github.com/projectcontour/contour@v1.28.2/site/content/docs/1.24/configuration.md (about) 1 # Contour Configuration Reference 2 3 - [Serve Flags](#serve-flags) 4 - [Configuration File](#configuration-file) 5 - [Environment Variables](#environment-variables) 6 - [Bootstrap Config File](#bootstrap-config-file) 7 8 ## Overview 9 10 There are various ways to configure Contour, flags, the configuration file, as well as environment variables. 11 Contour has a precedence of configuration for contour serve, meaning anything configured in the config file is overridden by environment vars which are overridden by cli flags. 12 13 ## Serve Flags 14 15 The `contour serve` command is the main command which is used to watch for Kubernetes resource and process them into Envoy configuration which is then streamed to any Envoy via its xDS gRPC connection. 16 There are a number of flags that can be passed to this command which further configures how Contour operates. 17 Many of these flags are mirrored in the [Contour Configuration File](#configuration-file). 18 19 | Flag Name | Description | 20 | -------------------------------------------------------- | ---------------------------------------------------------------------- | 21 | `--config-path` | Path to base configuration | 22 | `--contour-config-name` | Name of the ContourConfiguration resource to use | 23 | `--incluster` | Use in cluster configuration | 24 | `--kubeconfig=</path/to/file>` | Path to kubeconfig (if not in running inside a cluster) | 25 | `--xds-address=<ipaddr>` | xDS gRPC API address | 26 | `--xds-port=<port>` | xDS gRPC API port | 27 | `--stats-address=<ipaddr>` | Envoy /stats interface address | 28 | `--stats-port=<port>` | Envoy /stats interface port | 29 | `--debug-http-address=<address>` | Address the debug http endpoint will bind to. | 30 | `--debug-http-port=<port>` | Port the debug http endpoint will bind to | 31 | `--http-address=<ipaddr>` | Address the metrics HTTP endpoint will bind to | 32 | `--http-port=<port>` | Port the metrics HTTP endpoint will bind to. | 33 | `--health-address=<ipaddr>` | Address the health HTTP endpoint will bind to | 34 | `--health-port=<port>` | Port the health HTTP endpoint will bind to | 35 | `--contour-cafile=</path/to/file\|CONTOUR_CERT_FILE>` | CA bundle file name for serving gRPC with TLS | 36 | `--contour-cert-file=</path/to/file\|CONTOUR_CERT_FILE>` | Contour certificate file name for serving gRPC over TLS | 37 | `--contour-key-file=</path/to/file\|CONTOUR_KEY_FILE>` | Contour key file name for serving gRPC over TLS | 38 | `--insecure` | Allow serving without TLS secured gRPC | 39 | `--root-namespaces=<ns,ns>` | Restrict contour to searching these namespaces for root ingress routes | 40 | `--ingress-class-name=<name>` | Contour IngressClass name (comma-separated list allowed) | 41 | `--ingress-status-address=<address>` | Address to set in Ingress object status | 42 | `--envoy-http-access-log=</path/to/file>` | Envoy HTTP access log | 43 | `--envoy-https-access-log=</path/to/file>` | Envoy HTTPS access log | 44 | `--envoy-service-http-address=<ipaddr>` | Kubernetes Service address for HTTP requests | 45 | `--envoy-service-https-address=<ipaddr>` | Kubernetes Service address for HTTPS requests | 46 | `--envoy-service-http-port=<port>` | Kubernetes Service port for HTTP requests | 47 | `--envoy-service-https-port=<port>` | Kubernetes Service port for HTTPS requests | 48 | `--envoy-service-name=<name>` | Name of the Envoy service to inspect for Ingress status details. | 49 | `--envoy-service-namespace=<namespace>` | Envoy Service Namespace | 50 | `--use-proxy-protocol` | Use PROXY protocol for all listeners | 51 | `--accesslog-format=<envoy\|json>` | Format for Envoy access logs | 52 | `--disable-leader-election` | Disable leader election mechanism | 53 | `--leader-election-lease-duration` | The duration of the leadership lease. | 54 | `--leader-election-renew-deadline` | The duration leader will retry refreshing leadership before giving up. | 55 | `--leader-election-retry-period` | The interval which Contour will attempt to acquire leadership lease. | 56 | `--leader-election-resource-name` | The name of the resource (Lease) leader election will lease. | 57 | `--leader-election-resource-namespace` | The namespace of the resource (Lease) leader election will lease. | 58 | `-d, --debug` | Enable debug logging | 59 | `--kubernetes-debug=<log level>` | Enable Kubernetes client debug logging | 60 | `--log-format=<text\|json>` | Log output format for Contour. Either text (default) or json. | 61 | `--kubernetes-client-qps=<qps>` | QPS allowed for the Kubernetes client. | 62 | `--kubernetes-client-burst=<burst>` | Burst allowed for the Kubernetes client. | 63 64 ## Configuration File 65 66 A configuration file can be passed to the `--config-path` argument of the `contour serve` command to specify additional configuration to Contour. 