# This file is generated from the individual yaml files by examples/render.sh. # Do not edit this file directly but instead edit the source files and # re-render. --- apiVersion: v1 kind: Namespace metadata: name: projectcontour --- apiVersion: v1 kind: ServiceAccount metadata: name: contour namespace: projectcontour --- apiVersion: v1 kind: ConfigMap metadata: name: contour namespace: projectcontour data: contour.yaml: | # should contour expect to be running inside a k8s cluster # incluster: true # # path to kubeconfig (if not running inside a k8s cluster) # kubeconfig: /path/to/.kube/config # # Client request timeout to be passed to Envoy # as the connection manager request_timeout. # Defaults to 0, which Envoy interprets as disabled. # Note that this is the timeout for the whole request, # not an idle timeout. # request-timeout: 0s # disable ingressroute permitInsecure field disablePermitInsecure: false tls: # minimum TLS version that Contour will negotiate # minimum-protocol-version: "1.1" # The following config shows the defaults for the leader election. # leaderelection: # configmap-name: contour # configmap-namespace: leader-elect ### Logging options # Default setting accesslog-format: envoy # To enable JSON logging in Envoy # accesslog-format: json # The default fields that will be logged are specified below. # To customise this list, just add or remove entries. 
# The canonical list is available at # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields # json-fields: # - "@timestamp" # - "authority" # - "bytes_received" # - "bytes_sent" # - "downstream_local_address" # - "downstream_remote_address" # - "duration" # - "method" # - "path" # - "protocol" # - "request_id" # - "requested_server_name" # - "response_code" # - "response_flags" # - "uber_trace_id" # - "upstream_cluster" # - "upstream_host" # - "upstream_local_address" # - "upstream_service_time" # - "user_agent" # - "x_forwarded_for" --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null name: ingressroutes.contour.heptio.com spec: additionalPrinterColumns: - JSONPath: .spec.virtualhost.fqdn description: Fully qualified domain name name: FQDN type: string - JSONPath: .spec.virtualhost.tls.secretName description: Secret with TLS credentials name: TLS Secret type: string - JSONPath: .spec.routes[0].match description: First routes defined name: First route type: string - JSONPath: .status.currentStatus description: The current status of the HTTPProxy name: Status type: string - JSONPath: .status.description description: Description of the current status name: Status Description type: string group: contour.heptio.com names: kind: IngressRoute listKind: IngressRouteList plural: ingressroutes singular: ingressroute scope: Namespaced subresources: {} validation: openAPIV3Schema: description: IngressRoute is an Ingress CRD specificiation properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: IngressRouteSpec defines the spec of the CRD properties: routes: description: Routes are the ingress routes. If TCPProxy is present, Routes is ignored. items: description: Route contains the set of routes for a virtual host properties: delegate: description: Delegate specifies that this route should be delegated to another IngressRoute properties: name: description: Name of the IngressRoute type: string namespace: description: Namespace of the IngressRoute. Defaults to the current namespace if not supplied. type: string required: - name type: object enableWebsockets: description: Enables websocket support for the route type: boolean match: description: Match defines the prefix match type: string permitInsecure: description: Allow this path to respond to insecure requests over HTTP which are normally not permitted when a `virtualhost.tls` block is present. type: boolean prefixRewrite: description: Indicates that during forwarding, the matched prefix (or path) should be swapped with this value type: string retryPolicy: description: The retry policy for this route properties: count: description: NumRetries is maximum allowed number of retries. If not supplied, the number of retries is one. format: int32 type: integer perTryTimeout: description: PerTryTimeout specifies the timeout per retry attempt. Ignored if NumRetries is not supplied. 
type: string type: object services: description: Services are the services to proxy traffic items: description: Service defines an upstream to proxy traffic to properties: healthCheck: description: HealthCheck defines optional healthchecks on the upstream service properties: healthyThresholdCount: description: The number of healthy health checks required before a host is marked healthy format: int32 type: integer host: description: The value of the host header in the HTTP health check request. If left empty (default value), the name "contour-envoy-healthcheck" will be used. type: string intervalSeconds: description: The interval (seconds) between health checks format: int64 type: integer path: description: HTTP endpoint used to perform health checks on upstream service type: string timeoutSeconds: description: The time to wait (seconds) for a health check response format: int64 type: integer unhealthyThresholdCount: description: The number of unhealthy health checks required before a host is marked unhealthy format: int32 type: integer required: - path type: object name: description: Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route. 
type: string port: description: Port (defined as Integer) to proxy traffic to since a service can have multiple defined type: integer strategy: description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) type: string validation: description: UpstreamValidation defines how to verify the backend service's certificate properties: caSecret: description: Name of the Kubernetes secret be used to validate the certificate presented by the backend type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate type: string required: - caSecret - subjectName type: object weight: description: Weight defines percentage of traffic to balance traffic format: int32 type: integer required: - name - port type: object type: array timeoutPolicy: description: The timeout policy for this route properties: request: description: Timeout for receiving a response from the server after processing a request from client. If not supplied the timeout duration is undefined. type: string type: object required: - match type: object type: array tcpproxy: description: TCPProxy holds TCP proxy information. properties: delegate: description: Delegate specifies that this tcpproxy should be delegated to another IngressRoute properties: name: description: Name of the IngressRoute type: string namespace: description: Namespace of the IngressRoute. Defaults to the current namespace if not supplied. 
type: string required: - name type: object services: description: Services are the services to proxy traffic items: description: Service defines an upstream to proxy traffic to properties: healthCheck: description: HealthCheck defines optional healthchecks on the upstream service properties: healthyThresholdCount: description: The number of healthy health checks required before a host is marked healthy format: int32 type: integer host: description: The value of the host header in the HTTP health check request. If left empty (default value), the name "contour-envoy-healthcheck" will be used. type: string intervalSeconds: description: The interval (seconds) between health checks format: int64 type: integer path: description: HTTP endpoint used to perform health checks on upstream service type: string timeoutSeconds: description: The time to wait (seconds) for a health check response format: int64 type: integer unhealthyThresholdCount: description: The number of unhealthy health checks required before a host is marked unhealthy format: int32 type: integer required: - path type: object name: description: Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route. 
type: string port: description: Port (defined as Integer) to proxy traffic to since a service can have multiple defined type: integer strategy: description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing) type: string validation: description: UpstreamValidation defines how to verify the backend service's certificate properties: caSecret: description: Name of the Kubernetes secret be used to validate the certificate presented by the backend type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate type: string required: - caSecret - subjectName type: object weight: description: Weight defines percentage of traffic to balance traffic format: int32 type: integer required: - name - port type: object type: array type: object virtualhost: description: Virtualhost appears at most once. If it is present, the object is considered to be a "root". properties: fqdn: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn type: string tls: description: If present describes tls properties. The CNI names that will be matched on are described in fqdn, the tls.secretName secret must contain a matching certificate properties: minimumProtocolVersion: description: Minimum TLS version this vhost should negotiate type: string passthrough: description: If Passthrough is set to true, the SecretName will be ignored and the encrypted handshake will be passed through to the backing cluster. type: boolean secretName: description: required, the name of a secret in the current namespace type: string type: object required: - fqdn type: object type: object status: description: Status reports the current state of the HTTPProxy. 
properties: currentStatus: type: string description: type: string required: - currentStatus - description type: object required: - metadata - spec type: object version: v1beta1 versions: - name: v1beta1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null name: tlscertificatedelegations.contour.heptio.com spec: group: contour.heptio.com names: kind: TLSCertificateDelegation listKind: TLSCertificateDelegationList plural: tlscertificatedelegations singular: tlscertificatedelegation scope: "" validation: openAPIV3Schema: description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. See design/tls-certificate-delegation.md for details. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: TLSCertificateDelegationSpec defines the spec of the CRD properties: delegations: items: description: CertificateDelegation maps the authority to reference a secret in the current namespace to a set of namespaces. properties: secretName: description: required, the name of a secret in the current namespace. type: string targetNamespaces: description: required, the namespaces the authority to reference the the secret will be delegated to. 
If TargetNamespaces is nil or empty, the CertificateDelegation is ignored. If the TargetNamespaces list contains "*", the secret may be referenced from every namespace in the cluster; prefer an explicit list of namespaces.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: HTTPProxySpec defines the spec of the CRD. properties: includes: description: Includes allow for specific routing configuration to be appended to another HTTPProxy in another namespace. items: description: Include describes a set of policies that can be applied to an HTTPProxy in a namespace. properties: conditions: description: Conditions are a set of routing properties that is applied to an HTTPProxy in a namespace. items: description: Condition are policies that are applied on top of HTTPProxies. One of Prefix or Header must be provided. properties: header: description: Header specifies the header condition to match. properties: contains: description: Contains is true if the Header containing this string is present in the request. type: string exact: description: Exact is true if the Header containing this string matches exactly in the request. type: string name: description: Name is the name of the header to match on. Name is required. Header names are case insensitive. type: string notcontains: description: NotContains is true if the Header containing this string is not present in the request. type: string notexact: description: NotExact is true if the Header containing this string doesn't match exactly in the request. type: string present: description: Present is true if the Header is present in the request. type: boolean required: - name type: object prefix: description: Prefix defines a prefix match for a request. type: string type: object type: array name: description: Name of the HTTPProxy type: string namespace: description: Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied. type: string required: - name type: object type: array routes: description: Routes are the ingress routes. If TCPProxy is present, Routes is ignored. 
items: description: Route contains the set of routes for a virtual host. properties: conditions: description: Conditions are a set of routing properties that is applied to an HTTPProxy in a namespace. items: description: Condition are policies that are applied on top of HTTPProxies. One of Prefix or Header must be provided. properties: header: description: Header specifies the header condition to match. properties: contains: description: Contains is true if the Header containing this string is present in the request. type: string exact: description: Exact is true if the Header containing this string matches exactly in the request. type: string name: description: Name is the name of the header to match on. Name is required. Header names are case insensitive. type: string notcontains: description: NotContains is true if the Header containing this string is not present in the request. type: string notexact: description: NotExact is true if the Header containing this string doesn't match exactly in the request. type: string present: description: Present is true if the Header is present in the request. type: boolean required: - name type: object prefix: description: Prefix defines a prefix match for a request. type: string type: object type: array enableWebsockets: description: Enables websocket support for the route. type: boolean healthCheckPolicy: description: The health check policy for this route. properties: healthyThresholdCount: description: The number of healthy health checks required before a host is marked healthy format: int32 type: integer host: description: The value of the host header in the HTTP health check request. If left empty (default value), the name "contour-envoy-healthcheck" will be used. 
type: string intervalSeconds: description: The interval (seconds) between health checks format: int64 type: integer path: description: HTTP endpoint used to perform health checks on upstream service type: string timeoutSeconds: description: The time to wait (seconds) for a health check response format: int64 type: integer unhealthyThresholdCount: description: The number of unhealthy health checks required before a host is marked unhealthy format: int32 type: integer required: - path type: object loadBalancerPolicy: description: The load balancing policy for this route. properties: strategy: type: string type: object permitInsecure: description: Allow this path to respond to insecure requests over HTTP which are normally not permitted when a `virtualhost.tls` block is present. type: boolean retryPolicy: description: The retry policy for this route. properties: count: description: NumRetries is maximum allowed number of retries. If not supplied, the number of retries is one. format: int32 type: integer perTryTimeout: description: PerTryTimeout specifies the timeout per retry attempt. Ignored if NumRetries is not supplied. type: string type: object services: description: Services are the services to proxy traffic. items: description: Service defines an Kubernetes Service to proxy traffic. properties: mirror: description: If Mirror is true the Service will receive a read only mirror of the traffic for this route. type: boolean name: description: Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic to since a service can have multiple defined. 
type: integer validation: description: UpstreamValidation defines how to verify the backend service's certificate properties: caSecret: description: Name of the Kubernetes secret be used to validate the certificate presented by the backend type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate type: string required: - caSecret - subjectName type: object weight: description: Weight defines percentage of traffic to balance traffic format: int32 type: integer required: - name - port type: object type: array timeoutPolicy: description: The timeout policy for this route. properties: idle: description: Timeout after which if there are no active requests, the connection between Envoy and the backend will be closed. type: string response: description: Timeout for receiving a response from the server after processing a request from client. If not supplied the timeout duration is undefined. type: string required: - idle - response type: object type: object type: array tcpproxy: description: TCPProxy holds TCP proxy information. properties: includes: description: Include specifies that this tcpproxy should be delegated to another HTTPProxy. properties: name: description: Name of the child HTTPProxy type: string namespace: description: Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied. type: string required: - name type: object loadBalancerPolicy: description: The load balancing policy for the backend services. properties: strategy: type: string type: object services: description: Services are the services to proxy traffic items: description: Service defines an Kubernetes Service to proxy traffic. properties: mirror: description: If Mirror is true the Service will receive a read only mirror of the traffic for this route. type: boolean name: description: Name is the name of Kubernetes service to proxy traffic. 
Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic to since a service can have multiple defined. type: integer validation: description: UpstreamValidation defines how to verify the backend service's certificate properties: caSecret: description: Name of the Kubernetes secret be used to validate the certificate presented by the backend type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate type: string required: - caSecret - subjectName type: object weight: description: Weight defines percentage of traffic to balance traffic format: int32 type: integer required: - name - port type: object type: array type: object virtualhost: description: Virtualhost appears at most once. If it is present, the object is considered to be a "root". properties: fqdn: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn type: string tls: description: If present describes tls properties. The CNI names that will be matched on are described in fqdn, the tls.secretName secret must contain a matching certificate properties: minimumProtocolVersion: description: Minimum TLS version this vhost should negotiate type: string passthrough: description: If Passthrough is set to true, the SecretName will be ignored and the encrypted handshake will be passed through to the backing cluster. type: boolean secretName: description: required, the name of a secret in the current namespace type: string type: object required: - fqdn type: object type: object status: description: Status reports the current state of the HTTPProxy. 
properties: currentStatus: type: string description: type: string required: - currentStatus - description type: object required: - metadata - spec type: object version: v1 versions: - name: v1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null name: tlscertificatedelegations.projectcontour.io spec: group: projectcontour.io names: kind: TLSCertificateDelegation listKind: TLSCertificateDelegationList plural: tlscertificatedelegations shortNames: - tlscerts singular: tlscertificatedelegation scope: Namespaced validation: openAPIV3Schema: description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation. See design/tls-certificate-delegation.md for details. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: TLSCertificateDelegationSpec defines the spec of the CRD properties: delegations: items: description: CertificateDelegation maps the authority to reference a secret in the current namespace to a set of namespaces. properties: secretName: description: required, the name of a secret in the current namespace. type: string targetNamespaces: description: required, the namespaces the authority to reference the the secret will be delegated to. 
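# (continuation of the tlscertificatedelegations.projectcontour.io CRD: the
#  description of spec.delegations[].targetNamespaces begins on the previous
#  line; "*" hands the secret to every namespace, so prefer an explicit list)
                      If TargetNamespaces is nil or empty, the CertificateDelegation
                      is ignored. If the TargetNamespaces list contains "*", the secret
                      may be referenced from every namespace in the cluster.
                    items:
                      type: string
                    type: array
                required:
                - secretName
                - targetNamespaces
                type: object
              type: array
          required:
          - delegations
          type: object
      required:
      - metadata
      - spec
      type: object
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# ServiceAccount used only by the one-shot certgen Job below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: contour-certgen
  namespace: projectcontour
---
# Binds the certgen ServiceAccount to the namespaced Role below.
# RBAC has been GA as rbac.authorization.k8s.io/v1 since Kubernetes 1.8;
# v1beta1 was removed in 1.22, so v1 is used here (the CRDs earlier in this
# file are still apiextensions.k8s.io/v1beta1 and need the same treatment).
# NOTE(review): the binding is named "contour" although it binds
# contour-certgen; the name is kept so an existing object is updated in place
# rather than duplicated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: contour
  namespace: projectcontour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-certgen
subjects:
- kind: ServiceAccount
  name: contour-certgen
  namespace: projectcontour
---
# Permissions for `contour certgen --kube`, which presumably writes the
# Secrets mounted by the Deployment/DaemonSet below (cacert, contourcert,
# envoycert) into this namespace.
# The original verb list also carried "put" and "post". Those are HTTP
# methods, not RBAC verbs (get/list/watch/create/update/patch/delete/
# deletecollection); the authorizer never matches them, so they granted
# nothing and are dropped. If certgen ever overwrites an existing Secret with
# an Update call, add "update" explicitly rather than "put".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: contour-certgen
  namespace: projectcontour
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - watch
  - create
  - get
  - patch
---
# One-shot Job generating the xDS TLS material. backoffLimit: 1 means a
# single failed Pod is retried once; the Job then stays failed and must be
# deleted/recreated by hand.
# NOTE(review): images are pinned by mutable tag, not by digest; pin by
# digest if the supply chain must be reproducible.
apiVersion: batch/v1
kind: Job
metadata:
  name: contour-certgen
  namespace: projectcontour
spec:
  template:
    metadata:
      labels:
        app: "contour-certgen"
    spec:
      containers:
      - name: contour
        image: docker.io/projectcontour/contour:v1.0.1
        imagePullPolicy: IfNotPresent
        command:
        - contour
        - certgen
        - --incluster
        - --kube
      restartPolicy: Never
      serviceAccountName: contour-certgen
  parallelism: 1
  completions: 1
  backoffLimit: 1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour
subjects:
- kind: ServiceAccount
  name: contour
  namespace: projectcontour
---
# Cluster-wide read access for the Contour controller.
# SECURITY: list/watch on secrets across all namespaces is the most
# sensitive grant in this file -- list returns full objects, so every Secret
# in the cluster (not only TLS ones) is readable by the contour
# ServiceAccount. Contour needs this because vhost TLS secrets live in
# application namespaces; treat the contour Pod and its SA token as
# cluster-secret-equivalent. configmaps/pods/nodes are not obviously required
# by the flags used in this manifest -- confirm against the controller before
# trimming them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: contour
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "networking.k8s.io"
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
# Contour writes .status back to its own CRDs (see the status schemas above).
# "put"/"post" from the original list are not RBAC verbs and granted nothing,
# so they are dropped; "patch" is kept. Add "update" only if the status
# writer is changed to use an Update call.
- apiGroups: ["contour.heptio.com"]
  resources: ["ingressroutes", "tlscertificatedelegations"]
  verbs:
  - get
  - list
  - watch
  - patch
- apiGroups: ["projectcontour.io"]
  resources: ["httpproxies", "tlscertificatedelegations"]
  verbs:
  - get
  - list
  - watch
  - patch
---
# Leader election lock (ConfigMap, see the ConfigMap's leaderelection
# defaults) plus event recording, scoped to this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: contour-leaderelection
  namespace: projectcontour
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: contour-leaderelection
  namespace: projectcontour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-leaderelection
subjects:
- kind: ServiceAccount
  name: contour
  namespace: projectcontour
---
# In-cluster xDS endpoint used by Envoy's bootstrap (--xds-address=contour).
# ClusterIP only; the management port is never exposed outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: contour
  namespace: projectcontour
spec:
  ports:
  - port: 8001
    name: xds
    protocol: TCP
    targetPort: 8001
  selector:
    app: contour
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: envoy
  namespace: projectcontour
  annotations:
    # This annotation puts the AWS ELB into "TCP" mode so that it does not
    # do HTTP negotiation for HTTPS connections at the ELB edge.
    # The downside of this is the remote IP address of all connections will
    # appear to be the internal address of the ELB. See docs/proxy-proto.md
    # for information about enabling the PROXY protocol on the ELB to recover
    # the original remote IP address.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
spec:
  # Local keeps the client source address visible to Envoy (no SNAT hop) and
  # only routes to nodes that actually run an Envoy Pod.
  externalTrafficPolicy: Local
  ports:
  - port: 80
    name: http
    protocol: TCP
  - port: 443
    name: https
    protocol: TCP
  selector:
    app: envoy
  type: LoadBalancer
---
# Contour control plane. xDS on 8001 is served with the TLS material from
# the certgen Secrets (--contour-cafile/--contour-cert-file/
# --contour-key-file), so Envoy<->Contour traffic is authenticated in both
# directions. Port 8000 carries /healthz and the Prometheus scrape target and
# is not exposed by any Service here.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: contour
  name: contour
  namespace: projectcontour
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # This value of maxSurge means that during a rolling update
      # the new ReplicaSet will be created first.
      maxSurge: 50%
  selector:
    matchLabels:
      app: contour
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8000"
      labels:
        app: contour
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: contour
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - args:
        - serve
        - --incluster
        # extensions/v1beta1 Ingress is deprecated; networking.k8s.io/v1
        # ingresses are also readable under the ClusterRole above.
        - --use-extensions-v1beta1-ingress
        - --xds-address=0.0.0.0
        - --xds-port=8001
        - --envoy-service-http-port=80
        - --envoy-service-https-port=443
        - --contour-cafile=/ca/cacert.pem
        - --contour-cert-file=/certs/tls.crt
        - --contour-key-file=/certs/tls.key
        - --config-path=/config/contour.yaml
        command: ["contour"]
        # NOTE(review): pinned by mutable tag; pin by digest for a
        # reproducible supply chain.
        image: docker.io/projectcontour/contour:v1.0.1
        imagePullPolicy: IfNotPresent
        name: contour
        ports:
        - containerPort: 8001
          name: xds
          protocol: TCP
        - containerPort: 8000
          name: debug
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8000
        readinessProbe:
          tcpSocket:
            port: 8001
          initialDelaySeconds: 15
          periodSeconds: 10
        volumeMounts:
        - name: contourcert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        - name: contour-config
          mountPath: /config
          readOnly: true
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
      dnsPolicy: ClusterFirst
      serviceAccountName: contour
      volumes:
      - name: contourcert
        secret:
          secretName: contourcert
      - name: cacert
        secret:
          secretName: cacert
      - name: contour-config
        configMap:
          name: contour
          # defaultMode is an integer field; the unquoted octal literal 0644
          # parses to 420, which is the intended mode. Do not quote it.
          defaultMode: 0644
          items:
          - key: contour.yaml
            path: contour.yaml
---
# Envoy data plane, one Pod per node. hostPort 80/443 binds the node's own
# ports in addition to the LoadBalancer Service above, so every node with an
# Envoy Pod is directly reachable on those ports.
# NOTE(review): no securityContext is set; whether the envoy image runs as
# root or needs CAP_NET_BIND_SERVICE for the <1024 container ports is not
# visible here -- confirm before adding runAsNonRoot.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: envoy
  name: envoy
  namespace: projectcontour
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 10%
  selector:
    matchLabels:
      app: envoy
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8002"
        prometheus.io/path: "/stats/prometheus"
      labels:
        app: envoy
    spec:
      containers:
      - args:
        - -c
        - /config/envoy.json
        - --service-cluster $(CONTOUR_NAMESPACE)
        - --service-node $(ENVOY_POD_NAME)
        - --log-level info
        command:
        - envoy
        image: docker.io/envoyproxy/envoy:v1.12.2
        imagePullPolicy: IfNotPresent
        name: envoy
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: ENVOY_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        ports:
        - containerPort: 80
          hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /ready
            port: 8002
          initialDelaySeconds: 3
          periodSeconds: 3
        volumeMounts:
        # Written by the init container, read by Envoy; left writable because
        # it is an emptyDir owned by this Pod.
        - name: envoy-config
          mountPath: /config
        # Secret mounts are read-only, matching the init container below.
        - name: envoycert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        lifecycle:
          preStop:
            exec:
              # Ask Envoy to fail its health check before it is killed so the
              # load balancer drains this node. The original form,
              # `bash -c -- echo -ne "POST ..." '>/dev/tcp/localhost/9001'`,
              # passed only "echo" as the -c command string; "-ne", the
              # request and the redirection became positional parameters
              # ($0, $1, $2), so the hook printed an empty line and never
              # contacted Envoy. The request and redirection must be part of
              # the single command string. 9001 is presumed to be the admin
              # listener configured by the bootstrap -- confirm.
              command:
              - bash
              - -c
              - 'echo -ne "POST /healthcheck/fail HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >/dev/tcp/localhost/9001'
      initContainers:
      # Renders /config/envoy.json pointing Envoy at the contour Service with
      # the client certificate from the envoycert Secret.
      - args:
        - bootstrap
        - /config/envoy.json
        - --xds-address=contour
        - --xds-port=8001
        - --envoy-cafile=/ca/cacert.pem
        - --envoy-cert-file=/certs/tls.crt
        - --envoy-key-file=/certs/tls.key
        command:
        - contour
        image: docker.io/projectcontour/contour:v1.0.1
        imagePullPolicy: IfNotPresent
        name: envoy-initconfig
        volumeMounts:
        - name: envoy-config
          mountPath: /config
        - name: envoycert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      # Envoy never talks to the API server; keep the SA token out of the Pod.
      automountServiceAccountToken: false
      volumes:
      - name: envoy-config
        emptyDir: {}
      - name: envoycert
        secret:
          secretName: envoycert
      - name: cacert
        secret:
          secretName: cacert
      restartPolicy: Always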