---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: contourconfigurations.projectcontour.io
spec:
  preserveUnknownFields: false
  group: projectcontour.io
  names:
    kind: ContourConfiguration
    listKind: ContourConfigurationList
    plural: contourconfigurations
    shortNames:
    - contourconfig
    singular: contourconfiguration
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ContourConfiguration is the schema for a Contour instance.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              ContourConfigurationSpec represents a configuration of a Contour controller.
              It contains most of all the options that can be customized, the
              other remaining options being command line flags.
            properties:
              debug:
                description: |-
                  Debug contains parameters to enable debug logging
                  and debug interfaces inside Contour.
                properties:
                  address:
                    description: |-
                      Defines the Contour debug address interface.
                      Contour's default is "127.0.0.1".
                    type: string
                  port:
                    description: |-
                      Defines the Contour debug address port.
                      Contour's default is 6060.
                    type: integer
                type: object
              enableExternalNameService:
                description: |-
                  EnableExternalNameService allows processing of ExternalNameServices
                  Contour's default is false for security reasons.
                type: boolean
              envoy:
                description: |-
                  Envoy contains parameters for Envoy as well
                  as how to optionally configure a managed Envoy fleet.
                properties:
                  clientCertificate:
                    description: |-
                      ClientCertificate defines the namespace/name of the Kubernetes
                      secret containing the client certificate and private key
                      to be used when establishing TLS connection to upstream
                      cluster.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    - namespace
                    type: object
                  cluster:
                    description: |-
                      Cluster holds various configurable Envoy cluster values that can
                      be set in the config file.
                    properties:
                      circuitBreakers:
                        description: |-
                          GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
                          If defined, this will be used as the default for all services.
                        properties:
                          maxConnections:
                            description: The maximum number of connections that a
                              single Envoy instance allows to the Kubernetes Service;
                              defaults to 1024.
                            format: int32
                            type: integer
                          maxPendingRequests:
                            description: The maximum number of pending requests that
                              a single Envoy instance allows to the Kubernetes Service;
                              defaults to 1024.
                            format: int32
                            type: integer
                          maxRequests:
                            description: The maximum parallel requests a single Envoy
                              instance allows to the Kubernetes Service; defaults
                              to 1024
                            format: int32
                            type: integer
                          maxRetries:
                            description: The maximum number of parallel retries a
                              single Envoy instance allows to the Kubernetes Service;
                              defaults to 3.
                            format: int32
                            type: integer
                        type: object
                      dnsLookupFamily:
                        description: |-
                          DNSLookupFamily defines how external names are looked up
                          When configured as V4, the DNS resolver will only perform a lookup
                          for addresses in the IPv4 family. If V6 is configured, the DNS resolver
                          will only perform a lookup for addresses in the IPv6 family.
                          If AUTO is configured, the DNS resolver will first perform a lookup
                          for addresses in the IPv6 family and fallback to a lookup for addresses
                          in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
                          both IPv4 and IPv6 families, and return all resolved addresses.
                          When this is used, Happy Eyeballs will be enabled for upstream connections.
                          Refer to Happy Eyeballs Support for more information.
                          Note: This only applies to externalName clusters.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
                          for more information.
                          Values: `auto` (default), `v4`, `v6`, `all`.
                          Other values will produce an error.
                        type: string
                      maxRequestsPerConnection:
                        description: |-
                          Defines the maximum requests for upstream connections. If not specified, there is no limit.
                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
                          for more information.
                        format: int32
                        minimum: 1
                        type: integer
                      per-connection-buffer-limit-bytes:
                        description: |-
                          Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
                          If unspecified, an implementation defined default is applied (1MiB).
                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
                          for more information.
                        format: int32
                        minimum: 1
                        type: integer
                      upstreamTLS:
                        description: UpstreamTLS contains the TLS policy parameters
                          for upstream connections
                        properties:
                          cipherSuites:
                            description: |-
                              CipherSuites defines the TLS ciphers to be supported by Envoy TLS
                              listeners when negotiating TLS 1.2. Ciphers are validated against the
                              set that Envoy supports by default. This parameter should only be used
                              by advanced users. Note that these will be ignored when TLS 1.3 is in
                              use.
                              This field is optional; when it is undefined, a Contour-managed ciphersuite list
                              will be used, which may be updated to keep it secure.
                              Contour's default list is:
                                - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                - "ECDHE-RSA-AES256-GCM-SHA384"
                              Ciphers provided are validated against the following list:
                                - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                - "ECDHE-ECDSA-AES128-GCM-SHA256"
                                - "ECDHE-RSA-AES128-GCM-SHA256"
                                - "ECDHE-ECDSA-AES128-SHA"
                                - "ECDHE-RSA-AES128-SHA"
                                - "AES128-GCM-SHA256"
                                - "AES128-SHA"
                                - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                - "ECDHE-RSA-AES256-GCM-SHA384"
                                - "ECDHE-ECDSA-AES256-SHA"
                                - "ECDHE-RSA-AES256-SHA"
                                - "AES256-GCM-SHA384"
                                - "AES256-SHA"
                              Contour recommends leaving this undefined unless you are sure you must.