67 In most deployments, this file is passed to Contour via a ConfigMap which is mounted as a volume to the Contour pod. 68 69 The Contour configuration file is optional. 70 In its absence, Contour will operate with reasonable defaults. 71 Where Contour settings can also be specified with command-line flags, the command-line value takes precedence over the configuration file. 72 73 | Field Name | Type | Default | Description | 74 |---------------------------| ---------------------- |------------------------------------------------------------------------------------------------------| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 75 | accesslog-format | string | `envoy` | This key sets the global [access log format][2] for Envoy. Valid options are `envoy` or `json`. | 76 | accesslog-format-string | string | None | If present, this specifies custom access log format for Envoy. See [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage) for more information about the syntax. This field only has effect if `accesslog-format` is `envoy` | 77 | accesslog-level | string | `info` | This field specifies the verbosity level of the access log. Valid options are `info`, `error` and `disabled`. | 78 | debug | boolean | `false` | Enables debug logging. | 79 | default-http-versions | string array | <code style="white-space:nowrap">HTTP/1.1</code> <br> <code style="white-space:nowrap">HTTP/2</code> | This array specifies the HTTP versions that Contour should program Envoy to serve. HTTP versions are specified as strings of the form "HTTP/x", where "x" represents the version number. | 80 | disableAllowChunkedLength | boolean | `false` | If this field is true, Contour will disable the RFC-compliant Envoy behavior to strip the `Content-Length` header if `Transfer-Encoding: chunked` is also set. This is an emergency off-switch to revert back to Envoy's default behavior in case of failures. 81 | disableMergeSlashes | boolean | `false` | This field disables Envoy's non-standard merge_slashes path transformation behavior that strips duplicate slashes from request URL paths. 82 | serverHeaderTransformation | string | `overwrite` | This field defines the action to be applied to the Server header on the response path. Values: `overwrite` (default), `append_if_absent`, `pass_through` 83 | disablePermitInsecure | boolean | `false` | If this field is true, Contour will ignore `PermitInsecure` field in HTTPProxy documents. | 84 | envoy-service-name | string | `envoy` | This sets the service name that will be inspected for address details to be applied to Ingress objects. | 85 | envoy-service-namespace | string | `projectcontour` | This sets the namespace of the service that will be inspected for address details to be applied to Ingress objects. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | 86 | ingress-status-address | string | None | If present, this specifies the address that will be copied into the Ingress status for each Ingress that Contour manages. It is exclusive with `envoy-service-name` and `envoy-service-namespace`. | 87 | incluster | boolean | `false` | This field specifies that Contour is running in a Kubernetes cluster and should use the in-cluster client access configuration. | 88 | json-fields | string array | [fields][5] | This is the list the field names to include in the JSON [access log format][2]. This field only has effect if `accesslog-format` is `json`. | 89 | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | 90 | kubernetesClientQPS | float32 | | QPS allowed for the Kubernetes client. | 91 | kubernetesClientBurst | int | | Burst allowed for the Kubernetes client. | 92 | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | 93 | tls | TLS | | The default [TLS configuration](#tls-configuration). | 94 | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | 95 | cluster | ClusterConfig | | The [cluster configuration](#cluster-configuration). | 96 | network | NetworkConfig | | The [network configuration](#network-configuration). | 97 | listener | ListenerConfig | | The [listener configuration](#listener-configuration). | 98 | server | ServerConfig | | The [server configuration](#server-configuration) for `contour serve` command. | 99 | gateway | GatewayConfig | | The [gateway-api Gateway configuration](#gateway-configuration). | 100 | rateLimitService | RateLimitServiceConfig | | The [rate limit service configuration](#rate-limit-service-configuration). | 101 | enableExternalNameService | boolean | `false` | Enable ExternalName Service processing. Enabling this has security implications. Please see the [advisory](https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc) for more details. | 102 | metrics | MetricsParameters | | The [metrics configuration](#metrics-configuration) | 103 104 ### TLS Configuration 105 106 The TLS configuration block can be used to configure default values for how 107 Contour should provision TLS hosts. 