifies the protocols for requests to an upstream + HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. type: string serverName: + description: Enables passing of the server name through Server + Name Indication extension. type: boolean sessionReuse: + description: Enables reuse of SSL sessions to the upstreams. The + default is true. type: boolean sslName: + description: Allows overriding the server name used to verify + the certificate of the upstream HTTPS server. type: string tlsSecret: + description: The name of the Kubernetes secret that stores the + TLS certificate and key. It must be in the same namespace as + the Policy resource. The secret must be of the type kubernetes.io/tls, + the certificate must be stored in the secret under the key tls.crt, + and the key must be stored under the key tls.key, otherwise + the secret will be rejected as invalid. type: string trustedCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string verifyDepth: + description: Sets the verification depth in the proxied HTTPS + server certificates chain. The default is 1. type: integer verifyServer: + description: Enables verification of the upstream HTTPS server + certificate. type: boolean type: object ingressClassName: + description: Specifies which instance of NGINX Ingress Controller + must handle the Policy resource. type: string ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. + description: The IngressMTLS policy configures client certificate + verification. properties: clientCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. 
It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string crlFileName: + description: The file name of the Certificate Revocation List. + NGINX Ingress Controller will look for this file in /etc/nginx/secrets type: string verifyClient: + description: Verification for the client. Possible values are + "on", "off", "optional", "optional_no_ca". The default is "on". type: string verifyDepth: + description: Sets the verification depth in the client certificates + chain. The default is 1. type: integer type: object jwt: - description: JWTAuth holds JWT authentication configuration. + description: The JWT policy configures NGINX Plus to authenticate + client requests using JSON Web Tokens. properties: jwksURI: + description: The remote URI where the request will be sent to + retrieve JSON Web Key set type: string keyCache: + description: Enables in-memory caching of JWKS (JSON Web Key Sets) + that are obtained from the jwksURI and sets a valid time for + expiration. type: string realm: + description: The realm of the JWT. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string sniEnabled: description: Enables SNI (Server Name Indication) for the JWT 
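Review bot: The jwt.secret description at the end of this hunk is the basicAuth text copied verbatim — it tells users the secret must be of type nginx.org/htpasswd with the config stored under the key htpasswd, which is the wrong secret contract for the JWT policy and points operators at a secret that validation will then reject. It should describe the JWK secret instead, along the lines of `The name of the Kubernetes secret that stores the JWK. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/jwk, and the JWK must be stored in the secret under the key jwk, otherwise the secret will be rejected as invalid.` The egressMTLS and ingressMTLS secret descriptions in the same hunk follow the correct pattern for their own secret types, so only the jwt one needs changing. If this file is generated from Go type comments, the JWTAuth type's comment is where the copy-paste happened.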
@@ -314,48 +390,93 @@ spec: used. type: string token: + description: 'The token specifies a variable that contains the + JSON Web Token. By default the JWT is passed in the Authorization + header as a Bearer Token. JWT may be also passed as a cookie + or a part of a query string, for example: $cookie_auth_token. + Accepted variables are $http_, $arg_, $cookie_.' type: string type: object oidc: - description: OIDC defines an Open ID Connect policy. + description: The OpenID Connect policy configures NGINX to authenticate + client requests by validating a JWT token against an OAuth2/OIDC + token provider, such as Auth0 or Keycloak. properties: accessTokenEnable: + description: Option of whether Bearer token is used to authorize + NGINX to access protected backend. type: boolean authEndpoint: + description: URL for the authorization endpoint provided by your + OpenID Connect provider. type: string authExtraArgs: + description: A list of extra URL arguments to pass to the authorization + endpoint provided by your OpenID Connect provider. Arguments + must be URL encoded, multiple arguments may be included in the + list, for example [ arg1=value1, arg2=value2 ] items: type: string type: array clientID: + description: The client ID provided by your OpenID Connect provider. type: string clientSecret: + description: The name of the Kubernetes secret that stores the + client secret provided by your OpenID Connect provider. It must + be in the same namespace as the Policy resource. The secret + must be of the type nginx.org/oidc, and the secret under the + key client-secret, otherwise the secret will be rejected as + invalid. If PKCE is enabled, this should be not configured. type: string endSessionEndpoint: + description: URL provided by your OpenID Connect provider to request + the end user be logged out. type: string jwksURI: + description: URL for the JSON Web Key Set (JWK) document provided + by your OpenID Connect provider. 
type: string pkceEnable: + description: Switches Proof Key for Code Exchange on. The OpenID + client needs to be in public mode. clientSecret is not used + in this mode. type: boolean postLogoutRedirectURI: + description: URI to redirect to after the logout has been performed. + Requires endSessionEndpoint. The default is /_logout. type: string redirectURI: + description: Allows overriding the default redirect URI. The default + is /_codexch. type: string scope: + description: List of OpenID Connect scopes. The scope openid always + needs to be present and others can be added concatenating them + with a + sign, for example openid+profile+email, openid+email+userDefinedScope. + The default is openid. type: string tokenEndpoint: + description: URL for the token endpoint provided by your OpenID + Connect provider. type: string zoneSyncLeeway: + description: Specifies the maximum timeout in milliseconds for + synchronizing ID/access tokens and shared values between Ingress + Controller pods. The default is 200. type: integer type: object rateLimit: - description: RateLimit defines a rate limit policy. + description: The rate limit policy controls the rate of processing + requests per a defined key. properties: burst: + description: Excessive requests are delayed until their number + exceeds the burst size, in which case the request is terminated + with an error. type: integer condition: - description: RateLimitCondition defines a condition for a rate - limit policy. + description: Add a condition to a rate-limit policy. properties: default: description: sets the rate limit in this policy to be the 
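Review bot: The oidc.clientSecret description in this hunk is missing a verb in its secret-layout sentence, `must be of the type nginx.org/oidc, and the secret under the key client-secret`; it should read `must be of the type nginx.org/oidc, and the client secret must be stored in the secret under the key client-secret`. Its last sentence, `If PKCE is enabled, this should be not configured.`, reads better as `If PKCE is enabled, this must not be configured.`, which also matches the pkceEnable description stating that clientSecret is not used in that mode. The jwt.token description at the top of the hunk is fine, but `JWT may be also passed` should be `The JWT may also be passed`.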
@@ -400,43 +521,89 @@ spec: type: array type: object delay: + description: The delay parameter specifies a limit at which excessive + requests become delayed. If not set all excessive requests are + delayed. type: integer dryRun: + description: Enables the dry run mode. In this mode, the rate + limit is not actually applied, but the number of excessive requests + is accounted as usual in the shared memory zone. type: boolean key: + description: |- + The key to which the rate limit is applied. Can contain text, variables, or a combination of them. + Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are + $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ . type: string logLevel: + description: Sets the desired logging level for cases when the + server refuses to process requests due to rate exceeding, or + delays request processing. Allowed values are info, notice, + warn or error. Default is error. type: string noDelay: + description: Disables the delaying of excessive requests while + requests are being limited. Overrides delay if both are set. type: boolean rate: + description: The rate of requests permitted. The rate is specified + in requests per second (r/s) or requests per minute (r/m). type: string rejectCode: + description: Sets the status code to return in response to rejected + requests. Must fall into the range 400..599. Default is 503. type: integer scale: + description: Enables a constant rate-limit by dividing the configured + rate by the number of nginx-ingress pods currently serving traffic. + This adjustment ensures that the rate-limit remains consistent, + even as the number of nginx-pods fluctuates due to autoscaling. + This will not work properly if requests from a client are not + evenly distributed across all ingress pods (Such as with sticky + sessions, long lived TCP Connections with many requests, and + so forth). 
In such cases using zone-sync instead would give + better results. Enabling zone-sync will suppress this setting. type: boolean zoneSize: + description: Size of the shared memory zone. Only positive values + are allowed. Allowed suffixes are k or m, if none are present + k is assumed. type: string type: object waf: - description: WAF defines an WAF policy. + description: The WAF policy configures WAF and log configuration policies + for NGINX AppProtect properties: apBundle: + description: The App Protect WAF policy bundle. Mutually exclusive + with apPolicy. type: string apPolicy: + description: The App Protect WAF policy of the WAF. Accepts an + optional namespace. Mutually exclusive with apBundle. type: string enable: + description: Enables NGINX App Protect WAF. type: boolean securityLog: description: SecurityLog defines the security log of a WAF policy. properties: apLogBundle: + description: The App Protect WAF log bundle resource. Only + works with apBundle. type: string apLogConf: + description: The App Protect WAF log conf resource. Accepts + an optional namespace. Only works with apPolicy. type: string enable: + description: Enables security log. type: boolean logDest: + description: The log destination for the security log. Only + accepted variables are syslog:server=; localhost; + fqdn>:, stderr, . type: string type: object securityLogs: 
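Review bot: The waf.securityLog.logDest description in this hunk is garbled, `syslog:server=; localhost; fqdn>:, stderr, .`: the angle-bracketed placeholders have been lost, leaving a dangling `fqdn>` and empty list items, so a reader cannot tell what values are accepted. Unless the brackets are present in the file and were only stripped by the rendering, it should read `The log destination for the security log. Accepted values are syslog:server=<ip-address | localhost; fqdn>:<port>, stderr, or <absolute path to file>.`; the securityLogs copy of the same text in the next hunk has the identical problem. The rateLimit.key description also has stray spacing in its variable list, `$cookie_,$jwt_claim_ .`, which should be `$cookie_, $jwt_claim_.`, and the waf description ending in `for NGINX AppProtect` is missing its period.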
@@ -444,25 +611,40 @@ spec: description: SecurityLog defines the security log of a WAF policy. properties: apLogBundle: + description: The App Protect WAF log bundle resource. Only + works with apBundle. type: string apLogConf: + description: The App Protect WAF log conf resource. Accepts + an optional namespace. Only works with apPolicy. type: string enable: + description: Enables security log. type: boolean logDest: + description: The log destination for the security log. Only + accepted variables are syslog:server=; localhost; + fqdn>:, stderr, . type: string type: object type: array type: object type: object status: - description: PolicyStatus is the status of the policy resource + description: the status of the Policy resource properties: message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or' type: string type: object type: object 
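Review bot: The status.state description at the end of this hunk is cut off mid-sentence, `Invalid means the resource failed validation or`, so the Invalid and Warning states are never explained. The TransportServer status later in this same diff spells the three states out completely; reusing that wording here, `Represents the current state of the resource. Possible values: Valid (resource validated and accepted), Invalid (validation failed or config reload failed), or Warning (validated but may work in degraded state).`, keeps the two resources consistent. The parent description `the status of the Policy resource` should also start with a capital letter and end with a period like every other description in the file.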
@@ -526,36 +708,57 @@ spec: description: TransportServerSpec is the spec of the TransportServer resource. properties: action: - description: TransportServerAction defines an action. + description: The action to perform for a request. properties: pass: + description: Passes connections/datagrams to an upstream. The + upstream with that name must be defined in the resource. type: string type: object host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServer + resource. type: string listener: - description: TransportServerListener defines a listener for a TransportServer. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: name: + description: The name of a listener defined in a GlobalConfiguration + resource. type: string protocol: + description: The protocol of the listener. type: string type: object serverSnippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string sessionParameters: - description: SessionParameters defines session parameters. + description: The parameters of the session to be used for the Server + context properties: timeout: + description: The timeout between two successive read or write + operations on client or proxied server connections. The default + is 10m. type: string type: object streamSnippets: + description: Sets a custom snippet in the stream context. Overrides + the stream-snippets ConfigMap key. 
type: string tls: - description: TransportServerTLS defines TransportServerTLS configuration - for a TransportServer. + description: The TLS termination configuration. properties: secret: type: string 
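Review bot: Several descriptions in this hunk were copied from the VirtualServer type and do not describe a TransportServer: listener says `Valid fields are listener.http and listener.https` although the object under it has only name and protocol, ingressClassName says it selects the controller for the `VirtualServer resource`, and host says the value must be unique `among all Ingress and VirtualServer resources`. For listener, something like `The listener on NGINX that the TransportServer is attached to. name must reference a listener defined in a GlobalConfiguration resource.` reflects the fields actually present; ingressClassName needs `TransportServer` substituted for `VirtualServer`, and the host uniqueness sentence should be checked against what the controller actually enforces for TransportServer hosts before it is kept. The tls.secret field at the end of the hunk is the only field left without a description while its siblings all gained one.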
@@ -564,80 +767,163 @@ spec: description: UpstreamParameters defines parameters for an upstream. properties: connectTimeout: + description: The timeout for establishing a connection with a + proxied server. The default is 60s. type: string nextUpstream: + description: If a connection to the proxied server cannot be established, + determines whether a client connection will be passed to the + next server. The default is true. type: boolean nextUpstreamTimeout: + description: The time allowed to pass a connection to the next + server. The default is 0. type: string nextUpstreamTries: + description: The number of tries for passing a connection to the + next server. The default is 0. type: integer udpRequests: + description: The number of datagrams, after receiving which, the + next datagram from the same client starts a new session. The + default is 0. type: integer udpResponses: + description: The number of datagrams expected from the proxied + server in response to a client datagram. By default, the number + of datagrams is not limited. type: integer type: object upstreams: + description: A list of upstreams. items: description: TransportServerUpstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random, + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer failTimeout: + description: Sets the number of unsuccessful attempts to communicate + with the server that should happen in the duration set by + the failTimeout parameter to consider the server unavailable. + The default is 1. 
type: string healthCheck: - description: TransportServerHealthCheck defines the parameters - for active Upstream HealthChecks. + description: 'The health check configuration for the Upstream. + Note: this feature is supported only in NGINX Plus.' properties: enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string match: - description: TransportServerMatch defines the parameters - of a custom health check. + description: Controls the data to send and the response + to expect for the healthcheck. properties: expect: + description: A literal string or a regular expression + that the data obtained from the server should match. + The regular expression is specified with the preceding + ~* modifier (for case-insensitive matching), or the + ~ modifier (for case-sensitive matching). NGINX Ingress + Controller validates a regular expression using the + RE2 syntax. type: string send: + description: A string to send to an upstream server. type: string type: object passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer timeout: + description: This overrides the timeout set by proxy_timeout + which is set in SessionParameters for health checks. 
The + default value is 5s. type: string type: object loadBalancingMethod: + description: The method used to load balance the upstream servers. + By default, connections are distributed between the servers + using a weighted round-robin balancing method. type: string maxConns: + description: Sets the time during which the specified number + of unsuccessful attempts to communicate with the server should + happen to consider the server unavailable and the period of + time the server will be considered unavailable. The default + is 10s. type: integer maxFails: + description: Sets the number of maximum connections to the proxied + server. Default value is zero, meaning there is no limit. + The default is 0. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and close client connections/ignore datagrams. The port must + fall into the range 1..65535. type: integer service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + close client connections/ignore datagrams. type: string type: object type: array type: object status: - description: TransportServerStatus defines the status for the TransportServer - resource. + description: The status of the TransportServer resource properties: message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string state: + description: 'Represents the current state of the resource. 
Possible + values: Valid (resource validated and accepted), Invalid (validation + failed or config reload failed), or Warning (validated but may work + in degraded state).' type: string type: object type: object 
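Review bot: The failTimeout, maxConns and maxFails descriptions in this hunk are rotated one position: failTimeout carries the attempts-count text with `The default is 1`, maxConns carries the time-window text with `The default is 10s`, and maxFails carries the connection-limit text with `The default is 0`. Each field's wording and default belong to its neighbour, so a reader sizing an upstream would read a duration for a connection limit; the three descriptions need to be moved so that failTimeout gets the text now under maxConns, maxConns gets the text now under maxFails, and maxFails gets the text now under failTimeout. The text now under maxFails also states its default twice, `Default value is zero, meaning there is no limit. The default is 0.`, and one of the two sentences should go. If this file is generated, the Go comments on the TransportServerUpstream type are where the rotation happened.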
@@ -712,295 +998,461 @@ spec: resource. properties: host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. Must be the same as the host of the + VirtualServer that references this resource. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string subroutes: + description: A list of subroutes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. 
+ description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' 
type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. 
Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. 
properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. 
The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. 
type: string value: + description: The value to match the condition against. type: string variable: + description: The name of an NGINX variable. Must + start with $. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always 
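Review bot: In the errorPages block of this hunk the two new descriptions are swapped: `redirect` now reads "The canned response action for the given status codes." and `return` reads "The redirect action for the given status codes.", which is the opposite of what each field does. They should be `redirect: description: The redirect action for the given status codes.` and `return: description: The canned response action for the given status codes.` Several descriptions in this hunk also carry Markdown footnote markers with no referent (`status code**`, `passed*`, `headers**`, `fields*`, `variables*`) and a pointer to "the rewrite example" that does not exist in the schema; these surface verbatim in `kubectl explain`, so the markers should be dropped and the reference either linked or removed. The same markers appear in the next hunk. If this file is generated from the Go type comments, as the config/crd/bases path suggests, the fix belongs in those comments with the CRD regenerated.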
@@ -1008,337 +1460,655 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. 
+ Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code. 
type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. 
items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. 
properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array upstreams: + description: A list of upstreams. items: description: Upstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random, + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer buffer-size: + description: Sets the size of the buffer used for reading the + first part of a response received from the upstream server. + The default is set in the proxy-buffer-size ConfigMap key. type: string buffering: + description: Enables buffering of responses from the upstream + server. The default is set in the proxy-buffering ConfigMap + key. type: boolean buffers: - description: UpstreamBuffers defines Buffer Configuration for - an Upstream. 
+ description: Configures the buffers used for reading a response + from the upstream server for a single connection. properties: number: + description: Configures the number of buffers. The default + is set in the proxy-buffers ConfigMap key. type: integer size: + description: Configures the size of a buffer. The default + is set in the proxy-buffers ConfigMap key. type: string type: object client-max-body-size: + description: Sets the maximum allowed size of the client request + body. The default is set in the client-max-body-size ConfigMap + key. type: string connect-timeout: + description: The timeout for establishing a connection with + an upstream server. The default is specified in the proxy-connect-timeout + ConfigMap key. type: string fail-timeout: + description: The time during which the specified number of unsuccessful + attempts to communicate with an upstream server should happen + to consider the server unavailable. The default is set in + the fail-timeout ConfigMap key. type: string healthCheck: - description: HealthCheck defines the parameters for active Upstream - HealthChecks. + description: 'The health check configuration for the Upstream. + Note: this feature is supported only in NGINX Plus.' properties: connect-timeout: + description: The timeout for establishing a connection with + an upstream server. By default, the connect-timeout of + the upstream is used. type: string enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer grpcService: + description: The gRPC service to be monitored on the upstream + server. Only valid on gRPC type upstreams. type: string grpcStatus: + description: The expected gRPC status code of the upstream + server response to the Check method. 
Configure this field + only if your gRPC services do not implement the gRPC health + checking protocol. For example, configure 12 if the upstream + server responds with 12 (UNIMPLEMENTED) status code. Only + valid on gRPC type upstreams. type: integer headers: + description: The request headers used for health check requests. + NGINX Plus always sets the Host, User-Agent and Connection + headers for health check requests. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string keepalive-time: + description: Enables keepalive connections for health checks + and specifies the time during which requests can be processed + through one keepalive connection. The default is 60s. type: string mandatory: + description: Require every newly added server to pass all + configured health checks before NGINX Plus sends traffic + to it. If this is not specified, or is set to false, the + server will be initially considered healthy. When combined + with slow-start, it gives a new server more time to connect + to databases and “warm up” before being asked to handle + their full share of traffic. type: boolean passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer path: + description: The path used for health check requests. The + default is /. This is not configurable for gRPC type upstreams. type: string persistent: + description: Set the initial “up” state for a server after + reload if the server was considered healthy before reload. 
+ Enabling persistent requires that the mandatory parameter + is also set to true. type: boolean port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer read-timeout: + description: The timeout for reading a response from an + upstream server. By default, the read-timeout of the upstream + is used. type: string send-timeout: + description: The timeout for transmitting a request to an + upstream server. By default, the send-timeout of the upstream + is used. type: string statusMatch: + description: 'The expected response status codes of a health + check. By default, the response should have status code + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This + not supported for gRPC type upstreams.' type: string tls: - description: UpstreamTLS defines a TLS configuration for - an Upstream. + description: The TLS configuration used for health check + requests. By default, the tls field of the upstream is + used. properties: enable: + description: 'Enables HTTPS for requests to upstream + servers. The default is False , meaning that HTTP + will be used. Note: by default, NGINX will not verify + the upstream server certificate. To enable the verification, + configure an EgressMTLS Policy.' type: boolean type: object type: object keepalive: + description: Configures the cache for connections to upstream + servers. The value 0 disables the cache. The default is set + in the keepalive ConfigMap key. type: integer lb-method: + description: The load balancing method. To use the round-robin + method, specify round_robin. The default is specified in the + lb-method ConfigMap key. type: string max-conns: + description: 'The maximum number of simultaneous active connections + to an upstream server. By default there is no limit. 
Note: + if keepalive connections are enabled, the total number of + active and idle keepalive connections to an upstream server + may exceed the max_conns value.' type: integer max-fails: + description: The number of unsuccessful attempts to communicate + with an upstream server that should happen in the duration + set by the fail-timeout to consider the server unavailable. + The default is set in the max-fails ConfigMap key. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string next-upstream: + description: Specifies in which cases a request should be passed + to the next upstream server. The default is error timeout. type: string next-upstream-timeout: + description: The time during which a request can be passed to + the next upstream server. The 0 value turns off the time limit. + The default is 0. type: string next-upstream-tries: + description: The number of possible tries for passing a request + to the next upstream server. The 0 value turns off this limit. + The default is 0. type: integer ntlm: + description: 'Allows proxying requests with NTLM Authentication. + In order for NTLM authentication to work, it is necessary + to enable keepalive connections to upstream servers using + the keepalive field. Note: this feature is supported only + in NGINX Plus.' type: boolean port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and return a 502 response for requests for this upstream. + The port must fall into the range 1..65535. type: integer queue: - description: UpstreamQueue defines Queue Configuration for an - Upstream. + description: 'Configures a queue for an upstream. 
A client request + will be placed into the queue if an upstream server cannot + be selected immediately while processing the request. By default, + no queue is configured. Note: this feature is supported only + in NGINX Plus.' properties: size: + description: The size of the queue. type: integer timeout: + description: The timeout of the queue. A request cannot + be queued for a period longer than the timeout. The default + is 60s. type: string type: object read-timeout: + description: The timeout for reading a response from an upstream + server. The default is specified in the proxy-read-timeout + ConfigMap key. type: string send-timeout: + description: The timeout for transmitting a request to an upstream + server. The default is specified in the proxy-send-timeout + ConfigMap key. type: string service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + return a 502 response for requests for this upstream. For + NGINX Plus only, services of type ExternalName are also supported + . type: string sessionCookie: - description: SessionCookie defines the parameters for session - persistence. + description: The SessionCookie field configures session persistence + which allows requests from the same client to be passed to + the same upstream server. The information about the designated + upstream server is passed in a session cookie generated by + NGINX Plus. properties: domain: + description: The domain for which the cookie is set. type: string enable: + description: Enables session persistence with a session + cookie for an upstream server. The default is false. type: boolean expires: + description: The time for which a browser should keep the + cookie. Can be set to the special value max, which will + cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. 
type: string httpOnly: + description: Adds the HttpOnly attribute to the cookie. type: boolean name: + description: The name of the cookie. type: string path: + description: The path for which the cookie is set. type: string samesite: + description: 'Adds the SameSite attribute to the cookie. + The allowed values are: strict, lax, none' type: string secure: + description: Adds the Secure attribute to the cookie. type: boolean type: object slow-start: + description: 'The slow start allows an upstream server to gradually + recover its weight from 0 to its nominal value after it has + been recovered or became available or when the server becomes + available after a period of time it was considered unavailable. + By default, the slow start is disabled. Note: The parameter + cannot be used along with the random, hash or ip_hash load + balancing methods and will be ignored.' type: string subselector: additionalProperties: type: string + description: 'Selects the pods within the service using label + keys and values. By default, all pods of the service are selected. + Note: the specified labels are expected to be present in the + pods when they are created. If the pod labels are updated, + NGINX Ingress Controller will not see that change until the + number of the pods is changed.' type: object tls: - description: UpstreamTLS defines a TLS configuration for an - Upstream. + description: The TLS configuration for the Upstream. properties: enable: + description: 'Enables HTTPS for requests to upstream servers. + The default is False , meaning that HTTP will be used. + Note: by default, NGINX will not verify the upstream server + certificate. To enable the verification, configure an + EgressMTLS Policy.' type: boolean type: object type: + description: The type of the upstream. Supported values are + http and grpc. The default is http. For gRPC, it is necessary + to enable HTTP/2 in the ConfigMap and configure TLS termination + in the VirtualServer. 
type: string use-cluster-ip: + description: Enables using the Cluster IP and port of the service + instead of the default behavior of using the IP and port of + the pods. When this field is enabled, the fields that configure + NGINX behavior related to multiple upstream servers (like + lb-method and next-upstream) will have no effect, as NGINX + Ingress Controller will configure NGINX with only one upstream + server that will match the service Cluster IP. type: boolean type: object type: array @@ -1348,6 +2118,8 @@ spec: resource. properties: externalEndpoints: + description: Defines the IPs, hostnames and ports used to connect + to this resource. items: description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. @@ -1361,12 +2133,20 @@ spec: type: object type: array message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string referencedBy: + description: Defines how other resources reference this resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or NGINX' type: string type: object type: object 
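Review bot: The new `state` description in the `@@ -1361,12 +2133,20 @@` hunk stops mid-sentence — the quoted scalar closes right after `Invalid means the resource failed validation or NGINX'`, so `kubectl explain` will print a truncated clause. Either finish the sentence or cut it back to `Invalid means the resource failed validation.`; the third listed value, Warning, is also named but never explained and deserves its own short clause. The `message`, `reason` and `referencedBy` texts in the same hunk read fine.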
@@ -1440,20 +2220,26 @@ spec: description: VirtualServerSpec is the spec of the VirtualServer resource. properties: dos: + description: A reference to a DosProtectedResource, setting this enables + DOS protection of the VirtualServer route. type: string externalDNS: - description: ExternalDNS defines externaldns sub-resource of a virtual - server. + description: The externalDNS configuration for a VirtualServer. properties: enable: + description: Enables ExternalDNS integration for a VirtualServer + resource. The default is false. type: boolean labels: additionalProperties: type: string - description: Labels stores labels defined for the Endpoint + description: Configure labels to be applied to the Endpoint resources + that will be consumed by ExternalDNS. type: object providerSpecific: - description: ProviderSpecific stores provider specific config + description: Configure provider specific properties which holds + the name and value of a configuration which is specific to individual + DNS providers. items: description: |- ProviderSpecificProperty defines specific property 
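Review bot: The spec-level `dos` description added at the top of this hunk says it enables DOS protection "of the VirtualServer route", which appears to be the wording of the per-route `dos` field copied up a level; at spec level the reference applies to the whole VirtualServer, so `description: A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer.` would be accurate. The `providerSpecific` text in the same hunk is also hard to parse ("properties which holds the name and value of a configuration"); something like `description: Provider-specific properties, each a name/value pair consumed by an individual DNS provider.` keeps the meaning and reads cleanly.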
@@ -1468,330 +2254,515 @@ spec: type: object type: array recordTTL: - description: TTL for the record + description: TTL for the DNS record. This defaults to 0 if not + defined. format: int64 type: integer recordType: + description: The record Type that should be created, e.g. “A”, + “AAAA”, “CNAME”. This is automatically computed based on the + external endpoints if not defined. type: string type: object gunzip: + description: Enables or disables decompression of gzipped responses + for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. + If the gunzip value is not set, it defaults to off. type: boolean host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. type: string http-snippets: + description: Sets a custom snippet in the http context. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string internalRoute: description: InternalRoute allows for the configuration of internal routing. type: boolean listener: - description: VirtualServerListener references a custom http and/or - https listener defined in GlobalConfiguration. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: http: + description: The name of an HTTP listener defined in a GlobalConfiguration + resource. type: string https: + description: The name of an HTTPS listener defined in a GlobalConfiguration + resource. 
type: string type: object policies: + description: A list of policies. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: The name of a policy. If the policy doesn’t exist + or invalid, NGINX will respond with an error response with + the 500 status code. type: string namespace: + description: The namespace of a policy. If not specified, the + namespace of the VirtualServer resource is used. type: string type: object type: array routes: + description: A list of routes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. 
items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. 
properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301, 302, 307 or 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' 
type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. 
properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. 
The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. 
type: string value: + description: The value to match the condition against. type: string variable: + description: The name of an NGINX variable. Must + start with $. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always 
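Review bot: The `errorPages` descriptions in the middle of this hunk are swapped — `redirect` is described as `The canned response action for the given status codes` and `return` as `The redirect action for the given status codes`, the opposite of what each field does (the `code`/`url` sub-fields sit under `redirect`, `body`/`headers` under `return`); swap the two strings. Earlier in the hunk the `ingressClassName` description appears to be copied from the VirtualServerRoute CRD ("must handle the VirtualServerRoute resource ... the VirtualServer that references this resource"), but this block is VirtualServerSpec, so it should read `description: Specifies which Ingress Controller must handle the VirtualServer resource.`. Several descriptions also carry footnote markers from the web docs (`headers**`, `passed*`, `variables*`, `status code**`) that point at nothing inside the CRD and will show up verbatim in `kubectl explain`; the same markers recur in the following hunk. The `listener` description is also missing its closing period.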
@@ -1799,384 +2770,763 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. 
+ Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code. 
type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. 
items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301, 302, 307 or 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. 
properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array server-snippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string tls: - description: TLS defines TLS configuration for a VirtualServer. + description: The TLS termination configuration. properties: cert-manager: - description: CertManager defines a cert manager config for a TLS. + description: The cert-manager configuration of the TLS for a VirtualServer. properties: cluster-issuer: + description: the name of a ClusterIssuer. A ClusterIssuer + is a cert-manager resource which describes the certificate + authority capable of signing certificates. It does not matter + which namespace your VirtualServer resides, as ClusterIssuers + are non-namespaced resources. Please note that one of issuer + and cluster-issuer are required, but they are mutually exclusive + - one and only one must be defined. type: string common-name: + description: This field allows you to configure spec.commonName + for the Certificate to be generated. This configuration + adds a CN to the x509 certificate. 
type: string
 duration:
+ description: This field allows you to configure spec.duration
+ field for the Certificate to be generated. Must be specified
+ using a Go time.Duration string format, which does not allow
+ the d (days) suffix. You must specify these values using
+ s, m, and h suffixes instead.
 type: string
 issue-temp-cert:
+ description: When true, ask cert-manager for a temporary self-signed
+ certificate pending the issuance of the Certificate. This
+ allows HTTPS-only servers to use ACME HTTP01 challenges
+ when the TLS secret does not exist yet.
 type: boolean
 issuer:
+ description: the name of an Issuer. An Issuer is a cert-manager
+ resource which describes the certificate authority capable
+ of signing certificates. The Issuer must be in the same
+ namespace as the VirtualServer resource. Please note that
+ one of issuer and cluster-issuer are required, but they
+ are mutually exclusive - one and only one must be defined.
 type: string
 issuer-group:
+ description: The API group of the external issuer controller,
+ for example awspca.cert-manager.io. This is only necessary
+ for out-of-tree issuers. This cannot be defined if cluster-issuer
+ is also defined.
 type: string
 issuer-kind:
+ description: The kind of the external issuer resource, for
+ example AWSPCAIssuer. This is only necessary for out-of-tree
+ issuers. This cannot be defined if cluster-issuer is also
+ defined.
 type: string
 renew-before:
+ description: this annotation allows you to configure spec.renewBefore
+ field for the Certificate to be generated. Must be specified
+ using a Go time.Duration string format, which does not allow
+ the d (days) suffix. You must specify these values using
+ s, m, and h suffixes instead.
 type: string
 usages:
+ description: This field allows you to configure spec.usages
+ field for the Certificate to be generated. Pass a string
+ with comma-separated values i.e. key agreement,digital signature,
+ server auth. An exhaustive list of supported key usages
+ can be found in the the cert-manager api documentation.
 type: string
 type: object
 redirect:
- description: TLSRedirect defines a redirect for a TLS.
+ description: The redirect configuration of the TLS for a VirtualServer.
 properties:
 basedOn:
+ description: The attribute of a request that NGINX will evaluate
+ to send a redirect. The allowed values are scheme (the scheme
+ of the request) or x-forwarded-proto (the X-Forwarded-Proto
+ header of the request). The default is scheme.
 type: string
 code:
+ description: 'The status code of a redirect. The allowed values
+ are: 301, 302, 307 or 308. The default is 301.'
 type: integer
 enable:
+ description: Enables a TLS redirect for a VirtualServer. The
+ default is False.
 type: boolean
 type: object
 secret:
+ description: The name of a secret with a TLS certificate and key.
+ The secret must belong to the same namespace as the VirtualServer.
+ The secret must be of the type kubernetes.io/tls and contain
+ keys named tls.crt and tls.key that contain the certificate
+ and private key as described here. If the secret doesn’t exist
+ or is invalid, NGINX will break any attempt to establish a TLS
+ connection to the host of the VirtualServer. If the secret is
+ not specified but wildcard TLS secret is configured, NGINX will
+ use the wildcard secret for TLS termination.
 type: string
 type: object
 upstreams:
+ description: A list of upstreams.
 items:
 description: Upstream defines an upstream.
 properties:
 backup:
+ description: 'The name of the backup service of type ExternalName.
+ This will be used when the primary servers are unavailable.
+ Note: The parameter cannot be used along with the random,
+ hash or ip_hash load balancing methods.'
 type: string
 backupPort:
+ description: The port of the backup service. The backup port
+ is required if the backup service name is provided. The port
+ must fall into the range 1..65535.
 type: integer
 buffer-size:
+ description: Sets the size of the buffer used for reading the
+ first part of a response received from the upstream server.
+ The default is set in the proxy-buffer-size ConfigMap key.
 type: string
 buffering:
+ description: Enables buffering of responses from the upstream
+ server. The default is set in the proxy-buffering ConfigMap
+ key.
 type: boolean
 buffers:
- description: UpstreamBuffers defines Buffer Configuration for
- an Upstream.
+ description: Configures the buffers used for reading a response
+ from the upstream server for a single connection.
 properties:
 number:
+ description: Configures the number of buffers. The default
+ is set in the proxy-buffers ConfigMap key.
 type: integer
 size:
+ description: Configures the size of a buffer. The default
+ is set in the proxy-buffers ConfigMap key.
 type: string
 type: object
 client-max-body-size:
+ description: Sets the maximum allowed size of the client request
+ body. The default is set in the client-max-body-size ConfigMap
+ key.
 type: string
 connect-timeout:
+ description: The timeout for establishing a connection with
+ an upstream server. The default is specified in the proxy-connect-timeout
+ ConfigMap key.
 type: string
 fail-timeout:
+ description: The time during which the specified number of unsuccessful
+ attempts to communicate with an upstream server should happen
+ to consider the server unavailable. The default is set in
+ the fail-timeout ConfigMap key.
 type: string
 healthCheck:
- description: HealthCheck defines the parameters for active Upstream
- HealthChecks.
+ description: 'The health check configuration for the Upstream.
+ Note: this feature is supported only in NGINX Plus.'
 properties:
 connect-timeout:
+ description: The timeout for establishing a connection with
+ an upstream server. By default, the connect-timeout of
+ the upstream is used.
 type: string
 enable:
+ description: Enables a health check for an upstream server.
+ The default is false.
 type: boolean
 fails:
+ description: The number of consecutive failed health checks
+ of a particular upstream server after which this server
+ will be considered unhealthy. The default is 1.
 type: integer
 grpcService:
+ description: The gRPC service to be monitored on the upstream
+ server. Only valid on gRPC type upstreams.
 type: string
 grpcStatus:
+ description: The expected gRPC status code of the upstream
+ server response to the Check method. Configure this field
+ only if your gRPC services do not implement the gRPC health
+ checking protocol. For example, configure 12 if the upstream
+ server responds with 12 (UNIMPLEMENTED) status code. Only
+ valid on gRPC type upstreams.
 type: integer
 headers:
+ description: The request headers used for health check requests.
+ NGINX Plus always sets the Host, User-Agent and Connection
+ headers for health check requests.
 items:
 description: Header defines an HTTP Header.
 properties:
 name:
+ description: The name of the header.
 type: string
 value:
+ description: The value of the header.
 type: string
 type: object
 type: array
 interval:
+ description: The interval between two consecutive health
+ checks. The default is 5s.
 type: string
 jitter:
+ description: The time within which each health check will
+ be randomly delayed. By default, there is no delay.
 type: string
 keepalive-time:
+ description: Enables keepalive connections for health checks
+ and specifies the time during which requests can be processed
+ through one keepalive connection. The default is 60s.
 type: string
 mandatory:
+ description: Require every newly added server to pass all
+ configured health checks before NGINX Plus sends traffic
+ to it. If this is not specified, or is set to false, the
+ server will be initially considered healthy. When combined
+ with slow-start, it gives a new server more time to connect
+ to databases and “warm up” before being asked to handle
+ their full share of traffic.
 type: boolean
 passes:
+ description: The number of consecutive passed health checks
+ of a particular upstream server after which the server
+ will be considered healthy. The default is 1.
 type: integer
 path:
+ description: The path used for health check requests. The
+ default is /. This is not configurable for gRPC type upstreams.
 type: string
 persistent:
+ description: Set the initial “up” state for a server after
+ reload if the server was considered healthy before reload.
+ Enabling persistent requires that the mandatory parameter
+ is also set to true.
 type: boolean
 port:
+ description: 'The port used for health check requests. By
+ default, the server port is used. Note: in contrast with
+ the port of the upstream, this port is not a service port,
+ but a port of a pod.'
 type: integer
 read-timeout:
+ description: The timeout for reading a response from an
+ upstream server. By default, the read-timeout of the upstream
+ is used.
 type: string
 send-timeout:
+ description: The timeout for transmitting a request to an
+ upstream server. By default, the send-timeout of the upstream
+ is used.
 type: string
 statusMatch:
+ description: 'The expected response status codes of a health
+ check. By default, the response should have status code
+ 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This
+ not supported for gRPC type upstreams.'
 type: string
 tls:
- description: UpstreamTLS defines a TLS configuration for
- an Upstream.
+ description: The TLS configuration used for health check
+ requests. By default, the tls field of the upstream is
+ used.
 properties:
 enable:
+ description: 'Enables HTTPS for requests to upstream
+ servers. The default is False , meaning that HTTP
+ will be used. Note: by default, NGINX will not verify
+ the upstream server certificate. To enable the verification,
+ configure an EgressMTLS Policy.'
 type: boolean
 type: object
 type: object
 keepalive:
+ description: Configures the cache for connections to upstream
+ servers. The value 0 disables the cache. The default is set
+ in the keepalive ConfigMap key.
 type: integer
 lb-method:
+ description: The load balancing method. To use the round-robin
+ method, specify round_robin. The default is specified in the
+ lb-method ConfigMap key.
 type: string
 max-conns:
+ description: 'The maximum number of simultaneous active connections
+ to an upstream server. By default there is no limit. Note:
+ if keepalive connections are enabled, the total number of
+ active and idle keepalive connections to an upstream server
+ may exceed the max_conns value.'
 type: integer
 max-fails:
+ description: The number of unsuccessful attempts to communicate
+ with an upstream server that should happen in the duration
+ set by the fail-timeout to consider the server unavailable.
+ The default is set in the max-fails ConfigMap key.
 type: integer
 name:
+ description: The name of the upstream. Must be a valid DNS label
+ as defined in RFC 1035. For example, hello and upstream-123
+ are valid. The name must be unique among all upstreams of
+ the resource.
 type: string
 next-upstream:
+ description: Specifies in which cases a request should be passed
+ to the next upstream server. The default is error timeout.
 type: string
 next-upstream-timeout:
+ description: The time during which a request can be passed to
+ the next upstream server. The 0 value turns off the time limit.
+ The default is 0.
 type: string
 next-upstream-tries:
+ description: The number of possible tries for passing a request
+ to the next upstream server. The 0 value turns off this limit.
+ The default is 0.
 type: integer
 ntlm:
+ description: 'Allows proxying requests with NTLM Authentication.
+ In order for NTLM authentication to work, it is necessary
+ to enable keepalive connections to upstream servers using
+ the keepalive field. Note: this feature is supported only
+ in NGINX Plus.'
 type: boolean
 port:
+ description: The port of the service. If the service doesn’t
+ define that port, NGINX will assume the service has zero endpoints
+ and return a 502 response for requests for this upstream.
+ The port must fall into the range 1..65535.
 type: integer
 queue:
- description: UpstreamQueue defines Queue Configuration for an
- Upstream.
+ description: 'Configures a queue for an upstream. A client request
+ will be placed into the queue if an upstream server cannot
+ be selected immediately while processing the request. By default,
+ no queue is configured. Note: this feature is supported only
+ in NGINX Plus.'
 properties:
 size:
+ description: The size of the queue.
 type: integer
 timeout:
+ description: The timeout of the queue. A request cannot
+ be queued for a period longer than the timeout. The default
+ is 60s.
 type: string
 type: object
 read-timeout:
+ description: The timeout for reading a response from an upstream
+ server. The default is specified in the proxy-read-timeout
+ ConfigMap key.
 type: string
 send-timeout:
+ description: The timeout for transmitting a request to an upstream
+ server. The default is specified in the proxy-send-timeout
+ ConfigMap key.
 type: string
 service:
+ description: The name of a service. The service must belong
+ to the same namespace as the resource. If the service doesn’t
+ exist, NGINX will assume the service has zero endpoints and
+ return a 502 response for requests for this upstream. For
+ NGINX Plus only, services of type ExternalName are also supported
+ .
 type: string
 sessionCookie:
- description: SessionCookie defines the parameters for session
- persistence.
+ description: The SessionCookie field configures session persistence
+ which allows requests from the same client to be passed to
+ the same upstream server. The information about the designated
+ upstream server is passed in a session cookie generated by
+ NGINX Plus.
 properties:
 domain:
+ description: The domain for which the cookie is set.
 type: string
 enable:
+ description: Enables session persistence with a session
+ cookie for an upstream server. The default is false.
 type: boolean
 expires:
+ description: The time for which a browser should keep the
+ cookie. Can be set to the special value max, which will
+ cause the cookie to expire on 31 Dec 2037 23:55:55 GMT.
 type: string
 httpOnly:
+ description: Adds the HttpOnly attribute to the cookie.
 type: boolean
 name:
+ description: The name of the cookie.
 type: string
 path:
+ description: The path for which the cookie is set.
 type: string
 samesite:
+ description: 'Adds the SameSite attribute to the cookie.
+ The allowed values are: strict, lax, none'
 type: string
 secure:
+ description: Adds the Secure attribute to the cookie.
 type: boolean
 type: object
 slow-start:
+ description: 'The slow start allows an upstream server to gradually
+ recover its weight from 0 to its nominal value after it has
+ been recovered or became available or when the server becomes
+ available after a period of time it was considered unavailable.
+ By default, the slow start is disabled. Note: The parameter
+ cannot be used along with the random, hash or ip_hash load
+ balancing methods and will be ignored.'
 type: string
 subselector:
 additionalProperties:
 type: string
+ description: 'Selects the pods within the service using label
+ keys and values. By default, all pods of the service are selected.
+ Note: the specified labels are expected to be present in the
+ pods when they are created. If the pod labels are updated,
+ NGINX Ingress Controller will not see that change until the
+ number of the pods is changed.'
 type: object
 tls:
- description: UpstreamTLS defines a TLS configuration for an
- Upstream.
+ description: The TLS configuration for the Upstream.
 properties:
 enable:
+ description: 'Enables HTTPS for requests to upstream servers.
+ The default is False , meaning that HTTP will be used.
+ Note: by default, NGINX will not verify the upstream server
+ certificate. To enable the verification, configure an
+ EgressMTLS Policy.'
 type: boolean
 type: object
 type:
+ description: The type of the upstream. Supported values are
+ http and grpc. The default is http. For gRPC, it is necessary
+ to enable HTTP/2 in the ConfigMap and configure TLS termination
+ in the VirtualServer.
 type: string
 use-cluster-ip:
+ description: Enables using the Cluster IP and port of the service
+ instead of the default behavior of using the IP and port of
+ the pods. When this field is enabled, the fields that configure
+ NGINX behavior related to multiple upstream servers (like
+ lb-method and next-upstream) will have no effect, as NGINX
+ Ingress Controller will configure NGINX with only one upstream
+ server that will match the service Cluster IP.
 type: boolean
 type: object
 type: array
 type: object
 status:
- description: VirtualServerStatus defines the status for the VirtualServer
- resource.
+ description: Status contains the current status of the VirtualServer.
 properties:
 externalEndpoints:
 items:
diff --git a/docs/crd/k8s.nginx.org_globalconfigurations.md b/docs/crd/k8s.nginx.org_globalconfigurations.md
index 5ff40014a..55beeee5d 100644
--- a/docs/crd/k8s.nginx.org_globalconfigurations.md
+++ b/docs/crd/k8s.nginx.org_globalconfigurations.md
@@ -15,10 +15,10 @@ The `.spec` object supports the following fields:
 | Field | Type | Description |
 |---|---|---|
-| `listeners` | `array` | List of configuration values. |
-| `listeners[].ipv4` | `string` | String configuration value. |
-| `listeners[].ipv6` | `string` | String configuration value. |
-| `listeners[].name` | `string` | String configuration value. |
-| `listeners[].port` | `integer` | Numeric configuration value. |
-| `listeners[].protocol` | `string` | String configuration value. |
-| `listeners[].ssl` | `boolean` | Enable or disable this feature. |
+| `listeners` | `array` | Listeners field of the GlobalConfigurationSpec resource |
+| `listeners[].ipv4` | `string` | Specifies the IPv4 address to listen on. |
+| `listeners[].ipv6` | `string` | Ipv6 addresse that NGINX will listen on. |
+| `listeners[].name` | `string` | The name of the listener. The name must be unique across all listeners. |
+| `listeners[].port` | `integer` | The port on which the listener will accept connections. |
+| `listeners[].protocol` | `string` | The protocol of the listener. For example, HTTP. |
+| `listeners[].ssl` | `boolean` | Whether the listener will be listening for SSL connections |
diff --git a/docs/crd/k8s.nginx.org_policies.md b/docs/crd/k8s.nginx.org_policies.md
index f1021edcb..d8c8bb0f1 100644
--- a/docs/crd/k8s.nginx.org_policies.md
+++ b/docs/crd/k8s.nginx.org_policies.md
@@ -15,56 +15,58 @@ The `.spec` object supports the following fields:
 | Field | Type | Description |
 |---|---|---|
-| `accessControl` | `object` | AccessControl defines an access policy based on the source IP of a request. |
+| `accessControl` | `object` | The access control policy based on the client IP address. |
 | `accessControl.allow` | `array[string]` | Configuration field. |
 | `accessControl.deny` | `array[string]` | Configuration field. |
-| `apiKey` | `object` | APIKey defines an API Key policy. |
-| `apiKey.clientSecret` | `string` | String configuration value. |
-| `apiKey.suppliedIn` | `object` | SuppliedIn defines the locations API Key should be supplied in. |
-| `apiKey.suppliedIn.header` | `array[string]` | Configuration field. |
-| `apiKey.suppliedIn.query` | `array[string]` | Configuration field. |
-| `basicAuth` | `object` | BasicAuth holds HTTP Basic authentication configuration |
-| `basicAuth.realm` | `string` | String configuration value. |
-| `basicAuth.secret` | `string` | String configuration value. |
-| `egressMTLS` | `object` | EgressMTLS defines an Egress MTLS policy. |
-| `egressMTLS.ciphers` | `string` | String configuration value. |
-| `egressMTLS.protocols` | `string` | String configuration value. |
-| `egressMTLS.serverName` | `boolean` | Enable or disable this feature. |
-| `egressMTLS.sessionReuse` | `boolean` | Enable or disable this feature. |
-| `egressMTLS.sslName` | `string` | String configuration value. |
-| `egressMTLS.tlsSecret` | `string` | String configuration value. |
-| `egressMTLS.trustedCertSecret` | `string` | String configuration value. |
-| `egressMTLS.verifyDepth` | `integer` | Numeric configuration value. |
-| `egressMTLS.verifyServer` | `boolean` | Enable or disable this feature. |
-| `ingressClassName` | `string` | String configuration value. |
-| `ingressMTLS` | `object` | IngressMTLS defines an Ingress MTLS policy. |
-| `ingressMTLS.clientCertSecret` | `string` | String configuration value. |
-| `ingressMTLS.crlFileName` | `string` | String configuration value. |
-| `ingressMTLS.verifyClient` | `string` | String configuration value. |
-| `ingressMTLS.verifyDepth` | `integer` | Numeric configuration value. |
-| `jwt` | `object` | JWTAuth holds JWT authentication configuration. |
-| `jwt.jwksURI` | `string` | String configuration value. |
-| `jwt.keyCache` | `string` | String configuration value. |
-| `jwt.realm` | `string` | String configuration value. |
-| `jwt.secret` | `string` | String configuration value. |
-| `jwt.token` | `string` | String configuration value. |
-| `oidc` | `object` | OIDC defines an Open ID Connect policy. |
-| `oidc.accessTokenEnable` | `boolean` | Enable or disable this feature. |
-| `oidc.authEndpoint` | `string` | String configuration value. |
-| `oidc.authExtraArgs` | `array[string]` | Configuration field. |
-| `oidc.clientID` | `string` | String configuration value. |
-| `oidc.clientSecret` | `string` | String configuration value. |
-| `oidc.endSessionEndpoint` | `string` | String configuration value. |
-| `oidc.jwksURI` | `string` | String configuration value. |
-| `oidc.pkceEnable` | `boolean` | Enable or disable this feature. |
-| `oidc.postLogoutRedirectURI` | `string` | String configuration value. |
-| `oidc.redirectURI` | `string` | String configuration value. |
-| `oidc.scope` | `string` | String configuration value. |
-| `oidc.tokenEndpoint` | `string` | String configuration value. |
-| `oidc.zoneSyncLeeway` | `integer` | Numeric configuration value. |
-| `rateLimit` | `object` | RateLimit defines a rate limit policy. |
-| `rateLimit.burst` | `integer` | Numeric configuration value. |
-| `rateLimit.condition` | `object` | RateLimitCondition defines a condition for a rate limit policy. |
+| `apiKey` | `object` | The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. |
+| `apiKey.clientSecret` | `string` | The key to which the API key is applied. Can contain text, variables, or a combination of them. Accepted variables are $http_, $arg_, $cookie_. |
+| `apiKey.suppliedIn` | `object` | The location of the API Key. For example, $http_auth, $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, $cookie_. |
+| `apiKey.suppliedIn.header` | `array[string]` | The location of the API Key as a request header. For example, $http_auth. Accepted variables are $http_. |
+| `apiKey.suppliedIn.query` | `array[string]` | The location of the API Key as a query param. For example, $arg_apikey. Accepted variables are $arg_. |
+| `basicAuth` | `object` | The basic auth policy configures NGINX to authenticate client requests using HTTP Basic authentication credentials. |
+| `basicAuth.realm` | `string` | The realm for the basic authentication. |
+| `basicAuth.secret` | `string` | The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. |
+| `egressMTLS` | `object` | The EgressMTLS policy configures upstreams authentication and certificate verification. |
+| `egressMTLS.ciphers` | `string` | Specifies the enabled ciphers for requests to an upstream HTTPS server. The default is DEFAULT. |
+| `egressMTLS.protocols` | `string` | Specifies the protocols for requests to an upstream HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. |
+| `egressMTLS.serverName` | `boolean` | Enables passing of the server name through Server Name Indication extension. |
+| `egressMTLS.sessionReuse` | `boolean` | Enables reuse of SSL sessions to the upstreams. The default is true. |
+| `egressMTLS.sslName` | `string` | Allows overriding the server name used to verify the certificate of the upstream HTTPS server. |
+| `egressMTLS.tlsSecret` | `string` | The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The secret must be of the type kubernetes.io/tls, the certificate must be stored in the secret under the key tls.crt, and the key must be stored under the key tls.key, otherwise the secret will be rejected as invalid. |
+| `egressMTLS.trustedCertSecret` | `string` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. |
+| `egressMTLS.verifyDepth` | `integer` | Sets the verification depth in the proxied HTTPS server certificates chain. The default is 1. |
+| `egressMTLS.verifyServer` | `boolean` | Enables verification of the upstream HTTPS server certificate. |
+| `ingressClassName` | `string` | Specifies which instance of NGINX Ingress Controller must handle the Policy resource. |
+| `ingressMTLS` | `object` | The IngressMTLS policy configures client certificate verification. |
+| `ingressMTLS.clientCertSecret` | `string` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. |
+| `ingressMTLS.crlFileName` | `string` | The file name of the Certificate Revocation List. NGINX Ingress Controller will look for this file in /etc/nginx/secrets |
+| `ingressMTLS.verifyClient` | `string` | Verification for the client. Possible values are "on", "off", "optional", "optional_no_ca". The default is "on". |
+| `ingressMTLS.verifyDepth` | `integer` | Sets the verification depth in the client certificates chain. The default is 1. |
+| `jwt` | `object` | The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens. |
+| `jwt.jwksURI` | `string` | The remote URI where the request will be sent to retrieve JSON Web Key set |
+| `jwt.keyCache` | `string` | Enables in-memory caching of JWKS (JSON Web Key Sets) that are obtained from the jwksURI and sets a valid time for expiration. |
+| `jwt.realm` | `string` | The realm of the JWT. |
+| `jwt.secret` | `string` | The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. |
+| `jwt.sniEnabled` | `boolean` | Enables SNI (Server Name Indication) for the JWT policy. This is useful when the remote server requires SNI to serve the correct certificate. |
+| `jwt.sniName` | `string` | The SNI name to use when connecting to the remote server. If not set, the hostname from the ``jwksURI`` will be used. |
+| `jwt.token` | `string` | The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_. |
+| `oidc` | `object` | The OpenID Connect policy configures NGINX to authenticate client requests by validating a JWT token against an OAuth2/OIDC token provider, such as Auth0 or Keycloak. |
+| `oidc.accessTokenEnable` | `boolean` | Option of whether Bearer token is used to authorize NGINX to access protected backend. |
+| `oidc.authEndpoint` | `string` | URL for the authorization endpoint provided by your OpenID Connect provider. |
+| `oidc.authExtraArgs` | `array[string]` | A list of extra URL arguments to pass to the authorization endpoint provided by your OpenID Connect provider. Arguments must be URL encoded, multiple arguments may be included in the list, for example [ arg1=value1, arg2=value2 ] |
+| `oidc.clientID` | `string` | The client ID provided by your OpenID Connect provider. |
+| `oidc.clientSecret` | `string` | The name of the Kubernetes secret that stores the client secret provided by your OpenID Connect provider. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/oidc, and the secret under the key client-secret, otherwise the secret will be rejected as invalid. If PKCE is enabled, this should be not configured. |
+| `oidc.endSessionEndpoint` | `string` | URL provided by your OpenID Connect provider to request the end user be logged out. |
+| `oidc.jwksURI` | `string` | URL for the JSON Web Key Set (JWK) document provided by your OpenID Connect provider. |
+| `oidc.pkceEnable` | `boolean` | Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. clientSecret is not used in this mode. |
+| `oidc.postLogoutRedirectURI` | `string` | URI to redirect to after the logout has been performed. Requires endSessionEndpoint. The default is /_logout. |
+| `oidc.redirectURI` | `string` | Allows overriding the default redirect URI. The default is /_codexch. |
+| `oidc.scope` | `string` | List of OpenID Connect scopes. The scope openid always needs to be present and others can be added concatenating them with a + sign, for example openid+profile+email, openid+email+userDefinedScope. The default is openid. |
+| `oidc.tokenEndpoint` | `string` | URL for the token endpoint provided by your OpenID Connect provider. |
+| `oidc.zoneSyncLeeway` | `integer` | Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is 200. |
+| `rateLimit` | `object` | The rate limit policy controls the rate of processing requests per a defined key. |
+| `rateLimit.burst` | `integer` | Excessive requests are delayed until their number exceeds the burst size, in which case the request is terminated with an error. |
+| `rateLimit.condition` | `object` | Add a condition to a rate-limit policy. |
 | `rateLimit.condition.default` | `boolean` | Sets the rate limit in this policy to be the default if no conditions are met. In a group of policies with the same condition, only one policy can be the default. |
 | `rateLimit.condition.jwt` | `object` | Defines a JWT condition to rate limit against. |
 | `rateLimit.condition.jwt.claim` | `string` | The JWT claim to be rate limit by. Nested claims should be separated by "." |
@@ -72,26 +74,26 @@ The `.spec` object supports the following fields:
 | `rateLimit.condition.variables` | `array` | Defines a Variables condition to rate limit against. |
 | `rateLimit.condition.variables[].match` | `string` | The value of the variable to match against. |
 | `rateLimit.condition.variables[].name` | `string` | The name of the variable to match against. |
-| `rateLimit.delay` | `integer` | Numeric configuration value. |
-| `rateLimit.dryRun` | `boolean` | Enable or disable this feature. |
-| `rateLimit.key` | `string` | String configuration value. |
-| `rateLimit.logLevel` | `string` | String configuration value. |
-| `rateLimit.noDelay` | `boolean` | Enable or disable this feature. |
-| `rateLimit.rate` | `string` | String configuration value. |
-| `rateLimit.rejectCode` | `integer` | Numeric configuration value. |
-| `rateLimit.scale` | `boolean` | Enable or disable this feature. |
-| `rateLimit.zoneSize` | `string` | String configuration value. |
-| `waf` | `object` | WAF defines an WAF policy. |
-| `waf.apBundle` | `string` | String configuration value. |
-| `waf.apPolicy` | `string` | String configuration value. |
-| `waf.enable` | `boolean` | Enable or disable this feature. |
+| `rateLimit.delay` | `integer` | The delay parameter specifies a limit at which excessive requests become delayed. If not set all excessive requests are delayed. |
+| `rateLimit.dryRun` | `boolean` | Enables the dry run mode. In this mode, the rate limit is not actually applied, but the number of excessive requests is accounted as usual in the shared memory zone. |
+| `rateLimit.key` | `string` | The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ . |
+| `rateLimit.logLevel` | `string` | Sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. Default is error. |
+| `rateLimit.noDelay` | `boolean` | Disables the delaying of excessive requests while requests are being limited. Overrides delay if both are set. |
+| `rateLimit.rate` | `string` | The rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m). |
+| `rateLimit.rejectCode` | `integer` | Sets the status code to return in response to rejected requests. Must fall into the range 400..599. Default is 503. |
+| `rateLimit.scale` | `boolean` | Enables a constant rate-limit by dividing the configured rate by the number of nginx-ingress pods currently serving traffic. This adjustment ensures that the rate-limit remains consistent, even as the number of nginx-pods fluctuates due to autoscaling. This will not work properly if requests from a client are not evenly distributed across all ingress pods (Such as with sticky sessions, long lived TCP Connections with many requests, and so forth). In such cases using zone-sync instead would give better results. Enabling zone-sync will suppress this setting. |
+| `rateLimit.zoneSize` | `string` | Size of the shared memory zone. Only positive values are allowed. Allowed suffixes are k or m, if none are present k is assumed. |
+| `waf` | `object` | The WAF policy configures WAF and log configuration policies for NGINX AppProtect |
+| `waf.apBundle` | `string` | The App Protect WAF policy bundle. Mutually exclusive with apPolicy. |
+| `waf.apPolicy` | `string` | The App Protect WAF policy of the WAF. Accepts an optional namespace. Mutually exclusive with apBundle. |
+| `waf.enable` | `boolean` | Enables NGINX App Protect WAF. |
 | `waf.securityLog` | `object` | SecurityLog defines the security log of a WAF policy. |
-| `waf.securityLog.apLogBundle` | `string` | String configuration value. |
-| `waf.securityLog.apLogConf` | `string` | String configuration value. |
-| `waf.securityLog.enable` | `boolean` | Enable or disable this feature. |
-| `waf.securityLog.logDest` | `string` | String configuration value. |
+| `waf.securityLog.apLogBundle` | `string` | The App Protect WAF log bundle resource. Only works with apBundle. |
+| `waf.securityLog.apLogConf` | `string` | The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. |
+| `waf.securityLog.enable` | `boolean` | Enables security log. |
+| `waf.securityLog.logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=; localhost; fqdn>:, stderr, . |
 | `waf.securityLogs` | `array` | List of configuration values. |
-| `waf.securityLogs[].apLogBundle` | `string` | String configuration value. |
-| `waf.securityLogs[].apLogConf` | `string` | String configuration value. |
-| `waf.securityLogs[].enable` | `boolean` | Enable or disable this feature. |
-| `waf.securityLogs[].logDest` | `string` | String configuration value. |
+| `waf.securityLogs[].apLogBundle` | `string` | The App Protect WAF log bundle resource. Only works with apBundle. |
+| `waf.securityLogs[].apLogConf` | `string` | The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. |
+| `waf.securityLogs[].enable` | `boolean` | Enables security log. |
+| `waf.securityLogs[].logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=; localhost; fqdn>:, stderr, . |
diff --git a/docs/crd/k8s.nginx.org_transportservers.md b/docs/crd/k8s.nginx.org_transportservers.md
index ea83fcafe..0a986b3ca 100644
--- a/docs/crd/k8s.nginx.org_transportservers.md
+++ b/docs/crd/k8s.nginx.org_transportservers.md
@@ -15,44 +15,44 @@ The `.spec` object supports the following fields:
 
 | Field | Type | Description |
 |---|---|---|
-| `action` | `object` | TransportServerAction defines an action. |
-| `action.pass` | `string` | String configuration value. |
-| `host` | `string` | String configuration value. |
-| `ingressClassName` | `string` | String configuration value. |
-| `listener` | `object` | TransportServerListener defines a listener for a TransportServer. |
-| `listener.name` | `string` | String configuration value. |
-| `listener.protocol` | `string` | String configuration value. |
-| `serverSnippets` | `string` | String configuration value. |
-| `sessionParameters` | `object` | SessionParameters defines session parameters. |
-| `sessionParameters.timeout` | `string` | String configuration value. |
-| `streamSnippets` | `string` | String configuration value. |
-| `tls` | `object` | TransportServerTLS defines TransportServerTLS configuration for a TransportServer. |
+| `action` | `object` | The action to perform for a request. |
+| `action.pass` | `string` | Passes connections/datagrams to an upstream. The upstream with that name must be defined in the resource. |
+| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. |
+| `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServer resource. |
+| `listener` | `object` | Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource |
+| `listener.name` | `string` | The name of a listener defined in a GlobalConfiguration resource. |
+| `listener.protocol` | `string` | The protocol of the listener.
|
+| `serverSnippets` | `string` | Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. |
+| `sessionParameters` | `object` | The parameters of the session to be used for the Server context |
+| `sessionParameters.timeout` | `string` | The timeout between two successive read or write operations on client or proxied server connections. The default is 10m. |
+| `streamSnippets` | `string` | Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. |
+| `tls` | `object` | The TLS termination configuration. |
 | `tls.secret` | `string` | String configuration value. |
 | `upstreamParameters` | `object` | UpstreamParameters defines parameters for an upstream. |
-| `upstreamParameters.connectTimeout` | `string` | String configuration value. |
-| `upstreamParameters.nextUpstream` | `boolean` | Enable or disable this feature. |
-| `upstreamParameters.nextUpstreamTimeout` | `string` | String configuration value. |
-| `upstreamParameters.nextUpstreamTries` | `integer` | Numeric configuration value. |
-| `upstreamParameters.udpRequests` | `integer` | Numeric configuration value. |
-| `upstreamParameters.udpResponses` | `integer` | Numeric configuration value. |
-| `upstreams` | `array` | List of configuration values. |
-| `upstreams[].backup` | `string` | String configuration value. |
-| `upstreams[].backupPort` | `integer` | Numeric configuration value. |
-| `upstreams[].failTimeout` | `string` | String configuration value. |
-| `upstreams[].healthCheck` | `object` | TransportServerHealthCheck defines the parameters for active Upstream HealthChecks. |
-| `upstreams[].healthCheck.enable` | `boolean` | Enable or disable this feature. |
-| `upstreams[].healthCheck.fails` | `integer` | Numeric configuration value. |
-| `upstreams[].healthCheck.interval` | `string` | String configuration value. |
-| `upstreams[].healthCheck.jitter` | `string` | String configuration value.
|
-| `upstreams[].healthCheck.match` | `object` | TransportServerMatch defines the parameters of a custom health check. |
-| `upstreams[].healthCheck.match.expect` | `string` | String configuration value. |
-| `upstreams[].healthCheck.match.send` | `string` | String configuration value. |
-| `upstreams[].healthCheck.passes` | `integer` | Numeric configuration value. |
-| `upstreams[].healthCheck.port` | `integer` | Numeric configuration value. |
-| `upstreams[].healthCheck.timeout` | `string` | String configuration value. |
-| `upstreams[].loadBalancingMethod` | `string` | String configuration value. |
-| `upstreams[].maxConns` | `integer` | Numeric configuration value. |
-| `upstreams[].maxFails` | `integer` | Numeric configuration value. |
-| `upstreams[].name` | `string` | String configuration value. |
-| `upstreams[].port` | `integer` | Numeric configuration value. |
-| `upstreams[].service` | `string` | String configuration value. |
+| `upstreamParameters.connectTimeout` | `string` | The timeout for establishing a connection with a proxied server. The default is 60s. |
+| `upstreamParameters.nextUpstream` | `boolean` | If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. |
+| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default is 0. |
+| `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. The default is 0. |
+| `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. |
+| `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. |
+| `upstreams` | `array` | A list of upstreams.
|
+| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. |
+| `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. |
+| `upstreams[].failTimeout` | `string` | Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default is 1. |
+| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. |
+| `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. |
+| `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. |
+| `upstreams[].healthCheck.interval` | `string` | The interval between two consecutive health checks. The default is 5s. |
+| `upstreams[].healthCheck.jitter` | `string` | The time within which each health check will be randomly delayed. By default, there is no delay. |
+| `upstreams[].healthCheck.match` | `object` | Controls the data to send and the response to expect for the healthcheck. |
+| `upstreams[].healthCheck.match.expect` | `string` | A literal string or a regular expression that the data obtained from the server should match. The regular expression is specified with the preceding ~* modifier (for case-insensitive matching), or the ~ modifier (for case-sensitive matching). NGINX Ingress Controller validates a regular expression using the RE2 syntax.
|
+| `upstreams[].healthCheck.match.send` | `string` | A string to send to an upstream server. |
+| `upstreams[].healthCheck.passes` | `integer` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. |
+| `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. |
+| `upstreams[].healthCheck.timeout` | `string` | This overrides the timeout set by proxy_timeout which is set in SessionParameters for health checks. The default value is 5s. |
+| `upstreams[].loadBalancingMethod` | `string` | The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. |
+| `upstreams[].maxConns` | `integer` | Sets the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable and the period of time the server will be considered unavailable. The default is 10s. |
+| `upstreams[].maxFails` | `integer` | Sets the number of maximum connections to the proxied server. Default value is zero, meaning there is no limit. The default is 0. |
+| `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. |
+| `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. The port must fall into the range 1..65535. |
+| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource.
If the service doesn’t exist, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. |
diff --git a/docs/crd/k8s.nginx.org_virtualserverroutes.md b/docs/crd/k8s.nginx.org_virtualserverroutes.md
index 38aaa23e1..93bc49f19 100644
--- a/docs/crd/k8s.nginx.org_virtualserverroutes.md
+++ b/docs/crd/k8s.nginx.org_virtualserverroutes.md
@@ -15,212 +15,212 @@ The `.spec` object supports the following fields:
 
 | Field | Type | Description |
 |---|---|---|
-| `host` | `string` | String configuration value. |
-| `ingressClassName` | `string` | String configuration value. |
-| `subroutes` | `array` | List of configuration values. |
-| `subroutes[].action` | `object` | Action defines an action. |
-| `subroutes[].action.pass` | `string` | String configuration value. |
-| `subroutes[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. |
-| `subroutes[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. |
-| `subroutes[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. |
-| `subroutes[].action.proxy.requestHeaders.set` | `array` | List of configuration values. |
-| `subroutes[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. |
-| `subroutes[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. |
-| `subroutes[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. |
-| `subroutes[].action.proxy.responseHeaders.add` | `array` | List of configuration values. |
-| `subroutes[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. |
-| `subroutes[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. |
-| `subroutes[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. |
-| `subroutes[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. |
-| `subroutes[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. |
-| `subroutes[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. |
-| `subroutes[].action.proxy.rewritePath` | `string` | String configuration value.
|
-| `subroutes[].action.proxy.upstream` | `string` | String configuration value. |
-| `subroutes[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. |
-| `subroutes[].action.redirect.code` | `integer` | Numeric configuration value. |
-| `subroutes[].action.redirect.url` | `string` | String configuration value. |
-| `subroutes[].action.return` | `object` | ActionReturn defines a return in an Action. |
-| `subroutes[].action.return.body` | `string` | String configuration value. |
-| `subroutes[].action.return.code` | `integer` | Numeric configuration value. |
-| `subroutes[].action.return.headers` | `array` | List of configuration values. |
-| `subroutes[].action.return.headers[].name` | `string` | String configuration value. |
-| `subroutes[].action.return.headers[].value` | `string` | String configuration value. |
-| `subroutes[].action.return.type` | `string` | String configuration value. |
-| `subroutes[].dos` | `string` | String configuration value. |
-| `subroutes[].errorPages` | `array` | List of configuration values. |
-| `subroutes[].errorPages[].codes` | `array[integer]` | Configuration field. |
-| `subroutes[].errorPages[].redirect` | `object` | ErrorPageRedirect defines a redirect for an ErrorPage. |
-| `subroutes[].errorPages[].redirect.code` | `integer` | Numeric configuration value. |
-| `subroutes[].errorPages[].redirect.url` | `string` | String configuration value. |
-| `subroutes[].errorPages[].return` | `object` | ErrorPageReturn defines a return for an ErrorPage. |
-| `subroutes[].errorPages[].return.body` | `string` | String configuration value. |
-| `subroutes[].errorPages[].return.code` | `integer` | Numeric configuration value. |
-| `subroutes[].errorPages[].return.headers` | `array` | List of configuration values. |
-| `subroutes[].errorPages[].return.headers[].name` | `string` | String configuration value. |
-| `subroutes[].errorPages[].return.headers[].value` | `string` | String configuration value.
|
-| `subroutes[].errorPages[].return.type` | `string` | String configuration value. |
-| `subroutes[].location-snippets` | `string` | String configuration value. |
-| `subroutes[].matches` | `array` | List of configuration values. |
-| `subroutes[].matches[].action` | `object` | Action defines an action. |
-| `subroutes[].matches[].action.pass` | `string` | String configuration value. |
-| `subroutes[].matches[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. |
-| `subroutes[].matches[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. |
-| `subroutes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. |
-| `subroutes[].matches[].action.proxy.requestHeaders.set` | `array` | List of configuration values. |
-| `subroutes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. |
-| `subroutes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. |
-| `subroutes[].matches[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. |
-| `subroutes[].matches[].action.proxy.responseHeaders.add` | `array` | List of configuration values. |
-| `subroutes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. |
-| `subroutes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. |
-| `subroutes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. |
-| `subroutes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. |
-| `subroutes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. |
-| `subroutes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field.
|
-| `subroutes[].matches[].action.proxy.rewritePath` | `string` | String configuration value. |
-| `subroutes[].matches[].action.proxy.upstream` | `string` | String configuration value. |
-| `subroutes[].matches[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. |
-| `subroutes[].matches[].action.redirect.code` | `integer` | Numeric configuration value. |
-| `subroutes[].matches[].action.redirect.url` | `string` | String configuration value. |
-| `subroutes[].matches[].action.return` | `object` | ActionReturn defines a return in an Action. |
-| `subroutes[].matches[].action.return.body` | `string` | String configuration value. |
-| `subroutes[].matches[].action.return.code` | `integer` | Numeric configuration value. |
-| `subroutes[].matches[].action.return.headers` | `array` | List of configuration values. |
-| `subroutes[].matches[].action.return.headers[].name` | `string` | String configuration value. |
-| `subroutes[].matches[].action.return.headers[].value` | `string` | String configuration value. |
-| `subroutes[].matches[].action.return.type` | `string` | String configuration value. |
-| `subroutes[].matches[].conditions` | `array` | List of configuration values. |
-| `subroutes[].matches[].conditions[].argument` | `string` | String configuration value. |
-| `subroutes[].matches[].conditions[].cookie` | `string` | String configuration value. |
-| `subroutes[].matches[].conditions[].header` | `string` | String configuration value. |
-| `subroutes[].matches[].conditions[].value` | `string` | String configuration value. |
-| `subroutes[].matches[].conditions[].variable` | `string` | String configuration value. |
-| `subroutes[].matches[].splits` | `array` | List of configuration values. |
-| `subroutes[].matches[].splits[].action` | `object` | Action defines an action. |
-| `subroutes[].matches[].splits[].action.pass` | `string` | String configuration value.
|
-| `subroutes[].matches[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. |
-| `subroutes[].matches[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. |
-| `subroutes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. |
-| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. |
-| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. |
-| `subroutes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. |
-| `subroutes[].matches[].splits[].action.proxy.rewritePath` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.proxy.upstream` | `string` | String configuration value.
|
-| `subroutes[].matches[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. |
-| `subroutes[].matches[].splits[].action.redirect.code` | `integer` | Numeric configuration value. |
-| `subroutes[].matches[].splits[].action.redirect.url` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. |
-| `subroutes[].matches[].splits[].action.return.body` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.return.code` | `integer` | Numeric configuration value. |
-| `subroutes[].matches[].splits[].action.return.headers` | `array` | List of configuration values. |
-| `subroutes[].matches[].splits[].action.return.headers[].name` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.return.headers[].value` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].action.return.type` | `string` | String configuration value. |
-| `subroutes[].matches[].splits[].weight` | `integer` | Numeric configuration value. |
-| `subroutes[].path` | `string` | String configuration value. |
-| `subroutes[].policies` | `array` | List of configuration values. |
-| `subroutes[].policies[].name` | `string` | String configuration value. |
-| `subroutes[].policies[].namespace` | `string` | String configuration value. |
-| `subroutes[].route` | `string` | String configuration value. |
-| `subroutes[].splits` | `array` | List of configuration values. |
-| `subroutes[].splits[].action` | `object` | Action defines an action. |
-| `subroutes[].splits[].action.pass` | `string` | String configuration value. |
-| `subroutes[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. |
-| `subroutes[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
|
-| `subroutes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. |
-| `subroutes[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. |
-| `subroutes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. |
-| `subroutes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. |
-| `subroutes[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. |
-| `subroutes[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. |
-| `subroutes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. |
-| `subroutes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. |
-| `subroutes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. |
-| `subroutes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. |
-| `subroutes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. |
-| `subroutes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. |
-| `subroutes[].splits[].action.proxy.rewritePath` | `string` | String configuration value. |
-| `subroutes[].splits[].action.proxy.upstream` | `string` | String configuration value. |
-| `subroutes[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. |
-| `subroutes[].splits[].action.redirect.code` | `integer` | Numeric configuration value. |
-| `subroutes[].splits[].action.redirect.url` | `string` | String configuration value. |
-| `subroutes[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. |
-| `subroutes[].splits[].action.return.body` | `string` | String configuration value.
|
-| `subroutes[].splits[].action.return.code` | `integer` | Numeric configuration value. |
-| `subroutes[].splits[].action.return.headers` | `array` | List of configuration values. |
-| `subroutes[].splits[].action.return.headers[].name` | `string` | String configuration value. |
-| `subroutes[].splits[].action.return.headers[].value` | `string` | String configuration value. |
-| `subroutes[].splits[].action.return.type` | `string` | String configuration value. |
-| `subroutes[].splits[].weight` | `integer` | Numeric configuration value. |
-| `upstreams` | `array` | List of configuration values. |
-| `upstreams[].backup` | `string` | String configuration value. |
-| `upstreams[].backupPort` | `integer` | Numeric configuration value. |
-| `upstreams[].buffer-size` | `string` | String configuration value. |
-| `upstreams[].buffering` | `boolean` | Enable or disable this feature. |
-| `upstreams[].buffers` | `object` | UpstreamBuffers defines Buffer Configuration for an Upstream. |
-| `upstreams[].buffers.number` | `integer` | Numeric configuration value. |
-| `upstreams[].buffers.size` | `string` | String configuration value. |
-| `upstreams[].client-max-body-size` | `string` | String configuration value. |
-| `upstreams[].connect-timeout` | `string` | String configuration value. |
-| `upstreams[].fail-timeout` | `string` | String configuration value. |
-| `upstreams[].healthCheck` | `object` | HealthCheck defines the parameters for active Upstream HealthChecks. |
-| `upstreams[].healthCheck.connect-timeout` | `string` | String configuration value. |
-| `upstreams[].healthCheck.enable` | `boolean` | Enable or disable this feature. |
-| `upstreams[].healthCheck.fails` | `integer` | Numeric configuration value. |
-| `upstreams[].healthCheck.grpcService` | `string` | String configuration value. |
-| `upstreams[].healthCheck.grpcStatus` | `integer` | Numeric configuration value. |
-| `upstreams[].healthCheck.headers` | `array` | List of configuration values.
|
-| `upstreams[].healthCheck.headers[].name` | `string` | String configuration value. |
-| `upstreams[].healthCheck.headers[].value` | `string` | String configuration value. |
-| `upstreams[].healthCheck.interval` | `string` | String configuration value. |
-| `upstreams[].healthCheck.jitter` | `string` | String configuration value. |
-| `upstreams[].healthCheck.keepalive-time` | `string` | String configuration value. |
-| `upstreams[].healthCheck.mandatory` | `boolean` | Enable or disable this feature. |
-| `upstreams[].healthCheck.passes` | `integer` | Numeric configuration value. |
-| `upstreams[].healthCheck.path` | `string` | String configuration value. |
-| `upstreams[].healthCheck.persistent` | `boolean` | Enable or disable this feature. |
-| `upstreams[].healthCheck.port` | `integer` | Numeric configuration value. |
-| `upstreams[].healthCheck.read-timeout` | `string` | String configuration value. |
-| `upstreams[].healthCheck.send-timeout` | `string` | String configuration value. |
-| `upstreams[].healthCheck.statusMatch` | `string` | String configuration value. |
-| `upstreams[].healthCheck.tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. |
-| `upstreams[].healthCheck.tls.enable` | `boolean` | Enable or disable this feature. |
-| `upstreams[].keepalive` | `integer` | Numeric configuration value. |
-| `upstreams[].lb-method` | `string` | String configuration value. |
-| `upstreams[].max-conns` | `integer` | Numeric configuration value. |
-| `upstreams[].max-fails` | `integer` | Numeric configuration value. |
-| `upstreams[].name` | `string` | String configuration value. |
-| `upstreams[].next-upstream` | `string` | String configuration value. |
-| `upstreams[].next-upstream-timeout` | `string` | String configuration value. |
-| `upstreams[].next-upstream-tries` | `integer` | Numeric configuration value. |
-| `upstreams[].ntlm` | `boolean` | Enable or disable this feature.
|
-| `upstreams[].port` | `integer` | Numeric configuration value. |
-| `upstreams[].queue` | `object` | UpstreamQueue defines Queue Configuration for an Upstream. |
-| `upstreams[].queue.size` | `integer` | Numeric configuration value. |
-| `upstreams[].queue.timeout` | `string` | String configuration value. |
-| `upstreams[].read-timeout` | `string` | String configuration value. |
-| `upstreams[].send-timeout` | `string` | String configuration value. |
-| `upstreams[].service` | `string` | String configuration value. |
-| `upstreams[].sessionCookie` | `object` | SessionCookie defines the parameters for session persistence. |
-| `upstreams[].sessionCookie.domain` | `string` | String configuration value. |
-| `upstreams[].sessionCookie.enable` | `boolean` | Enable or disable this feature. |
-| `upstreams[].sessionCookie.expires` | `string` | String configuration value. |
-| `upstreams[].sessionCookie.httpOnly` | `boolean` | Enable or disable this feature. |
-| `upstreams[].sessionCookie.name` | `string` | String configuration value. |
-| `upstreams[].sessionCookie.path` | `string` | String configuration value. |
-| `upstreams[].sessionCookie.samesite` | `string` | String configuration value. |
-| `upstreams[].sessionCookie.secure` | `boolean` | Enable or disable this feature. |
-| `upstreams[].slow-start` | `string` | String configuration value. |
-| `upstreams[].subselector` | `object` | Configuration object. |
-| `upstreams[].tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. |
-| `upstreams[].tls.enable` | `boolean` | Enable or disable this feature. |
-| `upstreams[].type` | `string` | String configuration value. |
-| `upstreams[].use-cluster-ip` | `boolean` | Enable or disable this feature. |
+| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes.
Must be the same as the host of the VirtualServer that references this resource. |
+| `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. |
+| `subroutes` | `array` | A list of subroutes. |
+| `subroutes[].action` | `object` | The default action to perform for a request. |
+| `subroutes[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. |
+| `subroutes[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). |
+| `subroutes[].action.proxy.requestHeaders` | `object` | The request headers modifications. |
+| `subroutes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. |
+| `subroutes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. |
+| `subroutes[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. |
+| `subroutes[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. |
+| `subroutes[].action.proxy.responseHeaders` | `object` | The response headers modifications. |
+| `subroutes[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. |
+| `subroutes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. |
+| `subroutes[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. |
+| `subroutes[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header.
|
+| `subroutes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. |
+| `subroutes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. |
+| `subroutes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. |
+| `subroutes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. |
+| `subroutes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. |
+| `subroutes[].action.redirect` | `object` | Redirects requests to a provided URL. |
+| `subroutes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. |
+| `subroutes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. |
+| `subroutes[].action.return` | `object` | Returns a preconfigured response. |
+| `subroutes[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. |
+| `subroutes[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. |
+| `subroutes[].action.return.headers` | `array` | The custom headers of the response.
|
+| `subroutes[].action.return.headers[].name` | `string` | The name of the header. |
+| `subroutes[].action.return.headers[].value` | `string` | The value of the header. |
+| `subroutes[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. |
+| `subroutes[].dos` | `string` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. |
+| `subroutes[].errorPages` | `array` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. |
+| `subroutes[].errorPages[].codes` | `array[integer]` | A list of error status codes. |
+| `subroutes[].errorPages[].redirect` | `object` | The canned response action for the given status codes. |
+| `subroutes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. |
+| `subroutes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. |
+| `subroutes[].errorPages[].return` | `object` | The redirect action for the given status codes. |
+| `subroutes[].errorPages[].return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. |
+| `subroutes[].errorPages[].return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. |
+| `subroutes[].errorPages[].return.headers` | `array` | The custom headers of the response. 
|
+| `subroutes[].errorPages[].return.headers[].name` | `string` | The name of the header. |
+| `subroutes[].errorPages[].return.headers[].value` | `string` | The value of the header. |
+| `subroutes[].errorPages[].return.type` | `string` | The MIME type of the response. The default is text/plain. |
+| `subroutes[].location-snippets` | `string` | Sets a custom snippet in the location context. Overrides the location-snippets ConfigMap key. |
+| `subroutes[].matches` | `array` | The matching rules for advanced content-based routing. Requires the default Action or Splits. Unmatched requests will be handled by the default Action or Splits. |
+| `subroutes[].matches[].action` | `object` | The action to perform for a request. |
+| `subroutes[].matches[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. |
+| `subroutes[].matches[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). |
+| `subroutes[].matches[].action.proxy.requestHeaders` | `object` | The request headers modifications. |
+| `subroutes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. |
+| `subroutes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. |
+| `subroutes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. |
+| `subroutes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. |
+| `subroutes[].matches[].action.proxy.responseHeaders` | `object` | The response headers modifications. |
+| `subroutes[].matches[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. 
|
+| `subroutes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. |
+| `subroutes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. |
+| `subroutes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. |
+| `subroutes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. |
+| `subroutes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. |
+| `subroutes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. |
+| `subroutes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. |
+| `subroutes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. |
+| `subroutes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. |
+| `subroutes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. |
+| `subroutes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. 
|
+| `subroutes[].matches[].action.return` | `object` | Returns a preconfigured response. |
+| `subroutes[].matches[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. |
+| `subroutes[].matches[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. |
+| `subroutes[].matches[].action.return.headers` | `array` | The custom headers of the response. |
+| `subroutes[].matches[].action.return.headers[].name` | `string` | The name of the header. |
+| `subroutes[].matches[].action.return.headers[].value` | `string` | The value of the header. |
+| `subroutes[].matches[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. |
+| `subroutes[].matches[].conditions` | `array` | A list of conditions. Must include at least 1 condition. |
+| `subroutes[].matches[].conditions[].argument` | `string` | The name of an argument. Must consist of alphanumeric characters or _. |
+| `subroutes[].matches[].conditions[].cookie` | `string` | The name of a cookie. Must consist of alphanumeric characters or _. |
+| `subroutes[].matches[].conditions[].header` | `string` | The name of a header. Must consist of alphanumeric characters or -. |
+| `subroutes[].matches[].conditions[].value` | `string` | The value to match the condition against. |
+| `subroutes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. |
+| `subroutes[].matches[].splits` | `array` | The splits configuration for traffic splitting. Must include at least 2 splits. |
+| `subroutes[].matches[].splits[].action` | `object` | The action to perform for a request. |
+| `subroutes[].matches[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. 
|
+| `subroutes[].matches[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). |
+| `subroutes[].matches[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. |
+| `subroutes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. |
+| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. |
+| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. |
+| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. |
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. |
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. |
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. |
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. |
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. |
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. |
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. 
|
+| `subroutes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. |
+| `subroutes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. |
+| `subroutes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. |
+| `subroutes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. |
+| `subroutes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. |
+| `subroutes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. |
+| `subroutes[].matches[].splits[].action.return` | `object` | Returns a preconfigured response. |
+| `subroutes[].matches[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. |
+| `subroutes[].matches[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. |
+| `subroutes[].matches[].splits[].action.return.headers` | `array` | The custom headers of the response. |
+| `subroutes[].matches[].splits[].action.return.headers[].name` | `string` | The name of the header. 
|
+| `subroutes[].matches[].splits[].action.return.headers[].value` | `string` | The value of the header. |
+| `subroutes[].matches[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. |
+| `subroutes[].matches[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. |
+| `subroutes[].path` | `string` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. |
+| `subroutes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. |
+| `subroutes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. |
+| `subroutes[].policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. |
+| `subroutes[].route` | `string` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. |
+| `subroutes[].splits` | `array` | The default splits configuration for traffic splitting. Must include at least 2 splits. 
|
+| `subroutes[].splits[].action` | `object` | The action to perform for a request. |
+| `subroutes[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. |
+| `subroutes[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). |
+| `subroutes[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. |
+| `subroutes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. |
+| `subroutes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. |
+| `subroutes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. |
+| `subroutes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. |
+| `subroutes[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. |
+| `subroutes[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. |
+| `subroutes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. |
+| `subroutes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. |
+| `subroutes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. |
+| `subroutes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. 
|
+| `subroutes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. |
+| `subroutes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. |
+| `subroutes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. |
+| `subroutes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. |
+| `subroutes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. |
+| `subroutes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. |
+| `subroutes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. |
+| `subroutes[].splits[].action.return` | `object` | Returns a preconfigured response. |
+| `subroutes[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. |
+| `subroutes[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. |
+| `subroutes[].splits[].action.return.headers` | `array` | The custom headers of the response. |
+| `subroutes[].splits[].action.return.headers[].name` | `string` | The name of the header. 
|
+| `subroutes[].splits[].action.return.headers[].value` | `string` | The value of the header. |
+| `subroutes[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. |
+| `subroutes[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. |
+| `upstreams` | `array` | A list of upstreams. |
+| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. |
+| `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. |
+| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key. |
+| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key. |
+| `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. |
+| `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. |
+| `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. |
+| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. The default is set in the client-max-body-size ConfigMap key. |
+| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. 
The default is specified in the proxy-connect-timeout ConfigMap key. |
+| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key. |
+| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. |
+| `upstreams[].healthCheck.connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used. |
+| `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. |
+| `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. |
+| `upstreams[].healthCheck.grpcService` | `string` | The gRPC service to be monitored on the upstream server. Only valid on gRPC type upstreams. |
+| `upstreams[].healthCheck.grpcStatus` | `integer` | The expected gRPC status code of the upstream server response to the Check method. Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure 12 if the upstream server responds with 12 (UNIMPLEMENTED) status code. Only valid on gRPC type upstreams. |
+| `upstreams[].healthCheck.headers` | `array` | The request headers used for health check requests. NGINX Plus always sets the Host, User-Agent and Connection headers for health check requests. |
+| `upstreams[].healthCheck.headers[].name` | `string` | The name of the header. |
+| `upstreams[].healthCheck.headers[].value` | `string` | The value of the header. |
+| `upstreams[].healthCheck.interval` | `string` | The interval between two consecutive health checks. The default is 5s. 
|
+| `upstreams[].healthCheck.jitter` | `string` | The time within which each health check will be randomly delayed. By default, there is no delay. |
+| `upstreams[].healthCheck.keepalive-time` | `string` | Enables keepalive connections for health checks and specifies the time during which requests can be processed through one keepalive connection. The default is 60s. |
+| `upstreams[].healthCheck.mandatory` | `boolean` | Require every newly added server to pass all configured health checks before NGINX Plus sends traffic to it. If this is not specified, or is set to false, the server will be initially considered healthy. When combined with slow-start, it gives a new server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. |
+| `upstreams[].healthCheck.passes` | `integer` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. |
+| `upstreams[].healthCheck.path` | `string` | The path used for health check requests. The default is /. This is not configurable for gRPC type upstreams. |
+| `upstreams[].healthCheck.persistent` | `boolean` | Set the initial “up” state for a server after reload if the server was considered healthy before reload. Enabling persistent requires that the mandatory parameter is also set to true. |
+| `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. |
+| `upstreams[].healthCheck.read-timeout` | `string` | The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used. |
+| `upstreams[].healthCheck.send-timeout` | `string` | The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used. 
|
+| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This not supported for gRPC type upstreams. |
+| `upstreams[].healthCheck.tls` | `object` | The TLS configuration used for health check requests. By default, the tls field of the upstream is used. |
+| `upstreams[].healthCheck.tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. |
+| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. The default is set in the keepalive ConfigMap key. |
+| `upstreams[].lb-method` | `string` | The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. |
+| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. |
+| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. The default is set in the max-fails ConfigMap key. |
+| `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. |
+| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. 
The default is error timeout. |
+| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. The 0 value turns off the time limit. The default is 0. |
+| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. The 0 value turns off this limit. The default is 0. |
+| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. |
+| `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535. |
+| `upstreams[].queue` | `object` | Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. |
+| `upstreams[].queue.size` | `integer` | The size of the queue. |
+| `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. |
+| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key. |
+| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key. |
+| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. 
If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported . |
+| `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. |
+| `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. |
+| `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. |
+| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. |
+| `upstreams[].sessionCookie.httpOnly` | `boolean` | Adds the HttpOnly attribute to the cookie. |
+| `upstreams[].sessionCookie.name` | `string` | The name of the cookie. |
+| `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. |
+| `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none |
+| `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. |
+| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored. 
|
+| `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. |
+| `upstreams[].tls` | `object` | The TLS configuration for the Upstream. |
+| `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. |
+| `upstreams[].type` | `string` | The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer. |
+| `upstreams[].use-cluster-ip` | `boolean` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. |
diff --git a/docs/crd/k8s.nginx.org_virtualservers.md b/docs/crd/k8s.nginx.org_virtualservers.md
index 0a683122c..154584e56 100644
--- a/docs/crd/k8s.nginx.org_virtualservers.md
+++ b/docs/crd/k8s.nginx.org_virtualservers.md
@@ -15,247 +15,247 @@ The `.spec` object supports the following fields: | Field | Type | Description | |---|---|---| -| `dos` | `string` | String configuration value. | -| `externalDNS` | `object` | ExternalDNS defines externaldns sub-resource of a virtual server. | -| `externalDNS.enable` | `boolean` | Enable or disable this feature. | -| `externalDNS.labels` | `object` | Labels stores labels defined for the Endpoint | -| `externalDNS.providerSpecific` | `array` | ProviderSpecific stores provider specific config | +| `dos` | `string` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. | +| `externalDNS` | `object` | The externalDNS configuration for a VirtualServer. | +| `externalDNS.enable` | `boolean` | Enables ExternalDNS integration for a VirtualServer resource. The default is false. | +| `externalDNS.labels` | `object` | Configure labels to be applied to the Endpoint resources that will be consumed by ExternalDNS. | +| `externalDNS.providerSpecific` | `array` | Configure provider specific properties which holds the name and value of a configuration which is specific to individual DNS providers. | | `externalDNS.providerSpecific[].name` | `string` | Name of the property | | `externalDNS.providerSpecific[].value` | `string` | Value of the property | -| `externalDNS.recordTTL` | `integer` | TTL for the record | -| `externalDNS.recordType` | `string` | String configuration value. | -| `gunzip` | `boolean` | Enable or disable this feature. | -| `host` | `string` | String configuration value. | -| `http-snippets` | `string` | String configuration value. | -| `ingressClassName` | `string` | String configuration value. | +| `externalDNS.recordTTL` | `integer` | TTL for the DNS record. This defaults to 0 if not defined. | +| `externalDNS.recordType` | `string` | The record Type that should be created, e.g. “A”, “AAAA”, “CNAME”. This is automatically computed based on the external endpoints if not defined. 
| +| `gunzip` | `boolean` | Enables or disables decompression of gzipped responses for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. If the gunzip value is not set, it defaults to off. | +| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. | +| `http-snippets` | `string` | Sets a custom snippet in the http context. | +| `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. | | `internalRoute` | `boolean` | InternalRoute allows for the configuration of internal routing. | -| `listener` | `object` | VirtualServerListener references a custom http and/or https listener defined in GlobalConfiguration. | -| `listener.http` | `string` | String configuration value. | -| `listener.https` | `string` | String configuration value. | -| `policies` | `array` | List of configuration values. | -| `policies[].name` | `string` | String configuration value. | -| `policies[].namespace` | `string` | String configuration value. | -| `routes` | `array` | List of configuration values. | -| `routes[].action` | `object` | Action defines an action. | -| `routes[].action.pass` | `string` | String configuration value. | -| `routes[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].action.proxy.requestHeaders.set` | `array` | List of configuration values. 
| -| `routes[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `routes[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `routes[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `routes[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].action.redirect.url` | `string` | String configuration value. | -| `routes[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].action.return.body` | `string` | String configuration value. | -| `routes[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].action.return.headers` | `array` | List of configuration values. | -| `routes[].action.return.headers[].name` | `string` | String configuration value. | -| `routes[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].action.return.type` | `string` | String configuration value. 
| -| `routes[].dos` | `string` | String configuration value. | -| `routes[].errorPages` | `array` | List of configuration values. | -| `routes[].errorPages[].codes` | `array[integer]` | Configuration field. | -| `routes[].errorPages[].redirect` | `object` | ErrorPageRedirect defines a redirect for an ErrorPage. | -| `routes[].errorPages[].redirect.code` | `integer` | Numeric configuration value. | -| `routes[].errorPages[].redirect.url` | `string` | String configuration value. | -| `routes[].errorPages[].return` | `object` | ErrorPageReturn defines a return for an ErrorPage. | -| `routes[].errorPages[].return.body` | `string` | String configuration value. | -| `routes[].errorPages[].return.code` | `integer` | Numeric configuration value. | -| `routes[].errorPages[].return.headers` | `array` | List of configuration values. | -| `routes[].errorPages[].return.headers[].name` | `string` | String configuration value. | -| `routes[].errorPages[].return.headers[].value` | `string` | String configuration value. | -| `routes[].errorPages[].return.type` | `string` | String configuration value. | -| `routes[].location-snippets` | `string` | String configuration value. | -| `routes[].matches` | `array` | List of configuration values. | -| `routes[].matches[].action` | `object` | Action defines an action. | -| `routes[].matches[].action.pass` | `string` | String configuration value. | -| `routes[].matches[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].matches[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `routes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. 
| -| `routes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].matches[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `routes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `routes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].matches[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].matches[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].matches[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].action.redirect.url` | `string` | String configuration value. | -| `routes[].matches[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].matches[].action.return.body` | `string` | String configuration value. | -| `routes[].matches[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].action.return.headers` | `array` | List of configuration values. | -| `routes[].matches[].action.return.headers[].name` | `string` | String configuration value. 
| -| `routes[].matches[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].matches[].action.return.type` | `string` | String configuration value. | -| `routes[].matches[].conditions` | `array` | List of configuration values. | -| `routes[].matches[].conditions[].argument` | `string` | String configuration value. | -| `routes[].matches[].conditions[].cookie` | `string` | String configuration value. | -| `routes[].matches[].conditions[].header` | `string` | String configuration value. | -| `routes[].matches[].conditions[].value` | `string` | String configuration value. | -| `routes[].matches[].conditions[].variable` | `string` | String configuration value. | -| `routes[].matches[].splits` | `array` | List of configuration values. | -| `routes[].matches[].splits[].action` | `object` | Action defines an action. | -| `routes[].matches[].splits[].action.pass` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].matches[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. 
| -| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].matches[].splits[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].matches[].splits[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].splits[].action.redirect.url` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].matches[].splits[].action.return.body` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].splits[].action.return.headers` | `array` | List of configuration values. | -| `routes[].matches[].splits[].action.return.headers[].name` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return.type` | `string` | String configuration value. | -| `routes[].matches[].splits[].weight` | `integer` | Numeric configuration value. 
| -| `routes[].path` | `string` | String configuration value. | -| `routes[].policies` | `array` | List of configuration values. | -| `routes[].policies[].name` | `string` | String configuration value. | -| `routes[].policies[].namespace` | `string` | String configuration value. | -| `routes[].route` | `string` | String configuration value. | -| `routes[].splits` | `array` | List of configuration values. | -| `routes[].splits[].action` | `object` | Action defines an action. | -| `routes[].splits[].action.pass` | `string` | String configuration value. | -| `routes[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `routes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `routes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. 
| -| `routes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].splits[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].splits[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].splits[].action.redirect.url` | `string` | String configuration value. | -| `routes[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].splits[].action.return.body` | `string` | String configuration value. | -| `routes[].splits[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].splits[].action.return.headers` | `array` | List of configuration values. | -| `routes[].splits[].action.return.headers[].name` | `string` | String configuration value. | -| `routes[].splits[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].splits[].action.return.type` | `string` | String configuration value. | -| `routes[].splits[].weight` | `integer` | Numeric configuration value. | -| `server-snippets` | `string` | String configuration value. | -| `tls` | `object` | TLS defines TLS configuration for a VirtualServer. | -| `tls.cert-manager` | `object` | CertManager defines a cert manager config for a TLS. | -| `tls.cert-manager.cluster-issuer` | `string` | String configuration value. | -| `tls.cert-manager.common-name` | `string` | String configuration value. | -| `tls.cert-manager.duration` | `string` | String configuration value. | -| `tls.cert-manager.issue-temp-cert` | `boolean` | Enable or disable this feature. | -| `tls.cert-manager.issuer` | `string` | String configuration value. | -| `tls.cert-manager.issuer-group` | `string` | String configuration value. 
| -| `tls.cert-manager.issuer-kind` | `string` | String configuration value. | -| `tls.cert-manager.renew-before` | `string` | String configuration value. | -| `tls.cert-manager.usages` | `string` | String configuration value. | -| `tls.redirect` | `object` | TLSRedirect defines a redirect for a TLS. | -| `tls.redirect.basedOn` | `string` | String configuration value. | -| `tls.redirect.code` | `integer` | Numeric configuration value. | -| `tls.redirect.enable` | `boolean` | Enable or disable this feature. | -| `tls.secret` | `string` | String configuration value. | -| `upstreams` | `array` | List of configuration values. | -| `upstreams[].backup` | `string` | String configuration value. | -| `upstreams[].backupPort` | `integer` | Numeric configuration value. | -| `upstreams[].buffer-size` | `string` | String configuration value. | -| `upstreams[].buffering` | `boolean` | Enable or disable this feature. | -| `upstreams[].buffers` | `object` | UpstreamBuffers defines Buffer Configuration for an Upstream. | -| `upstreams[].buffers.number` | `integer` | Numeric configuration value. | -| `upstreams[].buffers.size` | `string` | String configuration value. | -| `upstreams[].client-max-body-size` | `string` | String configuration value. | -| `upstreams[].connect-timeout` | `string` | String configuration value. | -| `upstreams[].fail-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck` | `object` | HealthCheck defines the parameters for active Upstream HealthChecks. | -| `upstreams[].healthCheck.connect-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.fails` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.grpcService` | `string` | String configuration value. | -| `upstreams[].healthCheck.grpcStatus` | `integer` | Numeric configuration value. 
| -| `upstreams[].healthCheck.headers` | `array` | List of configuration values. | -| `upstreams[].healthCheck.headers[].name` | `string` | String configuration value. | -| `upstreams[].healthCheck.headers[].value` | `string` | String configuration value. | -| `upstreams[].healthCheck.interval` | `string` | String configuration value. | -| `upstreams[].healthCheck.jitter` | `string` | String configuration value. | -| `upstreams[].healthCheck.keepalive-time` | `string` | String configuration value. | -| `upstreams[].healthCheck.mandatory` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.passes` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.path` | `string` | String configuration value. | -| `upstreams[].healthCheck.persistent` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.port` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.read-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.send-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.statusMatch` | `string` | String configuration value. | -| `upstreams[].healthCheck.tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. | -| `upstreams[].healthCheck.tls.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].keepalive` | `integer` | Numeric configuration value. | -| `upstreams[].lb-method` | `string` | String configuration value. | -| `upstreams[].max-conns` | `integer` | Numeric configuration value. | -| `upstreams[].max-fails` | `integer` | Numeric configuration value. | -| `upstreams[].name` | `string` | String configuration value. | -| `upstreams[].next-upstream` | `string` | String configuration value. | -| `upstreams[].next-upstream-timeout` | `string` | String configuration value. | -| `upstreams[].next-upstream-tries` | `integer` | Numeric configuration value. 
| -| `upstreams[].ntlm` | `boolean` | Enable or disable this feature. | -| `upstreams[].port` | `integer` | Numeric configuration value. | -| `upstreams[].queue` | `object` | UpstreamQueue defines Queue Configuration for an Upstream. | -| `upstreams[].queue.size` | `integer` | Numeric configuration value. | -| `upstreams[].queue.timeout` | `string` | String configuration value. | -| `upstreams[].read-timeout` | `string` | String configuration value. | -| `upstreams[].send-timeout` | `string` | String configuration value. | -| `upstreams[].service` | `string` | String configuration value. | -| `upstreams[].sessionCookie` | `object` | SessionCookie defines the parameters for session persistence. | -| `upstreams[].sessionCookie.domain` | `string` | String configuration value. | -| `upstreams[].sessionCookie.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].sessionCookie.expires` | `string` | String configuration value. | -| `upstreams[].sessionCookie.httpOnly` | `boolean` | Enable or disable this feature. | -| `upstreams[].sessionCookie.name` | `string` | String configuration value. | -| `upstreams[].sessionCookie.path` | `string` | String configuration value. | -| `upstreams[].sessionCookie.samesite` | `string` | String configuration value. | -| `upstreams[].sessionCookie.secure` | `boolean` | Enable or disable this feature. | -| `upstreams[].slow-start` | `string` | String configuration value. | -| `upstreams[].subselector` | `object` | Configuration object. | -| `upstreams[].tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. | -| `upstreams[].tls.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].type` | `string` | String configuration value. | -| `upstreams[].use-cluster-ip` | `boolean` | Enable or disable this feature. | +| `listener` | `object` | Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. 
Each field must reference the name of a valid listener defined in a GlobalConfiguration resource | +| `listener.http` | `string` | The name of an HTTP listener defined in a GlobalConfiguration resource. | +| `listener.https` | `string` | The name of an HTTPS listener defined in a GlobalConfiguration resource. | +| `policies` | `array` | A list of policies. | +| `policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. | +| `policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | +| `routes` | `array` | A list of routes. | +| `routes[].action` | `object` | The default action to perform for a request. | +| `routes[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | +| `routes[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `routes[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. 
| +| `routes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | +| `routes[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `routes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | +| `routes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. 
For example: Request is ${request_uri}\n. | +| `routes[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].action.return.headers` | `array` | The custom headers of the response. | +| `routes[].action.return.headers[].name` | `string` | The name of the header. | +| `routes[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].dos` | `string` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. | +| `routes[].errorPages` | `array` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | +| `routes[].errorPages[].codes` | `array[integer]` | A list of error status codes. | +| `routes[].errorPages[].redirect` | `object` | The canned response action for the given status codes. | +| `routes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].errorPages[].return` | `object` | The redirect action for the given status codes. | +| `routes[].errorPages[].return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. 
| +| `routes[].errorPages[].return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].errorPages[].return.headers` | `array` | The custom headers of the response. | +| `routes[].errorPages[].return.headers[].name` | `string` | The name of the header. | +| `routes[].errorPages[].return.headers[].value` | `string` | The value of the header. | +| `routes[].errorPages[].return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].location-snippets` | `string` | Sets a custom snippet in the location context. Overrides the location-snippets ConfigMap key. | +| `routes[].matches` | `array` | The matching rules for advanced content-based routing. Requires the default Action or Splits. Unmatched requests will be handled by the default Action or Splits. | +| `routes[].matches[].action` | `object` | The action to perform for a request. | +| `routes[].matches[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].matches[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].matches[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | +| `routes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. 
| +| `routes[].matches[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].matches[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `routes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | +| `routes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `routes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | +| `routes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. 
Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].matches[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].matches[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].matches[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].matches[].action.return.headers` | `array` | The custom headers of the response. | +| `routes[].matches[].action.return.headers[].name` | `string` | The name of the header. | +| `routes[].matches[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].matches[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].matches[].conditions` | `array` | A list of conditions. Must include at least 1 condition. | +| `routes[].matches[].conditions[].argument` | `string` | The name of an argument. Must consist of alphanumeric characters or _. | +| `routes[].matches[].conditions[].cookie` | `string` | The name of a cookie. Must consist of alphanumeric characters or _. | +| `routes[].matches[].conditions[].header` | `string` | The name of a header. Must consist of alphanumeric characters or -. | +| `routes[].matches[].conditions[].value` | `string` | The value to match the condition against. | +| `routes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. | +| `routes[].matches[].splits` | `array` | The splits configuration for traffic splitting. Must include at least 2 splits. | +| `routes[].matches[].splits[].action` | `object` | The action to perform for a request. 
| +| `routes[].matches[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].matches[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].matches[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `routes[].matches[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. 
| +| `routes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | +| `routes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].matches[].splits[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].matches[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].matches[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].matches[].splits[].action.return.headers` | `array` | The custom headers of the response. 
| +| `routes[].matches[].splits[].action.return.headers[].name` | `string` | The name of the header. | +| `routes[].matches[].splits[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].matches[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].matches[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | +| `routes[].path` | `string` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. | +| `routes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. | +| `routes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. | +| `routes[].policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | +| `routes[].route` | `string` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. 
| +| `routes[].splits` | `array` | The default splits configuration for traffic splitting. Must include at least 2 splits. | +| `routes[].splits[].action` | `object` | The action to perform for a request. | +| `routes[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | +| `routes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `routes[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `routes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | +| `routes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. 
| +| `routes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | +| `routes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].splits[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].splits[].action.return.headers` | `array` | The custom headers of the response. | +| `routes[].splits[].action.return.headers[].name` | `string` | The name of the header. 
| +| `routes[].splits[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | +| `server-snippets` | `string` | Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. | +| `tls` | `object` | The TLS termination configuration. | +| `tls.cert-manager` | `object` | The cert-manager configuration of the TLS for a VirtualServer. | +| `tls.cert-manager.cluster-issuer` | `string` | The name of a ClusterIssuer. A ClusterIssuer is a cert-manager resource which describes the certificate authority capable of signing certificates. It does not matter which namespace your VirtualServer resides, as ClusterIssuers are non-namespaced resources. Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. | +| `tls.cert-manager.common-name` | `string` | This field allows you to configure spec.commonName for the Certificate to be generated. This configuration adds a CN to the x509 certificate. | +| `tls.cert-manager.duration` | `string` | This field allows you to configure spec.duration field for the Certificate to be generated. Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | +| `tls.cert-manager.issue-temp-cert` | `boolean` | When true, ask cert-manager for a temporary self-signed certificate pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. | +| `tls.cert-manager.issuer` | `string` | The name of an Issuer. 
An Issuer is a cert-manager resource which describes the certificate authority capable of signing certificates. The Issuer must be in the same namespace as the VirtualServer resource. Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. | +| `tls.cert-manager.issuer-group` | `string` | The API group of the external issuer controller, for example awspca.cert-manager.io. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. | +| `tls.cert-manager.issuer-kind` | `string` | The kind of the external issuer resource, for example AWSPCAIssuer. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. | +| `tls.cert-manager.renew-before` | `string` | This annotation allows you to configure spec.renewBefore field for the Certificate to be generated. Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | +| `tls.cert-manager.usages` | `string` | This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. key agreement,digital signature, server auth. An exhaustive list of supported key usages can be found in the the cert-manager api documentation. | +| `tls.redirect` | `object` | The redirect configuration of the TLS for a VirtualServer. | +| `tls.redirect.basedOn` | `string` | The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are scheme (the scheme of the request) or x-forwarded-proto (the X-Forwarded-Proto header of the request). The default is scheme. | +| `tls.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `tls.redirect.enable` | `boolean` | Enables a TLS redirect for a VirtualServer. 
The default is False. | +| `tls.secret` | `string` | The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type kubernetes.io/tls and contain keys named tls.crt and tls.key that contain the certificate and private key as described here. If the secret doesn’t exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. If the secret is not specified but wildcard TLS secret is configured, NGINX will use the wildcard secret for TLS termination. | +| `upstreams` | `array` | A list of upstreams. | +| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. | +| `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | +| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key. | +| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key. | +| `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. | +| `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. | +| `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. | +| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. 
The default is set in the client-max-body-size ConfigMap key. | +| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. The default is specified in the proxy-connect-timeout ConfigMap key. | +| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key. | +| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].healthCheck.connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used. | +| `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | +| `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | +| `upstreams[].healthCheck.grpcService` | `string` | The gRPC service to be monitored on the upstream server. Only valid on gRPC type upstreams. | +| `upstreams[].healthCheck.grpcStatus` | `integer` | The expected gRPC status code of the upstream server response to the Check method. Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure 12 if the upstream server responds with 12 (UNIMPLEMENTED) status code. Only valid on gRPC type upstreams. | +| `upstreams[].healthCheck.headers` | `array` | The request headers used for health check requests. NGINX Plus always sets the Host, User-Agent and Connection headers for health check requests. | +| `upstreams[].healthCheck.headers[].name` | `string` | The name of the header. 
| +| `upstreams[].healthCheck.headers[].value` | `string` | The value of the header. | +| `upstreams[].healthCheck.interval` | `string` | The interval between two consecutive health checks. The default is 5s. | +| `upstreams[].healthCheck.jitter` | `string` | The time within which each health check will be randomly delayed. By default, there is no delay. | +| `upstreams[].healthCheck.keepalive-time` | `string` | Enables keepalive connections for health checks and specifies the time during which requests can be processed through one keepalive connection. The default is 60s. | +| `upstreams[].healthCheck.mandatory` | `boolean` | Require every newly added server to pass all configured health checks before NGINX Plus sends traffic to it. If this is not specified, or is set to false, the server will be initially considered healthy. When combined with slow-start, it gives a new server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. | +| `upstreams[].healthCheck.passes` | `integer` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. | +| `upstreams[].healthCheck.path` | `string` | The path used for health check requests. The default is /. This is not configurable for gRPC type upstreams. | +| `upstreams[].healthCheck.persistent` | `boolean` | Set the initial “up” state for a server after reload if the server was considered healthy before reload. Enabling persistent requires that the mandatory parameter is also set to true. | +| `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | +| `upstreams[].healthCheck.read-timeout` | `string` | The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used. 
| +| `upstreams[].healthCheck.send-timeout` | `string` | The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used. | +| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This not supported for gRPC type upstreams. | +| `upstreams[].healthCheck.tls` | `object` | The TLS configuration used for health check requests. By default, the tls field of the upstream is used. | +| `upstreams[].healthCheck.tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | +| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. The default is set in the keepalive ConfigMap key. | +| `upstreams[].lb-method` | `string` | The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. | +| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. | +| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. The default is set in the max-fails ConfigMap key. | +| `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. 
The name must be unique among all upstreams of the resource. | +| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. The default is error timeout. | +| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. The 0 value turns off the time limit. The default is 0. | +| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. The 0 value turns off this limit. The default is 0. | +| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535. | +| `upstreams[].queue` | `object` | Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].queue.size` | `integer` | The size of the queue. | +| `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. | +| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key. | +| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key. 
| +| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported . | +| `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. | +| `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. | +| `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. | +| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. | +| `upstreams[].sessionCookie.httpOnly` | `boolean` | Adds the HttpOnly attribute to the cookie. | +| `upstreams[].sessionCookie.name` | `string` | The name of the cookie. | +| `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. | +| `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none | +| `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. | +| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. 
Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored. |
+| `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. |
+| `upstreams[].tls` | `object` | The TLS configuration for the Upstream. |
+| `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. |
+| `upstreams[].type` | `string` | The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer. |
+| `upstreams[].use-cluster-ip` | `boolean` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. |
diff --git a/go.mod b/go.mod
index a3f1e50f2..71d7216c4 100644
--- a/go.mod
+++ b/go.mod
@@ -177,16 +177,17 @@ require (
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
 go.yaml.in/yaml/v2 v2.4.2 // indirect
- golang.org/x/crypto v0.39.0 // indirect
- golang.org/x/mod v0.25.0 // indirect
- golang.org/x/net v0.41.0 // indirect
+ golang.org/x/crypto v0.40.0 // indirect
+ golang.org/x/mod v0.26.0 // indirect
+ golang.org/x/net v0.42.0 // indirect
 golang.org/x/oauth2 v0.30.0 // indirect
- golang.org/x/sync v0.15.0 // indirect
- golang.org/x/sys v0.33.0 // indirect
- golang.org/x/term v0.32.0 // indirect
- golang.org/x/text v0.26.0 // indirect
+ golang.org/x/sync v0.16.0 // indirect
+ golang.org/x/sys v0.34.0 // indirect
+ golang.org/x/term v0.33.0 // indirect
+ golang.org/x/text v0.27.0 // indirect
 golang.org/x/time v0.9.0 // indirect
- golang.org/x/tools v0.33.0 // indirect
+ golang.org/x/tools v0.35.0 // indirect
+ golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
 google.golang.org/grpc v1.73.0 // indirect
diff --git a/go.sum b/go.sum
index 4f17b1d7e..59f79b807 100644
--- a/go.sum
+++ b/go.sum
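Review bot: The new indirect requirement `golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated` adds a module whose version string marks it as deprecated, and nothing in the hunk records why it is now part of the dependency graph. It appears to be dragged in by the bump to `golang.org/x/tools v0.35.0` (packagestest seems to have been split out of x/tools into its own module), but that is an inference; confirm with `go mod why -m golang.org/x/tools/go/packages/packagestest` and check whether `go mod tidy` still keeps it once the consumer is known. A deprecated module gets no further fixes, so it is worth knowing which dependency keeps it in the graph and tracking it for removal rather than letting it sit as an unexplained `// indirect` line.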
@@ -461,14 +461,14 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -481,8 +481,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -490,8 +490,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -508,24 +508,24 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= +golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= +golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= 
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= -golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= +golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= +golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -534,8 +534,12 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= -golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= +golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0= +golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw= +golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY= +golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml b/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 000000000..f4f88de75 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml 
@@ -0,0 +1,66 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + ipv4: + type: string + ipv6: + type: string + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true diff --git a/nginx-ingress/crds/k8s.nginx.org_policies.yaml b/nginx-ingress/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 000000000..b3cfc7284 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_policies.yaml 
@@ -0,0 +1,279 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. 
+ properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + apiKey: + description: APIKey defines an API Key policy. + properties: + clientSecret: + type: string + suppliedIn: + description: SuppliedIn defines the locations API Key should be + supplied in. + properties: + header: + items: + type: string + type: array + query: + items: + type: string + type: array + type: object + type: object + basicAuth: + description: BasicAuth holds HTTP Basic authentication configuration + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. 
+ properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + endSessionEndpoint: + type: string + jwksURI: + type: string + postLogoutRedirectURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + condition: + description: RateLimitCondition defines a condition for a rate + limit policy. + properties: + default: + description: sets the rate limit in this policy to be the + default if no conditions are met. In a group of policies + with the same JWT condition, only one policy can be the + default. + type: boolean + jwt: + description: defines a JWT condition to rate limit against. + properties: + claim: + description: the JWT claim to be rate limit by. Nested + claims should be separated by "." + pattern: ^([^$\s"'])*$ + type: string + match: + description: the value of the claim to match against. + pattern: ^([^$\s."'])*$ + type: string + required: + - claim + - match + type: object + type: object + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + scale: + type: boolean + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. 
+ properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml b/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 000000000..9034caf24 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml 
@@ -0,0 +1,175 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. 
+ properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml b/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 000000000..7093ff4a5 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml 
@@ -0,0 +1,729 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. 
+ properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. 
+ properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. 
+ properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. 
+ properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml b/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 000000000..7c3c9f7a7 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml 
@@ -0,0 +1,829 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. 
+ properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: |- + ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. 
+ properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. 
+ properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. 
+ properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. 
+ properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. 
+ properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. 
+ properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 6d21cc862..df32e367d 100644 --- a/pkg/apis/configuration/v1/types.go 
+++ b/pkg/apis/configuration/v1/types.go 
@@ -35,45 +35,61 @@ const (
 type VirtualServer struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
-
- Spec VirtualServerSpec `json:"spec"`
+ Spec VirtualServerSpec `json:"spec"`
+ // Status contains the current status of the VirtualServer.
 Status VirtualServerStatus `json:"status"`
 }
 // VirtualServerSpec is the spec of the VirtualServer resource.
 type VirtualServerSpec struct {
- IngressClass string `json:"ingressClassName"`
- Host string `json:"host"`
- Listener *VirtualServerListener `json:"listener"`
- TLS *TLS `json:"tls"`
- Gunzip bool `json:"gunzip"`
- Policies []PolicyReference `json:"policies"`
- Upstreams []Upstream `json:"upstreams"`
- Routes []Route `json:"routes"`
- HTTPSnippets string `json:"http-snippets"`
- ServerSnippets string `json:"server-snippets"`
- Dos string `json:"dos"`
- ExternalDNS ExternalDNS `json:"externalDNS"`
+ // Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource.
+ IngressClass string `json:"ingressClassName"`
+ // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources.
+ Host string `json:"host"`
+ // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource
+ Listener *VirtualServerListener `json:"listener"`
+ // The TLS termination configuration.
+ TLS *TLS `json:"tls"`
+ // Enables or disables decompression of gzipped responses for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. If the gunzip value is not set, it defaults to off.
+ Gunzip bool `json:"gunzip"`
+ // A list of policies.
+ Policies []PolicyReference `json:"policies"`
+ // A list of upstreams.
+ Upstreams []Upstream `json:"upstreams"`
+ // A list of routes.
+ Routes []Route `json:"routes"`
+ // Sets a custom snippet in the http context.
+ HTTPSnippets string `json:"http-snippets"`
+ // Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key.
+ ServerSnippets string `json:"server-snippets"`
+ // A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route.
+ Dos string `json:"dos"`
+ // The externalDNS configuration for a VirtualServer.
+ ExternalDNS ExternalDNS `json:"externalDNS"`
 // InternalRoute allows for the configuration of internal routing.
 InternalRoute bool `json:"internalRoute"`
 }
 // VirtualServerListener references a custom http and/or https listener defined in GlobalConfiguration.
 type VirtualServerListener struct {
- HTTP string `json:"http"`
+ // The name of an HTTP listener defined in a GlobalConfiguration resource.
+ HTTP string `json:"http"`
+ // The name of an HTTPS listener defined in a GlobalConfiguration resource.
 HTTPS string `json:"https"`
 }
 // ExternalDNS defines externaldns sub-resource of a virtual server.
 type ExternalDNS struct {
- Enable bool `json:"enable"`
+ // Enables ExternalDNS integration for a VirtualServer resource. The default is false.
+ Enable bool `json:"enable"`
+ // The record Type that should be created, e.g. “A”, “AAAA”, “CNAME”. This is automatically computed based on the external endpoints if not defined.
 RecordType string `json:"recordType,omitempty"`
- // TTL for the record
+ // TTL for the DNS record. This defaults to 0 if not defined.
 RecordTTL int64 `json:"recordTTL,omitempty"`
- // Labels stores labels defined for the Endpoint
+ // Configure labels to be applied to the Endpoint resources that will be consumed by ExternalDNS.
 // +optional
 Labels map[string]string `json:"labels,omitempty"`
- // ProviderSpecific stores provider specific config
+ // Configure provider specific properties which holds the name and value of a configuration which is specific to individual DNS providers.
 // +optional
 ProviderSpecific ProviderSpecific `json:"providerSpecific,omitempty"`
 }
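Review bot: The new doc comment on IngressClass in VirtualServerSpec describes the VirtualServerRoute resource ("must handle the VirtualServerRoute resource ... the VirtualServer that references this resource"), which reads as copied from VirtualServerRouteSpec; controller-gen turns these comments into the CRD descriptions users see in `kubectl explain`, so the wrong wording would ship in the schema that tells operators which controller will claim the resource. Suggest `// Specifies which Ingress Controller must handle the VirtualServer resource.` The Gunzip comment likewise lists the string values “on”/“off” and “yes”/“no”, but the field is a Go bool and the virtualservers CRD in this same commit declares `gunzip` as `type: boolean`, so only JSON true/false will pass API-server validation; `// Enables or disables decompression of gzipped responses for clients. The default is false.` matches the type. The Listener comment is also missing its terminating period.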
@@ -92,183 +108,288 @@ type ProviderSpecificProperty struct {
 // PolicyReference references a policy by name and an optional namespace.
 type PolicyReference struct {
- Name string `json:"name"`
+ // The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code.
+ Name string `json:"name"`
+ // The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used.
 Namespace string `json:"namespace"`
 }
 // Upstream defines an upstream.
 type Upstream struct {
- Name string `json:"name"`
- Service string `json:"service"`
- Subselector map[string]string `json:"subselector"`
- Port uint16 `json:"port"`
- LBMethod string `json:"lb-method"`
- FailTimeout string `json:"fail-timeout"`
- MaxFails *int `json:"max-fails"`
- MaxConns *int `json:"max-conns"`
- Keepalive *int `json:"keepalive"`
- ProxyConnectTimeout string `json:"connect-timeout"`
- ProxyReadTimeout string `json:"read-timeout"`
- ProxySendTimeout string `json:"send-timeout"`
- ProxyNextUpstream string `json:"next-upstream"`
- ProxyNextUpstreamTimeout string `json:"next-upstream-timeout"`
- ProxyNextUpstreamTries int `json:"next-upstream-tries"`
- ProxyBuffering *bool `json:"buffering"`
- ProxyBuffers *UpstreamBuffers `json:"buffers"`
- ProxyBufferSize string `json:"buffer-size"`
- ClientMaxBodySize string `json:"client-max-body-size"`
- TLS UpstreamTLS `json:"tls"`
- HealthCheck *HealthCheck `json:"healthCheck"`
- SlowStart string `json:"slow-start"`
- Queue *UpstreamQueue `json:"queue"`
- SessionCookie *SessionCookie `json:"sessionCookie"`
- UseClusterIP bool `json:"use-cluster-ip"`
- NTLM bool `json:"ntlm"`
- Type string `json:"type"`
- Backup string `json:"backup"`
- BackupPort *uint16 `json:"backupPort"`
+ // The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource.
+ Name string `json:"name"`
+ // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported .
+ Service string `json:"service"`
+ // Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed.
+ Subselector map[string]string `json:"subselector"`
+ // The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535.
+ Port uint16 `json:"port"`
+ // The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key.
+ LBMethod string `json:"lb-method"`
+ // The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key.
+ FailTimeout string `json:"fail-timeout"`
+ // The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. The default is set in the max-fails ConfigMap key.
+ MaxFails *int `json:"max-fails"`
+ // The maximum number of simultaneous active connections to an upstream server. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value.
+ MaxConns *int `json:"max-conns"`
+ // Configures the cache for connections to upstream servers. The value 0 disables the cache. The default is set in the keepalive ConfigMap key.
+ Keepalive *int `json:"keepalive"`
+ // The timeout for establishing a connection with an upstream server. The default is specified in the proxy-connect-timeout ConfigMap key.
+ ProxyConnectTimeout string `json:"connect-timeout"`
+ // The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key.
+ ProxyReadTimeout string `json:"read-timeout"`
+ // The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key.
+ ProxySendTimeout string `json:"send-timeout"`
+ // Specifies in which cases a request should be passed to the next upstream server. The default is error timeout.
+ ProxyNextUpstream string `json:"next-upstream"`
+ // The time during which a request can be passed to the next upstream server. The 0 value turns off the time limit. The default is 0.
+ ProxyNextUpstreamTimeout string `json:"next-upstream-timeout"`
+ // The number of possible tries for passing a request to the next upstream server. The 0 value turns off this limit. The default is 0.
+ ProxyNextUpstreamTries int `json:"next-upstream-tries"`
+ // Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key.
+ ProxyBuffering *bool `json:"buffering"`
+ // Configures the buffers used for reading a response from the upstream server for a single connection.
+ ProxyBuffers *UpstreamBuffers `json:"buffers"`
+ // Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key.
+ ProxyBufferSize string `json:"buffer-size"`
+ // Sets the maximum allowed size of the client request body. The default is set in the client-max-body-size ConfigMap key.
+ ClientMaxBodySize string `json:"client-max-body-size"`
+ // The TLS configuration for the Upstream.
+ TLS UpstreamTLS `json:"tls"`
+ // The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus.
+ HealthCheck *HealthCheck `json:"healthCheck"`
+ // The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored.
+ SlowStart string `json:"slow-start"`
+ // Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus.
+ Queue *UpstreamQueue `json:"queue"`
+ // The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus.
+ SessionCookie *SessionCookie `json:"sessionCookie"`
+ // Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP.
+ UseClusterIP bool `json:"use-cluster-ip"`
+ // Allows proxying requests with NTLM Authentication. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus.
+ NTLM bool `json:"ntlm"`
+ // The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer.
+ Type string `json:"type"`
+ // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods.
+ Backup string `json:"backup"`
+ // The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535.
+ BackupPort *uint16 `json:"backupPort"`
 }
 // UpstreamBuffers defines Buffer Configuration for an Upstream.
 type UpstreamBuffers struct {
- Number int `json:"number"`
- Size string `json:"size"`
+ // Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key.
+ Number int `json:"number"`
+ // Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key.
+ Size string `json:"size"`
 }
 // UpstreamTLS defines a TLS configuration for an Upstream.
 type UpstreamTLS struct {
+ // Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy.
 Enable bool `json:"enable"`
 }
 // HealthCheck defines the parameters for active Upstream HealthChecks.
 type HealthCheck struct {
- Enable bool `json:"enable"`
- Path string `json:"path"`
- Interval string `json:"interval"`
- Jitter string `json:"jitter"`
- Fails int `json:"fails"`
- Passes int `json:"passes"`
- Port int `json:"port"`
- TLS *UpstreamTLS `json:"tls"`
- ConnectTimeout string `json:"connect-timeout"`
- ReadTimeout string `json:"read-timeout"`
- SendTimeout string `json:"send-timeout"`
- Headers []Header `json:"headers"`
- StatusMatch string `json:"statusMatch"`
- GRPCStatus *int `json:"grpcStatus"`
- GRPCService string `json:"grpcService"`
- Mandatory bool `json:"mandatory"`
- Persistent bool `json:"persistent"`
- KeepaliveTime string `json:"keepalive-time"`
+ // Enables a health check for an upstream server. The default is false.
+ Enable bool `json:"enable"`
+ // The path used for health check requests. The default is /. This is not configurable for gRPC type upstreams.
+ Path string `json:"path"`
+ // The interval between two consecutive health checks. The default is 5s.
+ Interval string `json:"interval"`
+ // The time within which each health check will be randomly delayed. By default, there is no delay.
+ Jitter string `json:"jitter"`
+ // The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1.
+ Fails int `json:"fails"`
+ // The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1.
+ Passes int `json:"passes"`
+ // The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod.
+ Port int `json:"port"`
+ // The TLS configuration used for health check requests. By default, the tls field of the upstream is used.
+ TLS *UpstreamTLS `json:"tls"`
+ // The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used.
+ ConnectTimeout string `json:"connect-timeout"`
+ // The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used.
+ ReadTimeout string `json:"read-timeout"`
+ // The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used.
+ SendTimeout string `json:"send-timeout"`
+ // The request headers used for health check requests. NGINX Plus always sets the Host, User-Agent and Connection headers for health check requests.
+ Headers []Header `json:"headers"`
+ // The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This not supported for gRPC type upstreams.
+ StatusMatch string `json:"statusMatch"`
+ // The expected gRPC status code of the upstream server response to the Check method. Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure 12 if the upstream server responds with 12 (UNIMPLEMENTED) status code. Only valid on gRPC type upstreams.
+ GRPCStatus *int `json:"grpcStatus"`
+ // The gRPC service to be monitored on the upstream server. Only valid on gRPC type upstreams.
+ GRPCService string `json:"grpcService"`
+ // Require every newly added server to pass all configured health checks before NGINX Plus sends traffic to it. If this is not specified, or is set to false, the server will be initially considered healthy. When combined with slow-start, it gives a new server more time to connect to databases and “warm up” before being asked to handle their full share of traffic.
+ Mandatory bool `json:"mandatory"`
+ // Set the initial “up” state for a server after reload if the server was considered healthy before reload. Enabling persistent requires that the mandatory parameter is also set to true.
+ Persistent bool `json:"persistent"` + // Enables keepalive connections for health checks and specifies the time during which requests can be processed through one keepalive connection. The default is 60s. + KeepaliveTime string `json:"keepalive-time"` } // Header defines an HTTP Header. type Header struct { - Name string `json:"name"` + // The name of the header. + Name string `json:"name"` + // The value of the header. Value string `json:"value"` } // SessionCookie defines the parameters for session persistence. type SessionCookie struct { - Enable bool `json:"enable"` - Name string `json:"name"` - Path string `json:"path"` - Expires string `json:"expires"` - Domain string `json:"domain"` - HTTPOnly bool `json:"httpOnly"` - Secure bool `json:"secure"` + // Enables session persistence with a session cookie for an upstream server. The default is false. + Enable bool `json:"enable"` + // The name of the cookie. + Name string `json:"name"` + // The path for which the cookie is set. + Path string `json:"path"` + // The time for which a browser should keep the cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. + Expires string `json:"expires"` + // The domain for which the cookie is set. + Domain string `json:"domain"` + // Adds the HttpOnly attribute to the cookie. + HTTPOnly bool `json:"httpOnly"` + // Adds the Secure attribute to the cookie. + Secure bool `json:"secure"` + // Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none SameSite string `json:"samesite"` } // Route defines a route. type Route struct { - Path string `json:"path"` - Policies []PolicyReference `json:"policies"` - Route string `json:"route"` - Action *Action `json:"action"` - Splits []Split `json:"splits"` - Matches []Match `json:"matches"` - ErrorPages []ErrorPage `json:"errorPages"` - LocationSnippets string `json:"location-snippets"` - Dos string `json:"dos"` + // The path of the route. 
NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. + Path string `json:"path"` + // A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. + Policies []PolicyReference `json:"policies"` + // The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. + Route string `json:"route"` + // The default action to perform for a request. + Action *Action `json:"action"` + // The default splits configuration for traffic splitting. Must include at least 2 splits. + Splits []Split `json:"splits"` + // The matching rules for advanced content-based routing. Requires the default Action or Splits. Unmatched requests will be handled by the default Action or Splits. + Matches []Match `json:"matches"` + // The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. + ErrorPages []ErrorPage `json:"errorPages"` + // Sets a custom snippet in the location context. Overrides the location-snippets ConfigMap key. 
+ LocationSnippets string `json:"location-snippets"` + // A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. + Dos string `json:"dos"` } // Action defines an action. type Action struct { - Pass string `json:"pass"` + // Passes requests to an upstream. The upstream with that name must be defined in the resource. + Pass string `json:"pass"` + // Redirects requests to a provided URL. Redirect *ActionRedirect `json:"redirect"` - Return *ActionReturn `json:"return"` - Proxy *ActionProxy `json:"proxy"` + // Returns a preconfigured response. + Return *ActionReturn `json:"return"` + // Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). + Proxy *ActionProxy `json:"proxy"` } // ActionRedirect defines a redirect in an Action. type ActionRedirect struct { - URL string `json:"url"` - Code int `json:"code"` + // The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. + URL string `json:"url"` + // The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. + Code int `json:"code"` } // ActionReturn defines a return in an Action. type ActionReturn struct { - Code int `json:"code"` - Type string `json:"type"` - Body string `json:"body"` + // The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. + Code int `json:"code"` + // The MIME type of the response. The default is text/plain. + Type string `json:"type"` + // The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. + Body string `json:"body"` + // The custom headers of the response. Headers []Header `json:"headers"` } // ActionProxy defines a proxy in an Action. 
type ActionProxy struct { - Upstream string `json:"upstream"` - RewritePath string `json:"rewritePath"` - RequestHeaders *ProxyRequestHeaders `json:"requestHeaders"` + // The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. + Upstream string `json:"upstream"` + // The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. + RewritePath string `json:"rewritePath"` + // The request headers modifications. + RequestHeaders *ProxyRequestHeaders `json:"requestHeaders"` + // The response headers modifications. ResponseHeaders *ProxyResponseHeaders `json:"responseHeaders"` } // ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. type ProxyRequestHeaders struct { - Pass *bool `json:"pass"` - Set []Header `json:"set"` + // Passes the original request headers to the proxied upstream server. Default is true. + Pass *bool `json:"pass"` + // Allows redefining or appending fields to present request headers passed to the proxied upstream servers. + Set []Header `json:"set"` } // ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. type ProxyResponseHeaders struct { - Hide []string `json:"hide"` - Pass []string `json:"pass"` - Ignore []string `json:"ignore"` - Add []AddHeader `json:"add"` + // The headers that will not be passed* in the response to the client from a proxied upstream server. + Hide []string `json:"hide"` + // Allows passing the hidden header fields* to the client from a proxied upstream server. + Pass []string `json:"pass"` + // Disables processing of certain headers** to the client from a proxied upstream server. + Ignore []string `json:"ignore"` + // Adds headers to the response to the client. 
+ Add []AddHeader `json:"add"` } // AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. type AddHeader struct { Header `json:",inline"` + // If set to true, add the header regardless of the response status code**. Default is false. Always bool `json:"always"` } // Split defines a split. type Split struct { - Weight int `json:"weight"` + // The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. + Weight int `json:"weight"` + // The action to perform for a request. Action *Action `json:"action"` } // Condition defines a condition in a MatchRule. type Condition struct { - Header string `json:"header"` - Cookie string `json:"cookie"` + // The name of a header. Must consist of alphanumeric characters or -. + Header string `json:"header"` + // The name of a cookie. Must consist of alphanumeric characters or _. + Cookie string `json:"cookie"` + // The name of an argument. Must consist of alphanumeric characters or _. Argument string `json:"argument"` + // The name of an NGINX variable. Must start with $. Variable string `json:"variable"` - Value string `json:"value"` + // The value to match the condition against. + Value string `json:"value"` } // Match defines a match. type Match struct { + // A list of conditions. Must include at least 1 condition. Conditions []Condition `json:"conditions"` - Action *Action `json:"action"` - Splits []Split `json:"splits"` + // The action to perform for a request. + Action *Action `json:"action"` + // The splits configuration for traffic splitting. Must include at least 2 splits. + Splits []Split `json:"splits"` } // ErrorPage defines an ErrorPage in a Route. type ErrorPage struct { - Codes []int `json:"codes"` - Return *ErrorPageReturn `json:"return"` + // A list of error status codes. + Codes []int `json:"codes"` + // The redirect action for the given status codes. 
+ Return *ErrorPageReturn `json:"return"` + // The canned response action for the given status codes. Redirect *ErrorPageRedirect `json:"redirect"` } 
@@ -284,29 +405,44 @@ type ErrorPageRedirect struct { // TLS defines TLS configuration for a VirtualServer. type TLS struct { - Secret string `json:"secret"` - Redirect *TLSRedirect `json:"redirect"` + // The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type kubernetes.io/tls and contain keys named tls.crt and tls.key that contain the certificate and private key as described here. If the secret doesn’t exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. If the secret is not specified but wildcard TLS secret is configured, NGINX will use the wildcard secret for TLS termination. + Secret string `json:"secret"` + // The redirect configuration of the TLS for a VirtualServer. + Redirect *TLSRedirect `json:"redirect"` + // The cert-manager configuration of the TLS for a VirtualServer. CertManager *CertManager `json:"cert-manager"` } // TLSRedirect defines a redirect for a TLS. type TLSRedirect struct { - Enable bool `json:"enable"` - Code *int `json:"code"` + // Enables a TLS redirect for a VirtualServer. The default is False. + Enable bool `json:"enable"` + // The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. + Code *int `json:"code"` + // The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are scheme (the scheme of the request) or x-forwarded-proto (the X-Forwarded-Proto header of the request). The default is scheme. BasedOn string `json:"basedOn"` } // CertManager defines a cert manager config for a TLS. type CertManager struct { + // the name of a ClusterIssuer. A ClusterIssuer is a cert-manager resource which describes the certificate authority capable of signing certificates. It does not matter which namespace your VirtualServer resides, as ClusterIssuers are non-namespaced resources. 
Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. ClusterIssuer string `json:"cluster-issuer"` - Issuer string `json:"issuer"` - IssuerKind string `json:"issuer-kind"` - IssuerGroup string `json:"issuer-group"` - CommonName string `json:"common-name"` - Duration string `json:"duration"` - RenewBefore string `json:"renew-before"` - Usages string `json:"usages"` - IssueTempCert bool `json:"issue-temp-cert"` + // the name of an Issuer. An Issuer is a cert-manager resource which describes the certificate authority capable of signing certificates. The Issuer must be in the same namespace as the VirtualServer resource. Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. + Issuer string `json:"issuer"` + // The kind of the external issuer resource, for example AWSPCAIssuer. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. + IssuerKind string `json:"issuer-kind"` + // The API group of the external issuer controller, for example awspca.cert-manager.io. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. + IssuerGroup string `json:"issuer-group"` + // This field allows you to configure spec.commonName for the Certificate to be generated. This configuration adds a CN to the x509 certificate. + CommonName string `json:"common-name"` + // This field allows you to configure spec.duration field for the Certificate to be generated. Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. + Duration string `json:"duration"` + // this annotation allows you to configure spec.renewBefore field for the Certificate to be generated. 
Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. + RenewBefore string `json:"renew-before"` + // This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. key agreement,digital signature, server auth. An exhaustive list of supported key usages can be found in the the cert-manager api documentation. + Usages string `json:"usages"` + // When true, ask cert-manager for a temporary self-signed certificate pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. + IssueTempCert bool `json:"issue-temp-cert"` } // VirtualServerStatus defines the status for the VirtualServer resource. @@ -357,10 +493,14 @@ type VirtualServerRoute struct { // VirtualServerRouteSpec is the spec of the VirtualServerRoute resource. type VirtualServerRouteSpec struct { - IngressClass string `json:"ingressClassName"` - Host string `json:"host"` - Upstreams []Upstream `json:"upstreams"` - Subroutes []Route `json:"subroutes"` + // Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. + IngressClass string `json:"ingressClassName"` + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. Must be the same as the host of the VirtualServer that references this resource. + Host string `json:"host"` + // A list of upstreams. + Upstreams []Upstream `json:"upstreams"` + // A list of subroutes. + Subroutes []Route `json:"subroutes"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 
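Review bot: The new CertManager comments carry wording copied from a different surface: the RenewBefore comment opens with "this annotation allows you to configure", but this is a struct field, not an Ingress annotation, and the Usages comment has a doubled "the the". The TLS.Secret comment ends with "as described here", which referred to a hyperlink in the original docs and now dangles in a Go comment. Suggest `// This field allows you to configure the spec.renewBefore field for the Certificate to be generated.` for RenewBefore, `... can be found in the cert-manager api documentation.` for Usages, and replacing "as described here" with a self-contained sentence about the kubernetes.io/tls secret layout that the comment already spells out (tls.crt and tls.key). The ClusterIssuer and Issuer comments also start lowercase ("the name of ...") unlike every other comment in the hunk; these comments appear to be the source of the generated CRD descriptions, so the text should read cleanly on its own.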
@@ -375,16 +515,23 @@ type VirtualServerRouteList struct { // UpstreamQueue defines Queue Configuration for an Upstream. type UpstreamQueue struct { - Size int `json:"size"` + // The size of the queue. + Size int `json:"size"` + // The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. Timeout string `json:"timeout"` } // VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. type VirtualServerRouteStatus struct { - State string `json:"state"` - Reason string `json:"reason"` - Message string `json:"message"` - ReferencedBy string `json:"referencedBy"` + // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or NGINX + State string `json:"state"` + // The reason of the current state of the resource. + Reason string `json:"reason"` + // The message of the current state of the resource. It can contain more detailed information about the reason. + Message string `json:"message"` + // Defines how other resources reference this resource. + ReferencedBy string `json:"referencedBy"` + // Defines the IPs, hostnames and ports used to connect to this resource. ExternalEndpoints []ExternalEndpoint `json:"externalEndpoints,omitempty"` } 
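Review bot: The new comment on VirtualServerRouteStatus.State is cut off mid-sentence: it ends with "Invalid means the resource failed validation or NGINX" and never says what the Warning state means. The same truncation appears on PolicyStatus.State in the `@@ -554,15 +749,18 @@` hunk ("...failed validation or"). The complete form already used for TransportServerStatus.State in the `@@ -467,67 +631,99 @@` hunk fits both: `// Represents the current state of the resource. Possible values: Valid (resource validated and accepted), Invalid (validation failed or config reload failed), or Warning (validated but may work in degraded state).`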
@@ -398,23 +545,29 @@ type VirtualServerRouteStatus struct { type GlobalConfiguration struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec GlobalConfigurationSpec `json:"spec"` + Spec GlobalConfigurationSpec `json:"spec"` } -// GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. +// GlobalConfigurationSpec resource defines the global configuration parameters of the Ingress Controller. type GlobalConfigurationSpec struct { + // Listeners field of the GlobalConfigurationSpec resource Listeners []Listener `json:"listeners"` } // Listener defines a listener. type Listener struct { - Name string `json:"name"` - Port int `json:"port"` - IPv4 string `json:"ipv4"` - IPv6 string `json:"ipv6"` + // The name of the listener. The name must be unique across all listeners. + Name string `json:"name"` + // The protocol of the listener. For example, HTTP. Protocol string `json:"protocol"` - Ssl bool `json:"ssl"` + // The port on which the listener will accept connections. + Port int `json:"port"` + // Specifies the IPv4 address to listen on. + IPv4 string `json:"ipv4"` + // ipv6 addresse that NGINX will listen on. + IPv6 string `json:"ipv6"` + // Whether the listener will be listening for SSL connections + Ssl bool `json:"ssl"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -423,6 +576,7 @@ type Listener struct { type GlobalConfigurationList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` + // Items field of the GlobalConfigurationList resource Items []GlobalConfiguration `json:"items"` } 
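Review bot: The new Listener comments are inconsistent with each other and one has a typo: IPv4 reads "Specifies the IPv4 address to listen on." while IPv6 reads "ipv6 addresse that NGINX will listen on.", and the Ssl comment has no terminating period. Suggest `// The IPv6 address to listen on.` and `// Whether the listener accepts SSL/TLS connections.` so the pair reads symmetrically. The GlobalConfigurationSpec.Listeners and GlobalConfigurationList.Items comments ("Listeners field of the GlobalConfigurationSpec resource", "Items field of the ...") only restate the field name; something like `// The listeners exposed by the Ingress Controller. Each listener name must be unique.` is grounded in the Listener.Name comment below it. Moving Protocol above Port in the struct is unrelated churn for a documentation commit; it does not affect JSON or the generated CRD, but it is worth a mention in the commit message if intentional.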
@@ -441,23 +595,33 @@ type GlobalConfigurationList struct { type TransportServer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec TransportServerSpec `json:"spec"` + Spec TransportServerSpec `json:"spec"` + // The status of the TransportServer resource Status TransportServerStatus `json:"status"` } // TransportServerSpec is the spec of the TransportServer resource. type TransportServerSpec struct { - IngressClass string `json:"ingressClassName"` - TLS *TransportServerTLS `json:"tls"` - Listener TransportServerListener `json:"listener"` - ServerSnippets string `json:"serverSnippets"` - StreamSnippets string `json:"streamSnippets"` - Host string `json:"host"` - Upstreams []TransportServerUpstream `json:"upstreams"` - UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` - SessionParameters *SessionParameters `json:"sessionParameters"` - Action *TransportServerAction `json:"action"` + // Specifies which Ingress Controller must handle the VirtualServer resource. + IngressClass string `json:"ingressClassName"` + // The TLS termination configuration. + TLS *TransportServerTLS `json:"tls"` + // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource + Listener TransportServerListener `json:"listener"` + // Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. + ServerSnippets string `json:"serverSnippets"` + // Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. + StreamSnippets string `json:"streamSnippets"` + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. 
+ Host string `json:"host"` + // A list of upstreams. + Upstreams []TransportServerUpstream `json:"upstreams"` + // UpstreamParameters defines parameters for an upstream. + UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` + // The parameters of the session to be used for the Server context + SessionParameters *SessionParameters `json:"sessionParameters"` + // The action to perform for a request. + Action *TransportServerAction `json:"action"` } // TransportServerTLS defines TransportServerTLS configuration for a TransportServer. 
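Review bot: Three of the new TransportServerSpec comments describe VirtualServer rather than TransportServer: IngressClass says "must handle the VirtualServer resource", Listener says "Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https", and Host says the value must be unique "among all Ingress and VirtualServer resources". TransportServerListener, in the following hunk, has only name and protocol fields, so the listener.http/listener.https wording points users at fields that do not exist on this type. Suggest `// Specifies which Ingress Controller must handle the TransportServer resource.` and `// The listener, defined in a GlobalConfiguration resource, that this TransportServer uses; referenced by name and protocol.`, and rewording the Host uniqueness sentence to whatever set of resources actually applies (hedged: I cannot tell from this hunk whether it is TransportServers only). The UpstreamParameters comment ("UpstreamParameters defines parameters for an upstream.") repeats the type's own doc comment verbatim rather than describing the field.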
@@ -467,67 +631,99 @@ type TransportServerTLS struct { // TransportServerListener defines a listener for a TransportServer. type TransportServerListener struct { - Name string `json:"name"` + // The name of a listener defined in a GlobalConfiguration resource. + Name string `json:"name"` + // The protocol of the listener. Protocol string `json:"protocol"` } // TransportServerUpstream defines an upstream. type TransportServerUpstream struct { - Name string `json:"name"` - Service string `json:"service"` - Port int `json:"port"` - FailTimeout string `json:"failTimeout"` - MaxFails *int `json:"maxFails"` - MaxConns *int `json:"maxConns"` - HealthCheck *TransportServerHealthCheck `json:"healthCheck"` - LoadBalancingMethod string `json:"loadBalancingMethod"` - Backup string `json:"backup"` - BackupPort *uint16 `json:"backupPort"` + // The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. + Name string `json:"name"` + // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. + Service string `json:"service"` + // The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. The port must fall into the range 1..65535. + Port int `json:"port"` + // Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default is 1. + FailTimeout string `json:"failTimeout"` + // Sets the number of maximum connections to the proxied server. Default value is zero, meaning there is no limit. The default is 0. 
+ MaxFails *int `json:"maxFails"` + // Sets the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable and the period of time the server will be considered unavailable. The default is 10s. + MaxConns *int `json:"maxConns"` + // The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. + HealthCheck *TransportServerHealthCheck `json:"healthCheck"` + // The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. + LoadBalancingMethod string `json:"loadBalancingMethod"` + // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. + Backup string `json:"backup"` + // The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. + BackupPort *uint16 `json:"backupPort"` } // TransportServerHealthCheck defines the parameters for active Upstream HealthChecks. type TransportServerHealthCheck struct { - Enabled bool `json:"enable"` - Timeout string `json:"timeout"` - Jitter string `json:"jitter"` - Port int `json:"port"` - Interval string `json:"interval"` - Passes int `json:"passes"` - Fails int `json:"fails"` - Match *TransportServerMatch `json:"match"` + // Enables a health check for an upstream server. The default is false. + Enabled bool `json:"enable"` + // This overrides the timeout set by proxy_timeout which is set in SessionParameters for health checks. The default value is 5s. + Timeout string `json:"timeout"` + // The time within which each health check will be randomly delayed. By default, there is no delay. + Jitter string `json:"jitter"` + // The port used for health check requests. 
By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. + Port int `json:"port"` + // The interval between two consecutive health checks. The default is 5s. + Interval string `json:"interval"` + // The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. + Passes int `json:"passes"` + // The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. + Fails int `json:"fails"` + // Controls the data to send and the response to expect for the healthcheck. + Match *TransportServerMatch `json:"match"` } // TransportServerMatch defines the parameters of a custom health check. type TransportServerMatch struct { - Send string `json:"send"` + // A string to send to an upstream server. + Send string `json:"send"` + // A literal string or a regular expression that the data obtained from the server should match. The regular expression is specified with the preceding ~* modifier (for case-insensitive matching), or the ~ modifier (for case-sensitive matching). NGINX Ingress Controller validates a regular expression using the RE2 syntax. Expect string `json:"expect"` } // UpstreamParameters defines parameters for an upstream. type UpstreamParameters struct { - UDPRequests *int `json:"udpRequests"` + // The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. + UDPRequests *int `json:"udpRequests"` + // The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. UDPResponses *int `json:"udpResponses"` - - ConnectTimeout string `json:"connectTimeout"` - NextUpstream bool `json:"nextUpstream"` + // The timeout for establishing a connection with a proxied server. 
The default is 60s. + ConnectTimeout string `json:"connectTimeout"` + // If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. + NextUpstream bool `json:"nextUpstream"` + // The time allowed to pass a connection to the next server. The default is 0. NextUpstreamTimeout string `json:"nextUpstreamTimeout"` - NextUpstreamTries int `json:"nextUpstreamTries"` + // The number of tries for passing a connection to the next server. The default is 0. + NextUpstreamTries int `json:"nextUpstreamTries"` } // SessionParameters defines session parameters. type SessionParameters struct { + // The timeout between two successive read or write operations on client or proxied server connections. The default is 10m. Timeout string `json:"timeout"` } // TransportServerAction defines an action. type TransportServerAction struct { + // Passes connections/datagrams to an upstream. The upstream with that name must be defined in the resource. Pass string `json:"pass"` } // TransportServerStatus defines the status for the TransportServer resource. type TransportServerStatus struct { - State string `json:"state"` - Reason string `json:"reason"` + // Represents the current state of the resource. Possible values: Valid (resource validated and accepted), Invalid (validation failed or config reload failed), or Warning (validated but may work in degraded state). + State string `json:"state"` + // The reason of the current state of the resource. + Reason string `json:"reason"` + // The message of the current state of the resource. It can contain more detailed information about the reason. Message string `json:"message"` } @@ -537,8 +733,7 @@ type TransportServerStatus struct { type TransportServerList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` - - Items []TransportServer `json:"items"` + Items []TransportServer `json:"items"` } // +genclient 
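Review bot: In TransportServerUpstream the three new comments for FailTimeout, MaxFails and MaxConns are rotated onto the wrong fields: FailTimeout carries the maxFails text ("number of unsuccessful attempts ... The default is 1."), MaxFails carries the maxConns text ("number of maximum connections ... Default value is zero"), and MaxConns carries the failTimeout text ("the time during which ... The default is 10s."). Each comment should move to the field whose name it describes, and the MaxConns text should drop one of its two duplicate default sentences. ErrorPage in the first hunk of this file (its start is outside this chunk) has the same swap: Return is annotated "The redirect action for the given status codes." and Redirect "The canned response action for the given status codes." Since these comments become the CRD descriptions users see, mislabelled timeouts and retry counts are the kind of doc error that leads operators to set a failover parameter to the wrong value.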
@@ -554,15 +749,18 @@ type TransportServerList struct {
 type Policy struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
-
- Spec PolicySpec `json:"spec"`
+ Spec PolicySpec `json:"spec"`
+ // the status of the Policy resource
 Status PolicyStatus `json:"status"`
 }
 // PolicyStatus is the status of the policy resource
 type PolicyStatus struct {
- State string `json:"state"`
- Reason string `json:"reason"`
+ // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or
+ State string `json:"state"`
+ // The reason of the current state of the resource.
+ Reason string `json:"reason"`
+ // The message of the current state of the resource. It can contain more detailed information about the reason.
 Message string `json:"message"`
 }
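Review bot: The doc comment on `State` in `PolicyStatus` stops mid-sentence at "Invalid means the resource failed validation or", and since these comments are copied into the CRD `description` fields the truncated text would be published as-is (assuming the cut is in the source and not only in this rendering). Finishing it with the wording already used for `TransportServerStatus.State` earlier in this diff keeps the two status types consistent: `// Represents the current state of the resource. Possible values: Valid (resource validated and accepted), Invalid (validation failed or config reload failed), or Warning (validated but may work in degraded state).` The new `// the status of the Policy resource` comment on `Status` is the only lowercase, period-less comment in the hunk; `// The status of the Policy resource.` matches its neighbours.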
@@ -570,16 +768,26 @@ type PolicyStatus struct {
 // The spec includes multiple fields, where each field represents a different policy.
 // Only one policy (field) is allowed.
 type PolicySpec struct {
- IngressClass string `json:"ingressClassName"`
+ // Specifies which instance of NGINX Ingress Controller must handle the Policy resource.
+ IngressClass string `json:"ingressClassName"`
+ // The access control policy based on the client IP address.
 AccessControl *AccessControl `json:"accessControl"`
- RateLimit *RateLimit `json:"rateLimit"`
- JWTAuth *JWTAuth `json:"jwt"`
- BasicAuth *BasicAuth `json:"basicAuth"`
- IngressMTLS *IngressMTLS `json:"ingressMTLS"`
- EgressMTLS *EgressMTLS `json:"egressMTLS"`
- OIDC *OIDC `json:"oidc"`
- WAF *WAF `json:"waf"`
- APIKey *APIKey `json:"apiKey"`
+ // The rate limit policy controls the rate of processing requests per a defined key.
+ RateLimit *RateLimit `json:"rateLimit"`
+ // The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens.
+ JWTAuth *JWTAuth `json:"jwt"`
+ // The basic auth policy configures NGINX to authenticate client requests using HTTP Basic authentication credentials.
+ BasicAuth *BasicAuth `json:"basicAuth"`
+ // The IngressMTLS policy configures client certificate verification.
+ IngressMTLS *IngressMTLS `json:"ingressMTLS"`
+ // The EgressMTLS policy configures upstreams authentication and certificate verification.
+ EgressMTLS *EgressMTLS `json:"egressMTLS"`
+ // The OpenID Connect policy configures NGINX to authenticate client requests by validating a JWT token against an OAuth2/OIDC token provider, such as Auth0 or Keycloak.
+ OIDC *OIDC `json:"oidc"`
+ // The WAF policy configures WAF and log configuration policies for NGINX AppProtect
+ WAF *WAF `json:"waf"`
+ // The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param.
+ APIKey *APIKey `json:"apiKey"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -589,6 +797,7 @@ type PolicyList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata"`
+ // Items field of the PolicyList resource
 Items []Policy `json:"items"`
 }
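Review bot: The field comment on `WAF` in `PolicySpec` (`// The WAF policy configures WAF and log configuration policies for NGINX AppProtect`) is the only one in the hunk without a trailing period, and it describes the policy differently from the `WAF` type comment added later in this diff ("configures NGINX Plus to secure client requests using App Protect WAF policies"). Both comments end up as CRD descriptions for the same object, so they should agree; reusing the type's wording here, `// The WAF policy configures NGINX Plus to secure client requests using App Protect WAF policies.`, avoids two diverging descriptions and the "AppProtect" spelling.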
@@ -600,16 +809,29 @@ type AccessControl struct {
 // RateLimit defines a rate limit policy.
 type RateLimit struct {
- Rate string `json:"rate"`
- Key string `json:"key"`
- Delay *int `json:"delay"`
- NoDelay *bool `json:"noDelay"`
- Burst *int `json:"burst"`
- ZoneSize string `json:"zoneSize"`
- DryRun *bool `json:"dryRun"`
- LogLevel string `json:"logLevel"`
- RejectCode *int `json:"rejectCode"`
- Scale bool `json:"scale"`
+ // The rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m).
+ Rate string `json:"rate"`
+ // The key to which the rate limit is applied. Can contain text, variables, or a combination of them.
+ // Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are
+ // $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ .
+ Key string `json:"key"`
+ // The delay parameter specifies a limit at which excessive requests become delayed. If not set all excessive requests are delayed.
+ Delay *int `json:"delay"`
+ // Disables the delaying of excessive requests while requests are being limited. Overrides delay if both are set.
+ NoDelay *bool `json:"noDelay"`
+ // Excessive requests are delayed until their number exceeds the burst size, in which case the request is terminated with an error.
+ Burst *int `json:"burst"`
+ // Size of the shared memory zone. Only positive values are allowed. Allowed suffixes are k or m, if none are present k is assumed.
+ ZoneSize string `json:"zoneSize"`
+ // Enables the dry run mode. In this mode, the rate limit is not actually applied, but the number of excessive requests is accounted as usual in the shared memory zone.
+ DryRun *bool `json:"dryRun"`
+ // Sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. Default is error.
+ LogLevel string `json:"logLevel"`
+ // Sets the status code to return in response to rejected requests. Must fall into the range 400..599. Default is 503.
+ RejectCode *int `json:"rejectCode"`
+ // Enables a constant rate-limit by dividing the configured rate by the number of nginx-ingress pods currently serving traffic. This adjustment ensures that the rate-limit remains consistent, even as the number of nginx-pods fluctuates due to autoscaling. This will not work properly if requests from a client are not evenly distributed across all ingress pods (Such as with sticky sessions, long lived TCP Connections with many requests, and so forth). In such cases using zone-sync instead would give better results. Enabling zone-sync will suppress this setting.
+ Scale bool `json:"scale"`
+ // Add a condition to a rate-limit policy.
 // +kubebuilder:validation:Optional
 Condition *RateLimitCondition `json:"condition"`
 }
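Review bot: The `Key` comment in `RateLimit` is self-contradictory about notation: it says variables must be wrapped as `${}` with the example `${binary_remote_addr}`, then lists the accepted variables with a bare `$` prefix, and the list ends with the malformed `$cookie_,$jwt_claim_ .`. Because the key decides which requests share a limit bucket, an ambiguous description here translates directly into limits that silently apply to the wrong scope, so the third comment line should say explicitly that it lists bare variable names and that each must be written as `${name}` in the key, with the spacing fixed: `// $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_, $jwt_claim_ (each written as ${name}).` The `Delay` comment ("If not set all excessive requests are delayed") reads as if the field were a boolean; stating what value applies when it is unset would be clearer, but that default is in the validation code outside this hunk and should be confirmed there.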
@@ -652,10 +874,15 @@ type VariableCondition struct {
 // JWTAuth holds JWT authentication configuration.
 type JWTAuth struct {
- Realm string `json:"realm"`
- Secret string `json:"secret"`
- Token string `json:"token"`
- JwksURI string `json:"jwksURI"`
+ // The realm of the JWT.
+ Realm string `json:"realm"`
+ // The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid.
+ Secret string `json:"secret"`
+ // The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_.
+ Token string `json:"token"`
+ // The remote URI where the request will be sent to retrieve JSON Web Key set
+ JwksURI string `json:"jwksURI"`
+ // Enables in-memory caching of JWKS (JSON Web Key Sets) that are obtained from the jwksURI and sets a valid time for expiration.
 KeyCache string `json:"keyCache"`
 // Enables SNI (Server Name Indication) for the JWT policy. This is useful when the remote server requires SNI to serve the correct certificate.
 SNIEnabled bool `json:"sniEnabled"`
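Review bot: The new `Secret` comment in `JWTAuth` is a verbatim copy of the `BasicAuth.Secret` description (Htpasswd configuration, type `nginx.org/htpasswd`, key `htpasswd`), which does not describe the secret a JWT policy consumes. Since this text becomes the CRD description, it would steer users to create a secret of the wrong type for the JWT policy; it should describe the JWK secret the controller validates instead (the `nginx.org/jwk` secret type with the key set stored under `jwk`, if I recall the secret validation correctly — confirm against that code, which is not in this diff). The `JwksURI` comment also lacks a trailing period, and the `JWTAuth` struct continues past the end of the hunk.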
@@ -665,73 +892,114 @@ type JWTAuth struct {
 // BasicAuth holds HTTP Basic authentication configuration
 type BasicAuth struct {
- Realm string `json:"realm"`
+ // The realm for the basic authentication.
+ Realm string `json:"realm"`
+ // The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid.
 Secret string `json:"secret"`
 }
-// IngressMTLS defines an Ingress MTLS policy.
+// The IngressMTLS policy configures client certificate verification.
 type IngressMTLS struct {
+ // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid.
 ClientCertSecret string `json:"clientCertSecret"`
- CrlFileName string `json:"crlFileName"`
- VerifyClient string `json:"verifyClient"`
- VerifyDepth *int `json:"verifyDepth"`
+ // The file name of the Certificate Revocation List. NGINX Ingress Controller will look for this file in /etc/nginx/secrets
+ CrlFileName string `json:"crlFileName"`
+ // Verification for the client. Possible values are "on", "off", "optional", "optional_no_ca". The default is "on".
+ VerifyClient string `json:"verifyClient"`
+ // Sets the verification depth in the client certificates chain. The default is 1.
+ VerifyDepth *int `json:"verifyDepth"`
 }
-// EgressMTLS defines an Egress MTLS policy.
+// The EgressMTLS policy configures upstreams authentication and certificate verification.
 type EgressMTLS struct {
- TLSSecret string `json:"tlsSecret"`
- VerifyServer bool `json:"verifyServer"`
- VerifyDepth *int `json:"verifyDepth"`
- Protocols string `json:"protocols"`
- SessionReuse *bool `json:"sessionReuse"`
- Ciphers string `json:"ciphers"`
+ // The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The secret must be of the type kubernetes.io/tls, the certificate must be stored in the secret under the key tls.crt, and the key must be stored under the key tls.key, otherwise the secret will be rejected as invalid.
+ TLSSecret string `json:"tlsSecret"`
+ // Enables verification of the upstream HTTPS server certificate.
+ VerifyServer bool `json:"verifyServer"`
+ // Sets the verification depth in the proxied HTTPS server certificates chain. The default is 1.
+ VerifyDepth *int `json:"verifyDepth"`
+ // Specifies the protocols for requests to an upstream HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2.
+ Protocols string `json:"protocols"`
+ // Enables reuse of SSL sessions to the upstreams. The default is true.
+ SessionReuse *bool `json:"sessionReuse"`
+ // Specifies the enabled ciphers for requests to an upstream HTTPS server. The default is DEFAULT.
+ Ciphers string `json:"ciphers"`
+ // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid.
 TrustedCertSecret string `json:"trustedCertSecret"`
- ServerName bool `json:"serverName"`
- SSLName string `json:"sslName"`
+ // Enables passing of the server name through Server Name Indication extension.
+ ServerName bool `json:"serverName"`
+ // Allows overriding the server name used to verify the certificate of the upstream HTTPS server.
+ SSLName string `json:"sslName"`
 }
-// OIDC defines an Open ID Connect policy.
+// The OIDC policy configures NGINX Plus as a relying party for OpenID Connect authentication.
 type OIDC struct {
- AuthEndpoint string `json:"authEndpoint"`
- TokenEndpoint string `json:"tokenEndpoint"`
- JWKSURI string `json:"jwksURI"`
- ClientID string `json:"clientID"`
- ClientSecret string `json:"clientSecret"`
- Scope string `json:"scope"`
- RedirectURI string `json:"redirectURI"`
- EndSessionEndpoint string `json:"endSessionEndpoint"`
- PostLogoutRedirectURI string `json:"postLogoutRedirectURI"`
- ZoneSyncLeeway *int `json:"zoneSyncLeeway"`
- AuthExtraArgs []string `json:"authExtraArgs"`
- AccessTokenEnable bool `json:"accessTokenEnable"`
- PKCEEnable bool `json:"pkceEnable"`
-}
-
-// WAF defines an WAF policy.
+ // URL for the authorization endpoint provided by your OpenID Connect provider.
+ AuthEndpoint string `json:"authEndpoint"`
+ // URL for the token endpoint provided by your OpenID Connect provider.
+ TokenEndpoint string `json:"tokenEndpoint"`
+ // URL for the JSON Web Key Set (JWK) document provided by your OpenID Connect provider.
+ JWKSURI string `json:"jwksURI"`
+ // The client ID provided by your OpenID Connect provider.
+ ClientID string `json:"clientID"`
+ // The name of the Kubernetes secret that stores the client secret provided by your OpenID Connect provider. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/oidc, and the secret under the key client-secret, otherwise the secret will be rejected as invalid. If PKCE is enabled, this should be not configured.
+ ClientSecret string `json:"clientSecret"`
+ // List of OpenID Connect scopes. The scope openid always needs to be present and others can be added concatenating them with a + sign, for example openid+profile+email, openid+email+userDefinedScope. The default is openid.
+ Scope string `json:"scope"`
+ // Allows overriding the default redirect URI.
The default is /_codexch.
+ RedirectURI string `json:"redirectURI"`
+ // URL provided by your OpenID Connect provider to request the end user be logged out.
+ EndSessionEndpoint string `json:"endSessionEndpoint"`
+ // URI to redirect to after the logout has been performed. Requires endSessionEndpoint. The default is /_logout.
+ PostLogoutRedirectURI string `json:"postLogoutRedirectURI"`
+ // Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is 200.
+ ZoneSyncLeeway *int `json:"zoneSyncLeeway"`
+ // A list of extra URL arguments to pass to the authorization endpoint provided by your OpenID Connect provider. Arguments must be URL encoded, multiple arguments may be included in the list, for example [ arg1=value1, arg2=value2 ]
+ AuthExtraArgs []string `json:"authExtraArgs"`
+ // Option of whether Bearer token is used to authorize NGINX to access protected backend.
+ AccessTokenEnable bool `json:"accessTokenEnable"`
+ // Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. clientSecret is not used in this mode.
+ PKCEEnable bool `json:"pkceEnable"`
+}
+
+// The WAF policy configures NGINX Plus to secure client requests using App Protect WAF policies.
 type WAF struct {
- Enable bool `json:"enable"`
- ApPolicy string `json:"apPolicy"`
- ApBundle string `json:"apBundle"`
- SecurityLog *SecurityLog `json:"securityLog"`
+ // Enables NGINX App Protect WAF.
+ Enable bool `json:"enable"`
+ // The App Protect WAF policy of the WAF. Accepts an optional namespace. Mutually exclusive with apBundle.
+ ApPolicy string `json:"apPolicy"`
+ // The App Protect WAF policy bundle. Mutually exclusive with apPolicy.
+ ApBundle string `json:"apBundle"`
+ //
+ SecurityLog *SecurityLog `json:"securityLog"`
+ //
 SecurityLogs []*SecurityLog `json:"securityLogs"`
 }
 // SecurityLog defines the security log of a WAF policy.
 type SecurityLog struct {
- Enable bool `json:"enable"`
- ApLogConf string `json:"apLogConf"`
+ // Enables security log.
+ Enable bool `json:"enable"`
+ // The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy.
+ ApLogConf string `json:"apLogConf"`
+ // The App Protect WAF log bundle resource. Only works with apBundle.
 ApLogBundle string `json:"apLogBundle"`
- LogDest string `json:"logDest"`
+ // The log destination for the security log. Only accepted variables are syslog:server=; localhost; fqdn>:, stderr, .
+ LogDest string `json:"logDest"`
 }
-// APIKey defines an API Key policy.
+// The APIKey policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param.
 type APIKey struct {
- SuppliedIn *SuppliedIn `json:"suppliedIn"`
- ClientSecret string `json:"clientSecret"`
+ // The location of the API Key. For example, $http_auth, $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, $cookie_.
+ SuppliedIn *SuppliedIn `json:"suppliedIn"`
+ // The key to which the API key is applied. Can contain text, variables, or a combination of them. Accepted variables are $http_, $arg_, $cookie_.
+ ClientSecret string `json:"clientSecret"`
 }
 // SuppliedIn defines the locations API Key should be supplied in.
 type SuppliedIn struct {
+ // The location of the API Key as a request header. For example, $http_auth. Accepted variables are $http_.
 Header []string `json:"header"`
- Query []string `json:"query"`
+ // The location of the API Key as a query param. For example, $arg_apikey. Accepted variables are $arg_.
+ Query []string `json:"query"`
 }
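Review bot: The `LogDest` comment in `SecurityLog` is garbled: `Only accepted variables are syslog:server=; localhost; fqdn>:, stderr, .` has lost the angle-bracket placeholders it was copied with (a dangling `>` remains), so the CRD description would list unreadable fragments. Restore the placeholders from the documentation it came from (the address and port after `syslog:server=`, `stderr`, and an absolute file path) rather than shipping the fragment. `WAF.SecurityLog` and `SecurityLogs` receive empty `//` comments, which would emit empty descriptions; either describe the two fields and how they relate, or drop the blank comment lines. Separately, the type comments on `IngressMTLS`, `EgressMTLS`, `OIDC`, `WAF` and `APIKey` now open with "The … policy" instead of the type name, which the Go doc-comment convention (and linters such as revive) expects; `// IngressMTLS configures client certificate verification.` keeps both the convention and the CRD text. The `Protocols` comment publishes `TLSv1 TLSv1.1 TLSv1.2` as the default, a security-relevant claim that is worth confirming against what the controller actually renders before it is baked into the CRD.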