                              See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
                              Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
                            items:
                              type: string
                            type: array
                          maximumProtocolVersion:
                            description: |-
                              MaximumProtocolVersion is the maximum TLS version this vhost should
                              negotiate.
                              Values: `1.2`, `1.3`(default).
                              Other values will produce an error.
                            type: string
                          minimumProtocolVersion:
                            description: |-
                              MinimumProtocolVersion is the minimum TLS version this vhost should
                              negotiate.
                              Values: `1.2` (default), `1.3`.
                              Other values will produce an error.
                            type: string
                        type: object
                    type: object
                  defaultHTTPVersions:
                    description: |-
                      DefaultHTTPVersions defines the default set of HTTPS
                      versions the proxy should accept. HTTP versions are
                      strings of the form "HTTP/xx". Supported versions are
                      "HTTP/1.1" and "HTTP/2".
                      Values: `HTTP/1.1`, `HTTP/2` (default: both).
                      Other values will produce an error.
                    items:
                      description: HTTPVersionType is the name of a supported HTTP
                        version.
                      type: string
                    type: array
                  health:
                    description: |-
                      Health defines the endpoint Envoy uses to serve health checks.
                      Contour's default is { address: "0.0.0.0", port: 8002 }.
                    properties:
                      address:
                        description: Defines the health address interface.
                        minLength: 1
                        type: string
                      port:
                        description: Defines the health port.
                        type: integer
                    type: object
                  http:
                    description: |-
                      Defines the HTTP Listener for Envoy.
                      Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
                    properties:
                      accessLog:
                        description: AccessLog defines where Envoy logs are outputted
                          for this listener.
                        type: string
                      address:
                        description: Defines an Envoy Listener Address.
                        minLength: 1
                        type: string
                      port:
                        description: Defines an Envoy listener Port.
                        type: integer
                    type: object
                  https:
                    description: |-
                      Defines the HTTPS Listener for Envoy.
                      Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
                    properties:
                      accessLog:
                        description: AccessLog defines where Envoy logs are outputted
                          for this listener.
                        type: string
                      address:
                        description: Defines an Envoy Listener Address.
                        minLength: 1
                        type: string
                      port:
                        description: Defines an Envoy listener Port.
                        type: integer
                    type: object
                  listener:
                    description: Listener hold various configurable Envoy listener
                      values.
                    properties:
                      connectionBalancer:
                        description: |-
                          ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
                          for more information.
                          Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
                          Other values will produce an error.
                        type: string
                      disableAllowChunkedLength:
                        description: |-
                          DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
                          strip the "Content-Length" header if "Transfer-Encoding: chunked" is
                          also set. This is an emergency off-switch to revert back to Envoy's
                          default behavior in case of failures. Please file an issue if failures
                          are encountered.
                          See: https://github.com/projectcontour/contour/issues/3221
                          Contour's default is false.
                        type: boolean
                      disableMergeSlashes:
                        description: |-
                          DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
                          which strips duplicate slashes from request URL paths.
                          Contour's default is false.
                        type: boolean
                      httpMaxConcurrentStreams:
                        description: |-
                          Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
                          SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
                          for a peer on a single HTTP/2 connection. It is recommended to not set this lower
                          than 100 but this field can be used to bound resource usage by HTTP/2 connections
                          and mitigate attacks like CVE-2023-44487. The default value when this is not set is
                          unlimited.
                        format: int32
                        minimum: 1
                        type: integer
                      maxConnectionsPerListener:
                        description: |-
                          Defines the limit on number of active connections to a listener. The limit is applied
                          per listener. The default value when this is not set is unlimited.
                        format: int32
                        minimum: 1
                        type: integer
                      maxRequestsPerConnection:
                        description: |-
                          Defines the maximum requests for downstream connections. If not specified, there is no limit.
                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
                          for more information.
                        format: int32
                        minimum: 1
                        type: integer
                      maxRequestsPerIOCycle:
                        description: |-
                          Defines the limit on number of HTTP requests that Envoy will process from a single
                          connection in a single I/O cycle. Requests over this limit are processed in subsequent
                          I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
                          detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
                          value when this is not set is no limit.
                        format: int32
                        minimum: 1
                        type: integer
                      per-connection-buffer-limit-bytes:
                        description: |-
                          Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
                          If unspecified, an implementation defined default is applied (1MiB).
                          see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
                          for more information.
                        format: int32
                        minimum: 1
                        type: integer
                      serverHeaderTransformation:
                        description: |-
                          Defines the action to be applied to the Server header on the response path.
                          When configured as overwrite, overwrites any Server header with "envoy".