108 109 | Field Name | Type | Default | Description | 110 | ------------------------ | -------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 111 | minimum-protocol-version | string | `1.2` | This field specifies the minimum TLS protocol version that is allowed. Valid options are `1.2` (default) and `1.3`. Any other value defaults to TLS 1.2. | 112 | fallback-certificate | | | [Fallback certificate configuration](#fallback-certificate). | 113 | envoy-client-certificate | | | [Client certificate configuration for Envoy](#envoy-client-certificate). | 114 | cipher-suites | []string | See [config package documentation](https://pkg.go.dev/github.com/projectcontour/contour/pkg/config#pkg-variables) | This field specifies the TLS ciphers to be supported by TLS listeners when negotiating TLS 1.2. This parameter should only be used by advanced users. Note that this is ignored when TLS 1.3 is in use. The set of ciphers that are allowed is a superset of those supported by default in stock, non-FIPS Envoy builds and FIPS builds as specified [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). Custom ciphers not accepted by Envoy in a standard build are not supported. | 115 116 ### Fallback Certificate 117 118 | Field Name | Type | Default | Description | 119 | ---------- | ------ | ------- | ----------------------------------------------------------------------------------------------- | 120 | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the fallback certificate. | 121 | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the fallback certificate. | 122 123 124 ### Envoy Client Certificate 125 126 | Field Name | Type | Default | Description | 127 | ---------- | ------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 128 | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | 129 | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | 130 131 132 ### Timeout Configuration 133 134 The timeout configuration block can be used to configure various timeouts for the proxies. All fields are optional; Contour/Envoy defaults apply if a field is not specified. 135 136 | Field Name | Type | Default | Description | 137 | -------------------------------- | ------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 138 | request-timeout | string | none* | This field specifies the default request timeout. Note that this is a timeout for the entire request, not an idle timeout. Must be a [valid Go duration string][4], or omitted or set to `infinity` to disable the timeout entirely. See [the Envoy documentation][12] for more information.<br /><br />_Note: A value of `0s` previously disabled this timeout entirely. This is no longer the case. Use `infinity` or omit this field to disable the timeout._ | 139 | connection-idle-timeout | string | `60s` | This field defines how long the proxy should wait while there are no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating an HTTP connection. The timeout applies to downstream connections only. Must be a [valid Go duration string][4], or `infinity` to disable the timeout entirely. See [the Envoy documentation][8] for more information. | 140 | stream-idle-timeout | string | `5m`* | This field defines how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. Must be a [valid Go duration string][4], or `infinity` to disable the timeout entirely. See [the Envoy documentation][9] for more information. | 141 | max-connection-duration | string | none* | This field defines the maximum period of time after an HTTP connection has been established from the client to the proxy before it is closed by the proxy, regardless of whether there has been activity or not. Must be a [valid Go duration string][4], or omitted or set to `infinity` for no max duration. See [the Envoy documentation][10] for more information. | 142 | delayed-close-timeout | string | `1s`* | *Note: this is an advanced setting that should not normally need to be tuned.