|
| 1 | +--- |
| 2 | +apiVersion: v1 |
| 3 | +kind: ConfigMap |
| 4 | +metadata: |
| 5 | + name: contour |
| 6 | + namespace: projectcontour |
| 7 | +data: |
| 8 | + contour.yaml: | |
| 9 | + # |
| 10 | + # server: |
| 11 | + # determine which XDS Server implementation to utilize in Contour. |
| 12 | + # xds-server-type: envoy |
| 13 | + # |
| 14 | + # Specify the Gateway API configuration. |
| 15 | + # gateway: |
| 16 | + # namespace: projectcontour |
| 17 | + # name: contour |
| 18 | + # |
| 19 | + # should contour expect to be running inside a k8s cluster |
| 20 | + # incluster: true |
| 21 | + # |
| 22 | + # path to kubeconfig (if not running inside a k8s cluster) |
| 23 | + # kubeconfig: /path/to/.kube/config |
| 24 | + # |
| 25 | + # Disable RFC-compliant behavior to strip "Content-Length" header if |
| 26 | + # "Tranfer-Encoding: chunked" is also set. |
| 27 | + # disableAllowChunkedLength: false |
| 28 | + # |
| 29 | + # Disable Envoy's non-standard merge_slashes path transformation option |
| 30 | + # that strips duplicate slashes from request URLs. |
| 31 | + # disableMergeSlashes: false |
| 32 | + # |
| 33 | + # Disable HTTPProxy permitInsecure field |
| 34 | + disablePermitInsecure: false |
| 35 | + tls: |
| 36 | + # minimum TLS version that Contour will negotiate |
| 37 | + minimum-protocol-version: "$CONTOUR_TLS_MINIMUM_PROTOCOL_VERSION" |
| 38 | + # TLS ciphers to be supported by Envoy TLS listeners when negotiating |
| 39 | + # TLS 1.2. |
| 40 | + # cipher-suites: |
| 41 | + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' |
| 42 | + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' |
| 43 | + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' |
| 44 | + # - 'ECDHE-RSA-AES256-GCM-SHA384' |
| 45 | + # Defines the Kubernetes name/namespace matching a secret to use |
| 46 | + # as the fallback certificate when requests which don't match the |
| 47 | + # SNI defined for a vhost. |
| 48 | + fallback-certificate: |
| 49 | + # name: fallback-secret-name |
| 50 | + # namespace: projectcontour |
| 51 | + envoy-client-certificate: |
| 52 | + # name: envoy-client-cert-secret-name |
| 53 | + # namespace: projectcontour |
| 54 | + #### |
| 55 | + # ExternalName Services are disabled by default due to CVE-2021-XXXXX |
| 56 | + # You can re-enable them by setting this setting to `true`. |
| 57 | + # This is not recommended without understanding the security implications. |
| 58 | + # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details. |
| 59 | + # enableExternalNameService: false |
| 60 | + ## |
| 61 | + # Address to be placed in status.loadbalancer field of Ingress objects. |
| 62 | + # May be either a literal IP address or a host name. |
| 63 | + # The value will be placed directly into the relevant field inside the status.loadBalancer struct. |
| 64 | + # ingress-status-address: local.projectcontour.io |
| 65 | + ### Logging options |
| 66 | + # Default setting |
| 67 | + accesslog-format: envoy |
| 68 | + # The default access log format is defined by Envoy but it can be customized by setting following variable. |
| 69 | + # accesslog-format-string: "...\n" |
| 70 | + # To enable JSON logging in Envoy |
| 71 | + # accesslog-format: json |
| 72 | + # accesslog-level: info |
| 73 | + # The default fields that will be logged are specified below. |
| 74 | + # To customise this list, just add or remove entries. |
| 75 | + # The canonical list is available at |
| 76 | + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields |
| 77 | + # json-fields: |
| 78 | + # - "@timestamp" |
| 79 | + # - "authority" |
| 80 | + # - "bytes_received" |
| 81 | + # - "bytes_sent" |
| 82 | + # - "downstream_local_address" |
| 83 | + # - "downstream_remote_address" |
| 84 | + # - "duration" |
| 85 | + # - "method" |
| 86 | + # - "path" |
| 87 | + # - "protocol" |
| 88 | + # - "request_id" |
| 89 | + # - "requested_server_name" |
| 90 | + # - "response_code" |
| 91 | + # - "response_flags" |
| 92 | + # - "uber_trace_id" |
| 93 | + # - "upstream_cluster" |
| 94 | + # - "upstream_host" |
| 95 | + # - "upstream_local_address" |
| 96 | + # - "upstream_service_time" |
| 97 | + # - "user_agent" |
| 98 | + # - "x_forwarded_for" |
| 99 | + # - "grpc_status" |
| 100 | + # - "grpc_status_number" |
| 101 | + # |
| 102 | + # default-http-versions: |
| 103 | + # - "HTTP/2" |
| 104 | + # - "HTTP/1.1" |
| 105 | + # |
| 106 | + # The following shows the default proxy timeout settings. |
| 107 | + # timeouts: |
| 108 | + # request-timeout: infinity |
| 109 | + # connection-idle-timeout: 60s |
| 110 | + # stream-idle-timeout: 5m |
| 111 | + # max-connection-duration: infinity |
| 112 | + # delayed-close-timeout: 1s |
| 113 | + # connection-shutdown-grace-period: 5s |
| 114 | + # connect-timeout: 2s |
| 115 | + # |
| 116 | + # Envoy cluster settings. |
| 117 | + # cluster: |
| 118 | + # configure the cluster dns lookup family |
| 119 | + # valid options are: auto (default), v4, v6 |
| 120 | + # dns-lookup-family: auto |
| 121 | + # |
| 122 | + # Envoy network settings. |
| 123 | + # network: |
| 124 | + # Configure the number of additional ingress proxy hops from the |
| 125 | + # right side of the x-forwarded-for HTTP header to trust. |
| 126 | + # num-trusted-hops: 0 |
| 127 | + # Configure the port used to access the Envoy Admin interface. |
| 128 | + # admin-port: 9001 |
| 129 | + # |
| 130 | + # Configure an optional global rate limit service. |
| 131 | + # rateLimitService: |
| 132 | + # Identifies the extension service defining the rate limit service, |
| 133 | + # formatted as <namespace>/<name>. |
| 134 | + # extensionService: projectcontour/ratelimit |
| 135 | + # Defines the rate limit domain to pass to the rate limit service. |
| 136 | + # Acts as a container for a set of rate limit definitions within |
| 137 | + # the RLS. |
| 138 | + # domain: contour |
| 139 | + # Defines whether to allow requests to proceed when the rate limit |
| 140 | + # service fails to respond with a valid rate limit decision within |
| 141 | + # the timeout defined on the extension service. |
| 142 | + # failOpen: false |
| 143 | + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, |
| 144 | + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF |
| 145 | + # Internet-Draft linked below), on responses to clients when the Rate |
| 146 | + # Limit Service is consulted for a request. |
| 147 | + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html |
| 148 | + # enableXRateLimitHeaders: false |
| 149 | + # Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED |
| 150 | + # instead of the default UNAVAILABLE |
| 151 | + # enableResourceExhaustedCode: false |
| 152 | + # |
| 153 | + # Global Policy settings. |
| 154 | + # policy: |
| 155 | + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) |
| 156 | + # request-headers: |
| 157 | + # set: |
| 158 | + # # example: the hostname of the Envoy instance that proxied the request |
| 159 | + # X-Envoy-Hostname: %HOSTNAME% |
| 160 | + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for |
| 161 | + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% |
| 162 | + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) |
| 163 | + # response-headers: |
| 164 | + # set: |
| 165 | + # # example: Envoy flags that provide additional details about the response or connection |
| 166 | + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% |
| 167 | + # |
| 168 | + # metrics: |
| 169 | + # contour: |
| 170 | + # address: 0.0.0.0 |
| 171 | + # port: 8000 |
| 172 | + # server-certificate-path: /path/to/server-cert.pem |
| 173 | + # server-key-path: /path/to/server-private-key.pem |
| 174 | + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem |
| 175 | + # envoy: |
| 176 | + # address: 0.0.0.0 |
| 177 | + # port: 8002 |
| 178 | + # server-certificate-path: /path/to/server-cert.pem |
| 179 | + # server-key-path: /path/to/server-private-key.pem |
| 180 | + # ca-certificate-path: /path/to/root-ca-for-client-validation.pem |
| 181 | + # |
| 182 | + # listener: |
| 183 | + # connection-balancer: exact |
| 184 | + # socket-options: |
| 185 | + # tos: 64 |
| 186 | + # traffic-class: 64 |
| 187 | +
|
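Review bot: The `minimum-protocol-version: "$CONTOUR_TLS_MINIMUM_PROTOCOL_VERSION"` value under `tls:` (new line 37) is a placeholder that only works if something substitutes it before the ConfigMap is applied, and nothing visible here says what does that or which values are accepted. If the manifest is applied unrendered, or the variable is empty, Contour receives a literal or empty string; depending on the Contour version that is presumably either rejected at startup or treated as the default, so the TLS floor the operator intended may silently not apply. I would add a comment above it such as `# Substituted at deploy time; must be a TLS version Contour accepts (for example "1.3"). Do not apply this file unrendered.` and have the deploy step fail when the variable is unset. Separately, the comment on new line 55 still reads `CVE-2021-XXXXX`; the advisory link on line 58 already identifies the issue, so either fill in the assigned id or drop the placeholder.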