                          When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
                          When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
                          Values: `overwrite` (default), `append_if_absent`, `pass_through`
                          Other values will produce an error.
                          Contour's default is overwrite.
                        type: string
                      socketOptions:
                        description: |-
                          SocketOptions defines configurable socket options for the listeners.
                          Single set of options are applied to all listeners.
                        properties:
                          tos:
                            description: |-
                              Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
                              Single value is applied to all listeners.
                              If listeners are bound to IPv6-only addresses, setting this option will cause an error.
                            format: int32
                            maximum: 255
                            minimum: 0
                            type: integer
                          trafficClass:
                            description: |-
                              Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
                              Single value is applied to all listeners.
                              If listeners are bound to IPv4-only addresses, setting this option will cause an error.
                            format: int32
                            maximum: 255
                            minimum: 0
                            type: integer
                        type: object
                      tls:
                        description: TLS holds various configurable Envoy TLS listener
                          values.
                        properties:
                          cipherSuites:
                            description: |-
                              CipherSuites defines the TLS ciphers to be supported by Envoy TLS
                              listeners when negotiating TLS 1.2. Ciphers are validated against the
                              set that Envoy supports by default. This parameter should only be used
                              by advanced users. Note that these will be ignored when TLS 1.3 is in
                              use.
                              This field is optional; when it is undefined, a Contour-managed ciphersuite list
                              will be used, which may be updated to keep it secure.
                              Contour's default list is:
                                - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                - "ECDHE-RSA-AES256-GCM-SHA384"
                              Ciphers provided are validated against the following list:
                                - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                - "ECDHE-ECDSA-AES128-GCM-SHA256"
                                - "ECDHE-RSA-AES128-GCM-SHA256"
                                - "ECDHE-ECDSA-AES128-SHA"
                                - "ECDHE-RSA-AES128-SHA"
                                - "AES128-GCM-SHA256"
                                - "AES128-SHA"
                                - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                - "ECDHE-RSA-AES256-GCM-SHA384"
                                - "ECDHE-ECDSA-AES256-SHA"
                                - "ECDHE-RSA-AES256-SHA"
                                - "AES256-GCM-SHA384"
                                - "AES256-SHA"
                              Contour recommends leaving this undefined unless you are sure you must.
                              See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
                              Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
                            items:
                              type: string
                            type: array
                          maximumProtocolVersion:
                            description: |-
                              MaximumProtocolVersion is the maximum TLS version this vhost should
                              negotiate.
                              Values: `1.2`, `1.3`(default).
                              Other values will produce an error.
                            type: string
                          minimumProtocolVersion:
                            description: |-
                              MinimumProtocolVersion is the minimum TLS version this vhost should
                              negotiate.
                              Values: `1.2` (default), `1.3`.
                              Other values will produce an error.
                            type: string
                        type: object
                      useProxyProtocol:
                        description: |-
                          Use PROXY protocol for all listeners.
                          Contour's default is false.
                        type: boolean
                    type: object
                  logging:
                    description: Logging defines how Envoy's logs can be configured.
                    properties:
                      accessLogFormat:
                        description: |-
                          AccessLogFormat sets the global access log format.
                          Values: `envoy` (default), `json`.
                          Other values will produce an error.
                        type: string
                      accessLogFormatString:
                        description: |-
                          AccessLogFormatString sets the access log format when format is set to `envoy`.
                          When empty, Envoy's default format is used.
                        type: string
                      accessLogJSONFields:
                        description: |-
                          AccessLogJSONFields sets the fields that JSON logging will
                          output when AccessLogFormat is json.
                        items:
                          type: string
                        type: array
                      accessLogLevel:
                        description: |-
                          AccessLogLevel sets the verbosity level of the access log.
                          Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
                          Other values will produce an error.
                        type: string
                    type: object
                  metrics:
                    description: |-
                      Metrics defines the endpoint Envoy uses to serve metrics.
                      Contour's default is { address: "0.0.0.0", port: 8002 }.
                    properties:
                      address:
                        description: Defines the metrics address interface.
                        maxLength: 253
                        minLength: 1
                        type: string
                      port:
                        description: Defines the metrics port.
                        type: integer
                      tls:
                        description: |-
                          TLS holds TLS file config details.
                          Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
                        properties:
                          caFile:
                            description: CA filename.
                            type: string
                          certFile:
                            description: Client certificate filename.
                            type: string
                          keyFile:
                            description: Client key filename.
                            type: string
                        type: object
                    type: object
                  network:
                    description: Network holds various configurable Envoy network
                      values.
                    properties:
                      adminPort:
                        description: |-
                          Configure the port used to access the Envoy Admin interface.
                          If configured to port "0" then the admin interface is disabled.
                          Contour's default is 9001.
                        type: integer
                      numTrustedHops:
                        description: |-
                          XffNumTrustedHops defines the number of additional ingress proxy hops from the
                          right side of the x-forwarded-for HTTP header to trust when determining the origin
                          client’s IP address.