* <br /><br /> This field defines how long envoy will wait, once connection close processing has been initiated, for the downstream peer to close the connection before Envoy closes the socket associated with the connection. Setting this timeout to 'infinity' will disable it. See [the Envoy documentation][13] for more information. | 143 | connection-shutdown-grace-period | string | `5s`* | This field defines how long the proxy will wait between sending an initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. During this grace period, the proxy will continue to respond to new streams. After the final GOAWAY frame has been sent, the proxy will refuse new streams. Must be a [valid Go duration string][4]. See [the Envoy documentation][11] for more information. | 144 | connect-timeout | string | `2s` | This field defines how long the proxy will wait for the upstream connection to be established. 145 146 _This is Envoy's default setting value and is not explicitly configured by Contour._ 147 148 ### Cluster Configuration 149 150 The cluster configuration block can be used to configure various parameters for Envoy clusters. 151 152 | Field Name | Type | Default | Description | 153 | ----------------- | ------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 154 | dns-lookup-family | string | auto | This field specifies the dns-lookup-family to use for upstream requests to externalName type Kubernetes services from an HTTPProxy route. Values are: `auto`, `v4`, `v6`, `all` | 155 156 ### Network Configuration 157 158 The network configuration block can be used to configure various parameters network connections. 159 160 | Field Name | Type | Default | Description | 161 | ---------------- | ---- | ------- | ----------------------------------------------------------------------------------------------------------------------- | 162 | num-trusted-hops | int | 0 | Configures the number of additional ingress proxy hops from the right side of the x-forwarded-for HTTP header to trust. | 163 | admin-port | int | 9001 | Configures the Envoy Admin read-only listener on Envoy. Set to `0` to disable. | 164 165 ### Listener Configuration 166 167 The listener configuration block can be used to configure various parameters for Envoy listener. 168 169 | Field Name | Type | Default | Description | 170 | ------------------- | ------ | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 171 | connection-balancer | string | `""` | This field specifies the listener connection balancer. If the value is `exact`, the listener will use the exact connection balancer to balance connections between threads in a single Envoy process. See [the Envoy documentation][14] for more information. | 172 | max-requests-per-io-cycle | int | none | Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the `http.max_requests_per_io_cycle` Envoy runtime setting. The default value when this is not set is no limit. | 173 | http2-max-concurrent-streams | int | none | Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited. | 174 175 ### Server Configuration 176 177 The server configuration block can be used to configure various settings for the `contour serve` command. 178 179 | Field Name | Type | Default | Description | 180 | --------------- | ------ | ------- | ----------------------------------------------------------------------------- | 181 | xds-server-type | string | contour | This field specifies the xDS Server to use. Options are `contour` or `envoy`. | 182 183 ### Gateway Configuration 184 185 The gateway configuration block is used to configure which gateway-api Gateway Contour should configure: 186 187 | Field Name | Type | Default | Description | 188 | -------------- | -------------- | ------- | ------------------------------------------------------------------------------ | 189 | controllerName | string | | Gateway Class controller name (i.e. projectcontour.io/gateway-controller). If set, Contour will reconcile the oldest GatewayClass, and its oldest Gateway, with this controller string. Only one of `controllerName` or `gatewayRef` must be set. | 190 | gatewayRef | NamespacedName | | [Gateway namespace and name](#gateway-ref). If set, Contour will reconcile this specific Gateway. Only one of `controllerName` or `gatewayRef` must be set. | 191 192 ### Gateway Ref 193 194 | Field Name | Type | Default | Description | 195 | ---------- | ------ | ------- | ----------------------------------------------------------------------------------------------- | 196 | name | string | `""` | This field specifies the name of the specific Gateway to reconcile. | 197 | namespace | string | `""` | This field specifies the namespace of the specific Gateway to reconcile. | 198 199 ### Policy Configuration 200 201 The Policy configuration block can be used to configure default policy values 202 that are set if not overridden by the user. 203 204 The `request-headers` field is used to rewrite headers on a HTTP request, and 205 the `response-headers` field is used to rewrite headers on a HTTP response. 