                          See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
                          for more information.
                          Contour's default is 0.
                        format: int32
                        type: integer
                    type: object
                  service:
                    description: |-
                      Service holds Envoy service parameters for setting Ingress status.
                      Contour's default is { namespace: "projectcontour", name: "envoy" }.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    - namespace
                    type: object
                  timeouts:
                    description: |-
                      Timeouts holds various configurable timeouts that can
                      be set in the config file.
                    properties:
                      connectTimeout:
                        description: |-
                          ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
                          If not set, a default value of 2 seconds will be used.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
                          for more information.
                        type: string
                      connectionIdleTimeout:
                        description: |-
                          ConnectionIdleTimeout defines how long the proxy should wait while there are
                          no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
                          an HTTP connection. Set to "infinity" to disable the timeout entirely.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
                          for more information.
                        type: string
                      connectionShutdownGracePeriod:
                        description: |-
                          ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
                          initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
                          During this grace period, the proxy will continue to respond to new streams. After the final
                          GOAWAY frame has been sent, the proxy will refuse new streams.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
                          for more information.
                        type: string
                      delayedCloseTimeout:
                        description: |-
                          DelayedCloseTimeout defines how long envoy will wait, once connection
                          close processing has been initiated, for the downstream peer to close
                          the connection before Envoy closes the socket associated with the connection.
                          Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
                          in Envoy. Leaving it unset will result in the Envoy default value being used.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
                          for more information.
                        type: string
                      maxConnectionDuration:
                        description: |-
                          MaxConnectionDuration defines the maximum period of time after an HTTP connection
                          has been established from the client to the proxy before it is closed by the proxy,
                          regardless of whether there has been activity or not. Omit or set to "infinity" for
                          no max duration.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
                          for more information.
                        type: string
                      requestTimeout:
                        description: |-
                          RequestTimeout sets the client request timeout globally for Contour. Note that
                          this is a timeout for the entire request, not an idle timeout. Omit or set to
                          "infinity" to disable the timeout entirely.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
                          for more information.
                        type: string
                      streamIdleTimeout:
                        description: |-
                          StreamIdleTimeout defines how long the proxy should wait while there is no
                          request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
                          terminating the HTTP request or stream. Set to "infinity" to disable the
                          timeout entirely.
                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
                          for more information.
                        type: string
                    type: object
                type: object
              featureFlags:
                description: |-
                  FeatureFlags defines toggle to enable new contour features.
                  Available toggles are:
                  useEndpointSlices - configures contour to fetch endpoint data
                  from k8s endpoint slices. defaults to false and reading endpoint
                  data from the k8s endpoints.
                items:
                  type: string
                type: array
              gateway:
                description: |-
                  Gateway contains parameters for the gateway-api Gateway that Contour
                  is configured to serve traffic.
                properties:
                  gatewayRef:
                    description: |-
                      GatewayRef defines the specific Gateway that this Contour
                      instance corresponds to.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    - namespace
                    type: object
                required:
                - gatewayRef
                type: object
              globalExtAuth:
                description: |-
                  GlobalExternalAuthorization allows envoys external authorization filter
                  to be enabled for all virtual hosts.
                properties:
                  authPolicy:
                    description: |-
                      AuthPolicy sets a default authorization policy for client requests.
                      This policy will be used unless overridden by individual routes.
                    properties:
                      context:
                        additionalProperties:
                          type: string
                        description: |-
                          Context is a set of key/value pairs that are sent to the
                          authentication server in the check request. If a context
                          is provided at an enclosing scope, the entries are merged
                          such that the inner scope overrides matching keys from the
                          outer scope.
                        type: object
                      disabled:
                        description: |-
                          When true, this field disables client request authentication
                          for the scope of the policy.
                        type: boolean
                    type: object
                  extensionRef:
                    description: ExtensionServiceRef specifies the extension resource
                      that will authorize client requests.
                    properties:
                      apiVersion:
                        description: |-
                          API version of the referent.
                          If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
                        minLength: 1
                        type: string
                      name:
                        description: |-
                          Name of the referent.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        minLength: 1
                        type: string
                      namespace:
                        description: |-
                          Namespace of the referent.
                          If this field is not specifies, the namespace of the resource that targets the referent will be used.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                        minLength: 1
                        type: string
                    type: object
                  failOpen:
                    description: |-
                      If FailOpen is true, the client request is forwarded to the upstream service
                      even if the authorization server fails to respond. This field should not be
                      set in most cases. It is intended for use only while migrating applications
                      from internal authorization to Contour external authorization.
                    type: boolean
                  responseTimeout:
                    description: |-
                      ResponseTimeout configures maximum time to wait for a check response from the authorization server.
                      Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
                      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
                      The string "infinity" is also a valid input and specifies no timeout.
                    pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                    type: string
                  withRequestBody:
                    description: WithRequestBody specifies configuration for sending
                      the client request's body to authorization server.
                    properties:
                      allowPartialMessage:
                        description: If AllowPartialMessage is true, then Envoy will
                          buffer the body until MaxRequestBytes are reached.
                        type: boolean
                      maxRequestBytes:
                        default: 1024
                        description: MaxRequestBytes sets the maximum size of message
                          body ExtAuthz filter will hold in-memory.
                        format: int32
                        minimum: 1
                        type: integer
                      packAsBytes:
                        description: If PackAsBytes is true, the body sent to Authorization
                          Server is in raw bytes.
                        type: boolean
                    type: object
                type: object
              health:
                description: |-
                  Health defines the endpoints Contour uses to serve health checks.
                  Contour's default is { address: "0.0.0.0", port: 8000 }.
                properties:
                  address:
                    description: Defines the health address interface.
                    minLength: 1
                    type: string
                  port:
                    description: Defines the health port.
                    type: integer
                type: object
              httpproxy:
                description: HTTPProxy defines parameters on HTTPProxy.
                properties:
                  disablePermitInsecure:
                    description: |-
                      DisablePermitInsecure disables the use of the
                      permitInsecure field in HTTPProxy.
                      Contour's default is false.
                    type: boolean
                  fallbackCertificate:
                    description: |-
                      FallbackCertificate defines the namespace/name of the Kubernetes secret to
                      use as fallback when a non-SNI request is received.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    - namespace
                    type: object
                  rootNamespaces:
                    description: Restrict Contour to searching these namespaces for
                      root ingress routes.
                    items:
                      type: string
                    type: array
                type: object
              ingress:
                description: Ingress contains parameters for ingress options.
                properties:
                  classNames:
                    description: Ingress Class Names Contour should use.
                    items:
                      type: string
                    type: array
                  statusAddress:
                    description: Address to set in Ingress object status.
                    type: string
                type: object
              metrics:
                description: |-
                  Metrics defines the endpoint Contour uses to serve metrics.
                  Contour's default is { address: "0.0.0.0", port: 8000 }.
                properties:
                  address:
                    description: Defines the metrics address interface.
                    maxLength: 253
                    minLength: 1
                    type: string
                  port:
                    description: Defines the metrics port.
                    type: integer
                  tls:
                    description: |-
                      TLS holds TLS file config details.
                      Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
                    properties:
                      caFile:
                        description: CA filename.
                        type: string
                      certFile:
                        description: Client certificate filename.
                        type: string
                      keyFile:
                        description: Client key filename.
                        type: string
                    type: object
                type: object
              policy:
                description: Policy specifies default policy applied if not overridden
                  by the user
                properties:
                  applyToIngress:
                    description: |-
                      ApplyToIngress determines if the Policies will apply to ingress objects
                      Contour's default is false.
                    type: boolean
                  requestHeaders:
                    description: RequestHeadersPolicy defines the request headers
                      set/removed on all routes
                    properties:
                      remove:
                        items:
                          type: string
                        type: array
                      set:
                        additionalProperties:
                          type: string
                        type: object
                    type: object
                  responseHeaders:
                    description: ResponseHeadersPolicy defines the response headers
                      set/removed on all routes
                    properties:
                      remove:
                        items:
                          type: string
                        type: array
                      set:
                        additionalProperties:
                          type: string
                        type: object
                    type: object
                type: object
              rateLimitService:
                description: |-
                  RateLimitService optionally holds properties of the Rate Limit Service
                  to be used for global rate limiting.
                properties:
                  defaultGlobalRateLimitPolicy:
                    description: |-
                      DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
                      HTTPProxy can overwrite this configuration.
                    properties:
                      descriptors:
                        description: |-
                          Descriptors defines the list of descriptors that will
                          be generated and sent to the rate limit service. Each
                          descriptor contains 1+ key-value pair entries.
                        items:
                          description: RateLimitDescriptor defines a list of key-value
                            pair generators.
                          properties:
                            entries:
                              description: Entries is the list of key-value pair generators.
                              items:
                                description: |-
                                  RateLimitDescriptorEntry is a key-value pair generator. Exactly
                                  one field on this struct must be non-nil.
                                properties:
                                  genericKey:
                                    description: GenericKey defines a descriptor entry
                                      with a static key and value.
                                    properties:
                                      key:
                                        description: |-
                                          Key defines the key of the descriptor entry. If not set, the
                                          key is set to "generic_key".
                                        type: string
                                      value:
                                        description: Value defines the value of the
                                          descriptor entry.
                                        minLength: 1
                                        type: string
                                    type: object
                                  remoteAddress:
                                    description: |-
                                      RemoteAddress defines a descriptor entry with a key of "remote_address"
                                      and a value equal to the client's IP address (from x-forwarded-for).