206 207 | Field Name | Type | Default | Description | 208 | ---------------- | ------------ | ------- | ------------------------------------------------------------------------------------------------- | 209 | request-headers | HeaderPolicy | none | The default request headers set or removed on all service routes if not overridden in the object | 210 | response-headers | HeaderPolicy | none | The default response headers set or removed on all service routes if not overridden in the object | 211 | applyToIngress | Boolean | false | Whether the global policy should apply to Ingress objects | 212 213 #### HeaderPolicy 214 215 The `set` field sets an HTTP header value, creating it if it doesn't already exist but not overwriting it if it does. 216 The `remove` field removes an HTTP header. 217 218 | Field Name | Type | Default | Description | 219 | ---------- | ----------------- | ------- | ------------------------------------------------------------------------------- | 220 | set | map[string]string | none | Map of headers to set on all service routes if not overridden in the object | 221 | remove | []string | none | List of headers to remove on all service routes if not overridden in the object | 222 223 Note: the values of entries in the `set` and `remove` fields can be overridden in HTTPProxy objects but it it not possible to remove these entries. 224 225 ### Rate Limit Service Configuration 226 227 The rate limit service configuration block is used to configure an optional global rate limit service: 228 229 | Field Name | Type | Default | Description | 230 |-----------------------------| ------ | ------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 231 | extensionService | string | <none> | This field identifies the extension service defining the rate limit service, formatted as <namespace>/<name>. | 232 | domain | string | contour | This field defines the rate limit domain value to pass to the rate limit service. Acts as a container for a set of rate limit definitions within the RLS. | 233 | failOpen | bool | false | This field defines whether to allow requests to proceed when the rate limit service fails to respond with a valid rate limit decision within the timeout defined on the extension service. | 234 | enableXRateLimitHeaders | bool | false | This field defines whether to include the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF Internet-Draft https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html), on responses to clients when the Rate Limit Service is consulted for a request. | 235 | enableResourceExhaustedCode | bool | false | This field defines whether to translate status code 429 to gRPC RESOURCE_EXHAUSTED instead of UNAVAILABLE. | 236 237 ### Metrics Configuration 238 239 MetricsParameters holds configurable parameters for Contour and Envoy metrics. 240 241 | Field Name | Type | Default | Description | 242 | ----------- | ----------------------- | ------- | -------------------------------------------------------------------- | 243 | contour | MetricsServerParameters | | [Metrics Server Parameters](#metrics-server-parameters) for Contour. | 244 | envoy | MetricsServerParameters | | [Metrics Server Parameters](#metrics-server-parameters) for Envoy. | 245 246 ### Metrics Server Parameters 247 248 MetricsServerParameters holds configurable parameters for Contour and Envoy metrics. 249 Metrics are served over HTTPS if `server-certificate-path` and `server-key-path` are set. 250 Metrics and health endpoints cannot have the same port number when metrics are served over HTTPS. 251 252 | Field Name | Type | Default | Description | 253 | ----------------------- | ------ | ---------------------------- | -----------------------------------------------------------------------------| 254 | address | string | 0.0.0.0 | Address that metrics server will bind to. | 255 | port | int | 8000 (Contour), 8002 (Envoy) | Port that metrics server will bind to. | 256 | server-certificate-path | string | none | Optional path to the server certificate file. | 257 | server-key-path | string | none | Optional path to the server private key file. | 258 | ca-certificate-path | string | none | Optional path to the CA certificate file used to verify client certificates. | 259 260 ### Configuration Example 261 262 The following is an example ConfigMap with configuration file included: 263 264 ```yaml 265 apiVersion: v1 266 kind: ConfigMap 267 metadata: 268 name: contour 269 namespace: projectcontour 270 data: 271 contour.yaml: | 272 # 273 # server: 274 # determine which XDS Server implementation to utilize in Contour. 275 # xds-server-type: contour 276 # 277 # specify the gateway-api Gateway Contour should configure 278 # gateway: 279 # controllerName: projectcontour.io/gateway-controller 280 # 281 # should contour expect to be running inside a k8s cluster 282 # incluster: true 283 # 284 # path to kubeconfig (if not running inside a k8s cluster) 285 # kubeconfig: /path/to/.kube/config 286 # 287 # Disable RFC-compliant behavior to strip "Content-Length" header if 288 # "Tranfer-Encoding: chunked" is also set. 289 # disableAllowChunkedLength: false 290 # Disable HTTPProxy permitInsecure field 291 disablePermitInsecure: false 292 tls: 293 # minimum TLS version that Contour will negotiate 294 # minimum-protocol-version: "1.2" 295 # TLS ciphers to be supported by Envoy TLS listeners when negotiating 296 # TLS 1.2. 297 # cipher-suites: 298 # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' 299 # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' 300 # - 'ECDHE-ECDSA-AES256-GCM-SHA384' 301 # - 'ECDHE-RSA-AES256-GCM-SHA384' 302 # Defines the Kubernetes name/namespace matching a secret to use 303 # as the fallback certificate when requests which don't match the 304 # SNI defined for a vhost. 305 fallback-certificate: 306 # name: fallback-secret-name 307 # namespace: projectcontour 308 envoy-client-certificate: 309 # name: envoy-client-cert-secret-name 310 # namespace: projectcontour 311 ### Logging options 312 # Default setting 313 accesslog-format: envoy 314 # The default access log format is defined by Envoy but it can be customized by setting following variable. 315 # accesslog-format-string: "...\n" 316 # To enable JSON logging in Envoy 317 # accesslog-format: json 318 # accesslog-level: info 319 # The default fields that will be logged are specified below. 320 # To customise this list, just add or remove entries. 321 # The canonical list is available at 322 # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields 323 # json-fields: 324 # - "@timestamp" 325 # - "authority" 326 # - "bytes_received" 327 # - "bytes_sent" 328 # - "downstream_local_address" 329 # - "downstream_remote_address" 330 # - "duration" 331 # - "method" 332 # - "path" 333 # - "protocol" 334 # - "request_id" 335 # - "requested_server_name" 336 # - "response_code" 337 # - "response_flags" 338 # - "uber_trace_id" 339 # - "upstream_cluster" 340 # - "upstream_host" 341 # - "upstream_local_address" 342 # - "upstream_service_time" 343 # - "user_agent" 344 # - "x_forwarded_for" 345 # 346 # default-http-versions: 347 # - "HTTP/2" 348 # - "HTTP/1.1" 349 # 350 # The following shows the default proxy timeout settings. 351 # timeouts: 352 # request-timeout: infinity 353 # connection-idle-timeout: 60s 354 # stream-idle-timeout: 5m 355 # max-connection-duration: infinity 356 # connection-shutdown-grace-period: 5s 357 # 358 # Envoy cluster settings. 359 # cluster: 360 # configure the cluster dns lookup family 361 # valid options are: auto (default), v4, v6, all 362 # dns-lookup-family: auto 363 # 364 # network: 365 # Configure the number of additional ingress proxy hops from the 366 # right side of the x-forwarded-for HTTP header to trust. 367 # num-trusted-hops: 0 368 # Configure the port used to access the Envoy Admin interface. 369 # admin-port: 9001 370 # 371 # Configure an optional global rate limit service. 372 # rateLimitService: 373 # Identifies the extension service defining the rate limit service, 374 # formatted as <namespace>/<name>. 375 # extensionService: projectcontour/ratelimit 376 # Defines the rate limit domain to pass to the rate limit service. 377 # Acts as a container for a set of rate limit definitions within 378 # the RLS. 379 # domain: contour 380 # Defines whether to allow requests to proceed when the rate limit 381 # service fails to respond with a valid rate limit decision within 382 # the timeout defined on the extension service. 383 # failOpen: false 384 # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, 385 # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF 386 # Internet-Draft linked below), on responses to clients when the Rate 387 # Limit Service is consulted for a request. 388 # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html 389 # enableXRateLimitHeaders: false 390 # Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED 391 # instead of the default UNAVAILABLE 392 # enableResourceExhaustedCode: false 393 # 394 # Global Policy settings. 