                                    type: object
                                  requestHeader:
                                    description: |-
                                      RequestHeader defines a descriptor entry that's populated only if
                                      a given header is present on the request. The descriptor key is static,
                                      and the descriptor value is equal to the value of the header.
                                    properties:
                                      descriptorKey:
                                        description: DescriptorKey defines the key
                                          to use on the descriptor entry.
                                        minLength: 1
                                        type: string
                                      headerName:
                                        description: HeaderName defines the name of
                                          the header to look for on the request.
                                        minLength: 1
                                        type: string
                                    type: object
                                  requestHeaderValueMatch:
                                    description: |-
                                      RequestHeaderValueMatch defines a descriptor entry that's populated
                                      if the request's headers match a set of 1+ match criteria. The
                                      descriptor key is "header_match", and the descriptor value is static.
                                    properties:
                                      expectMatch:
                                        default: true
                                        description: |-
                                          ExpectMatch defines whether the request must positively match the match
                                          criteria in order to generate a descriptor entry (i.e. true), or not
                                          match the match criteria in order to generate a descriptor entry (i.e. false).
                                          The default is true.
                                        type: boolean
                                      headers:
                                        description: |-
                                          Headers is a list of 1+ match criteria to apply against the request
                                          to determine whether to populate the descriptor entry or not.
                                        items:
                                          description: |-
                                            HeaderMatchCondition specifies how to conditionally match against HTTP
                                            headers. The Name field is required, only one of Present, NotPresent,
                                            Contains, NotContains, Exact, NotExact and Regex can be set.
                                            For negative matching rules only (e.g. NotContains or NotExact) you can set
                                            TreatMissingAsEmpty.
                                            IgnoreCase has no effect for Regex.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains specifies a substring that must be present in
                                                the header value.
                                              type: string
                                            exact:
                                              description: Exact specifies a string
                                                that the header value must be equal
                                                to.
                                              type: string
                                            ignoreCase:
                                              description: |-
                                                IgnoreCase specifies that string matching should be case insensitive.
                                                Note that this has no effect on the Regex parameter.
                                              type: boolean
                                            name:
                                              description: |-
                                                Name is the name of the header to match against. Name is required.
                                                Header names are case insensitive.
                                              type: string
                                            notcontains:
                                              description: |-
                                                NotContains specifies a substring that must not be present
                                                in the header value.
                                              type: string
                                            notexact:
                                              description: |-
                                                NoExact specifies a string that the header value must not be
                                                equal to. The condition is true if the header has any other value.
                                              type: string
                                            notpresent:
                                              description: |-
                                                NotPresent specifies that condition is true when the named header
                                                is not present. Note that setting NotPresent to false does not
                                                make the condition true if the named header is present.
                                              type: boolean
                                            present:
                                              description: |-
                                                Present specifies that condition is true when the named header
                                                is present, regardless of its value. Note that setting Present
                                                to false does not make the condition true if the named header
                                                is absent.
                                              type: boolean
                                            regex:
                                              description: |-
                                                Regex specifies a regular expression pattern that must match the header
                                                value.
                                              type: string
                                            treatMissingAsEmpty:
                                              description: |-
                                                TreatMissingAsEmpty specifies if the header match rule specified header
                                                does not exist, this header value will be treated as empty. Defaults to false.
                                                Unlike the underlying Envoy implementation this is **only** supported for
                                                negative matches (e.g. NotContains, NotExact).
                                              type: boolean
                                          required:
                                          - name
                                          type: object
                                        minItems: 1
                                        type: array
                                      value:
                                        description: Value defines the value of the
                                          descriptor entry.
                                        minLength: 1
                                        type: string
                                    type: object
                                type: object
                              minItems: 1
                              type: array
                          type: object
                        minItems: 1
                        type: array
                      disabled:
                        description: |-
                          Disabled configures the HTTPProxy to not use
                          the default global rate limit policy defined by the Contour configuration.
                        type: boolean
                    type: object
                  domain:
                    description: Domain is passed to the Rate Limit Service.
                    type: string
                  enableResourceExhaustedCode:
                    description: |-
                      EnableResourceExhaustedCode enables translating error code 429 to
                      grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
                    type: boolean
                  enableXRateLimitHeaders:
                    description: |-
                      EnableXRateLimitHeaders defines whether to include the X-RateLimit
                      headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
                      (as defined by the IETF Internet-Draft linked below), on responses
                      to clients when the Rate Limit Service is consulted for a request.
                      ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
                    type: boolean
                  extensionService:
                    description: ExtensionService identifies the extension service
                      defining the RLS.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    - namespace
                    type: object
                  failOpen:
                    description: |-
                      FailOpen defines whether to allow requests to proceed when the
                      Rate Limit Service fails to respond with a valid rate limit
                      decision within the timeout defined on the extension service.
                    type: boolean
                required:
                - extensionService
                type: object
              tracing:
                description: Tracing defines properties for exporting trace data to
                  OpenTelemetry.
                properties:
                  customTags:
                    description: CustomTags defines a list of custom tags with unique
                      tag name.
                    items:
                      description: |-
                        CustomTag defines custom tags with unique tag name
                        to create tags for the active span.
                      properties:
                        literal:
                          description: |-
                            Literal is a static custom tag value.