395 # policy: 396 # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) 397 # request-headers: 398 # set: 399 # # example: the hostname of the Envoy instance that proxied the request 400 # X-Envoy-Hostname: %HOSTNAME% 401 # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for 402 # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% 403 # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) 404 # response-headers: 405 # set: 406 # # example: Envoy flags that provide additional details about the response or connection 407 # X-Envoy-Response-Flags: %RESPONSE_FLAGS% 408 # Whether or not the policy settings should apply to ingress objects 409 # applyToIngress: true 410 # 411 # metrics: 412 # contour: 413 # address: 0.0.0.0 414 # port: 8000 415 # server-certificate-path: /path/to/server-cert.pem 416 # server-key-path: /path/to/server-private-key.pem 417 # ca-certificate-path: /path/to/root-ca-for-client-validation.pem 418 # envoy: 419 # address: 0.0.0.0 420 # port: 8002 421 # server-certificate-path: /path/to/server-cert.pem 422 # server-key-path: /path/to/server-private-key.pem 423 # ca-certificate-path: /path/to/root-ca-for-client-validation.pem 424 ``` 425 426 _Note:_ The default example `contour` includes this [file][1] for easy deployment of Contour. 427 428 ## Environment Variables 429 430 ### CONTOUR_NAMESPACE 431 432 If present, the value of the `CONTOUR_NAMESPACE` environment variable is used as: 433 434 1. The value for the `contour bootstrap --namespace` flag unless otherwise specified. 435 1. The value for the `contour certgen --namespace` flag unless otherwise specified. 436 1. The value for the `contour serve --envoy-service-namespace` flag unless otherwise specified. 437 1. The value for the `contour serve --leader-election-resource-namespace` flag unless otherwise specified. 438 439 The `CONTOUR_NAMESPACE` environment variable is set via the [Downward API][6] in the Contour [example manifests][7]. 440 441 ## Bootstrap Config File 442 443 The bootstrap configuration file is generated by an initContainer in the Envoy daemonset which runs the `contour bootstrap` command to generate the file. 444 This configuration file configures the Envoy container to connect to Contour and receive configuration via xDS. 445 446 The next section outlines all the available flags that can be passed to the `contour bootstrap` command which are used to customize 447 the configuration file to match the environment in which Envoy is deployed. 448 449 ### Bootstrap Flags 450 451 There are flags that can be passed to `contour bootstrap` that help configure how Envoy 452 connects to Contour: 453 454 | Flag | Default | Description | 455 | -------------------------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 456 | <nobr>--resources-dir</nobr> | "" | Directory where resource files will be written. | 457 | <nobr>--admin-address</nobr> | /admin/admin.sock | Path to Envoy admin unix domain socket. | 458 | <nobr>--admin-port (Deprecated)</nobr> | 9001 | Deprecated: Port is now configured as a Contour flag. | 459 | <nobr>--xds-address</nobr> | 127.0.0.1 | Address to connect to Contour xDS server on. | 460 | <nobr>--xds-port</nobr> | 8001 | Port to connect to Contour xDS server on. | 461 | <nobr>--envoy-cafile</nobr> | "" | CA filename for Envoy secure xDS gRPC communication. | 462 | <nobr>--envoy-cert-file</nobr> | "" | Client certificate filename for Envoy secure xDS gRPC communication. | 463 | <nobr>--envoy-key-file</nobr> | "" | Client key filename for Envoy secure xDS gRPC communication. | 464 | <nobr>--namespace</nobr> | projectcontour | Namespace the Envoy container will run, also configured via ENV variable "CONTOUR_NAMESPACE". Namespace is used as part of the metric names on static resources defined in the bootstrap configuration file. | 465 | <nobr>--xds-resource-version</nobr> | v3 | Currently, the only valid xDS API resource version is `v3`. | 466 | <nobr>--dns-lookup-family</nobr> | auto | Defines what DNS Resolution Policy to use for Envoy -> Contour cluster name lookup. Either v4, v6, auto or all. | 467 | <nobr>--log-format | text | Log output format for Contour. Either text or json. | 468 | <nobr>--overload-max-heap | "" | Defines the maximum heap size in bytes until Envoy overload manager stops accepting new connections. | 469 470 471 [1]: {{< param github_url>}}/tree/{{< param branch >}}/examples/contour/01-contour-config.yaml 472 [2]: guides/structured-logs 473 [3]: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/ 474 [4]: https://golang.org/pkg/time/#ParseDuration 475 [5]: https://godoc.org/github.com/projectcontour/contour/internal/envoy#DefaultFields 476 [6]: https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/ 477 [7]: {{< param github_url>}}/tree/{{< param branch >}}/examples/contour 478 [8]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout 479 [9]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout 480 [10]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration 481 [11]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout 482 [12]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout 483 [13]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout 484 [14]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener-connectionbalanceconfig