                            Precisely one of Literal, RequestHeaderName must be set.
                          type: string
                        requestHeaderName:
                          description: |-
                            RequestHeaderName indicates which request header
                            the label value is obtained from.
                            Precisely one of Literal, RequestHeaderName must be set.
                          type: string
                        tagName:
                          description: TagName is the unique name of the custom tag.
                          type: string
                      required:
                      - tagName
                      type: object
                    type: array
                  extensionService:
                    description: ExtensionService identifies the extension service
                      defining the otel-collector.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    - namespace
                    type: object
                  includePodDetail:
                    description: |-
                      IncludePodDetail defines a flag.
                      If it is true, contour will add the pod name and namespace to the span of the trace.
                      the default is true.
                      Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
                    type: boolean
                  maxPathTagLength:
                    description: |-
                      MaxPathTagLength defines maximum length of the request path
                      to extract and include in the HttpUrl tag.
                      contour's default is 256.
                    format: int32
                    type: integer
                  overallSampling:
                    description: |-
                      OverallSampling defines the sampling rate of trace data.
                      contour's default is 100.
                    type: string
                  serviceName:
                    description: |-
                      ServiceName defines the name for the service.
                      contour's default is contour.
                    type: string
                required:
                - extensionService
                type: object
              xdsServer:
                description: XDSServer contains parameters for the xDS server.
                properties:
                  address:
                    description: |-
                      Defines the xDS gRPC API address which Contour will serve.
                      Contour's default is "0.0.0.0".
                    minLength: 1
                    type: string
                  port:
                    description: |-
                      Defines the xDS gRPC API port which Contour will serve.
                      Contour's default is 8001.
                    type: integer
                  tls:
                    description: |-
                      TLS holds TLS file config details.
                      Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
                    properties:
                      caFile:
                        description: CA filename.
                        type: string
                      certFile:
                        description: Client certificate filename.
                        type: string
                      insecure:
                        description: Allow serving the xDS gRPC API without TLS.
                        type: boolean
                      keyFile:
                        description: Client key filename.
                        type: string
                    type: object
                  type:
                    description: |-
                      Defines the XDSServer to use for `contour serve`.
                      Values: `contour` (default), `envoy`.
                      Other values will produce an error.
                    type: string
                type: object
            type: object
          status:
            description: ContourConfigurationStatus defines the observed state of
              a ContourConfiguration resource.
            properties:
              conditions:
                description: |-
                  Conditions contains the current status of the Contour resource.
                  Contour will update a single condition, `Valid`, that is in normal-true polarity.
                  Contour will not modify any other Conditions set in this block,
                  in case some other controller wants to add a Condition.
                items:
                  description: |-
                    DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
                    fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
                    of the condition.
                    `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
                    `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
                    Remember that Conditions have a type, a status, and a reason.
                    The type is the type of the condition, the most important one in this CRD set is `Valid`.
                    `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
                    In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
                    `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
                    slice in this case.
                    `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
                    The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
                    slice if `status` is `false`.
                    For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
                    When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
                    When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
                    In either case, there may be entries in the `warnings` slice.
                    Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
                    (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
                    `MultipleReasons` if there is more than one entry.
                  properties:
                    errors:
                      description: |-
                        Errors contains a slice of relevant error subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
                        An empty slice here indicates no errors.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                    warnings:
                      description: |-
                        Warnings contains a slice of relevant warning subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
                        An empty slice here indicates no warnings.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: contourdeployments.projectcontour.io
spec:
  preserveUnknownFields: false
  group: projectcontour.io
  names:
    kind: ContourDeployment
    listKind: ContourDeploymentList
    plural: contourdeployments
    shortNames:
    - contourdeploy
    singular: contourdeployment
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ContourDeployment is the schema for a Contour Deployment.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              ContourDeploymentSpec specifies options for how a Contour
              instance should be provisioned.
            properties:
              contour:
                description: |-
                  Contour specifies deployment-time settings for the Contour
                  part of the installation, i.e. the xDS server/control plane
                  and associated resources, including things like replica count
                  for the Deployment, and node placement constraints for the pods.
                properties:
                  deployment:
                    description: Deployment describes the settings for running contour
                      as a `Deployment`.
                    properties:
                      replicas:
                        description: Replicas is the desired number of replicas.
                        format: int32
                        minimum: 0
                        type: integer
                      strategy:
                        description: Strategy describes the deployment strategy to
                          use to replace existing pods with new pods.
                        properties:
                          rollingUpdate:
                            description: |-
                              Rolling update config params. Present only if DeploymentStrategyType =
                              RollingUpdate.
                              ---
                              TODO: Update this to follow our convention for oneOf, whatever we decide it
                              to be.
                            properties:
                              maxSurge:
                                anyOf:
                                - type: integer
                                - type: string
                                description: |-
                                  The maximum number of pods that can be scheduled above the desired number of
                                  pods.
                                  Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
                                  This can not be 0 if MaxUnavailable is 0.
                                  Absolute number is calculated from percentage by rounding up.
                                  Defaults to 25%.
                                  Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
                                  the rolling update starts, such that the total number of old and new pods do not exceed
                                  130% of desired pods. Once old pods have been killed,
                                  new ReplicaSet can be scaled up further, ensuring that total number of pods running
                                  at any time during the update is at most 130% of desired pods.
                                x-kubernetes-int-or-string: true
                              maxUnavailable:
                                anyOf:
                                - type: integer
                                - type: string
                                description: |-
                                  The maximum number of pods that can be unavailable during the update.
                                  Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
                                  Absolute number is calculated from percentage by rounding down.
                                  This can not be 0 if MaxSurge is 0.
                                  Defaults to 25%.
                                  Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
                                  immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
                                  can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
                                  that the total number of pods available at all times during the update is at
                                  least 70% of desired pods.
                                x-kubernetes-int-or-string: true
                            type: object
                          type:
                            description: Type of deployment. Can be "Recreate" or
                              "RollingUpdate". Default is RollingUpdate.
                            type: string
                        type: object
                    type: object
                  disabledFeatures:
                    description: |-
                      DisabledFeatures defines an array of resources that will be ignored by
                      contour reconciler.
                    items:
                      enum:
                      - grpcroutes
                      - tlsroutes
                      - extensionservices
                      - backendtlspolicies
                      type: string
                    maxItems: 42
                    minItems: 1
                    type: array
                  kubernetesLogLevel:
                    description: |-
                      KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset,
                      defaults to 0.
                    maximum: 9
                    minimum: 0
                    type: integer
                  logLevel:
                    description: |-
                      LogLevel sets the log level for Contour
                      Allowed values are "info", "debug".
                    type: string
                  nodePlacement:
                    description: NodePlacement describes node scheduling configuration
                      of Contour pods.
                    properties:
                      nodeSelector:
                        additionalProperties:
                          type: string
                        description: |-
                          NodeSelector is the simplest recommended form of node selection constraint
                          and specifies a map of key-value pairs. For the pod to be eligible
                          to run on a node, the node must have each of the indicated key-value pairs
                          as labels (it can have additional labels as well).
                          If unset, the pod(s) will be scheduled to any available node.
                        type: object
                      tolerations:
                        description: |-
                          Tolerations work with taints to ensure that pods are not scheduled
                          onto inappropriate nodes. One or more taints are applied to a node; this
                          marks that the node should not accept any pods that do not tolerate the
                          taints.
                          The default is an empty list.
                          See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
                          for additional details.
                        items:
                          description: |-
                            The pod this Toleration is attached to tolerates any taint that matches
                            the triple <key,value,effect> using the matching operator <operator>.
                          properties:
                            effect:
                              description: |-
                                Effect indicates the taint effect to match. Empty means match all taint effects.
                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
                              type: string
                            key:
                              description: |-
                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                              type: string
                            operator:
                              description: |-
                                Operator represents a key's relationship to the value.
                                Valid operators are Exists and Equal. Defaults to Equal.
                                Exists is equivalent to wildcard for value, so that a pod can
                                tolerate all taints of a particular category.
                              type: string
                            tolerationSeconds:
                              description: |-
                                TolerationSeconds represents the period of time the toleration (which must be
                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
                                it is not set, which means tolerate the taint forever (do not evict). Zero and
                                negative values will be treated as 0 (evict immediately) by the system.
                              format: int64
                              type: integer
                            value:
                              description: |-
                                Value is the taint value the toleration matches to.
                                If the operator is Exists, the value should be empty, otherwise just a regular string.
                              type: string
                          type: object
                        type: array
                    type: object
                  podAnnotations:
                    additionalProperties:
                      type: string
                    description: |-
                      PodAnnotations defines annotations to add to the Contour pods.
                      the annotations for Prometheus will be appended or overwritten with predefined value.
                    type: object
                  replicas:
                    description: |-
                      Deprecated: Use `DeploymentSettings.Replicas` instead.
                      Replicas is the desired number of Contour replicas. If if unset,
                      defaults to 2.
                      if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
                    format: int32
                    minimum: 0
                    type: integer
                  resources:
                    description: |-
                      Compute Resources required by contour container.
                      Cannot be updated.
                      More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                    properties:
                      claims:
                        description: |-
                          Claims lists the names of resources, defined in spec.resourceClaims,
                          that are used by this container.
                          This is an alpha field and requires enabling the
                          DynamicResourceAllocation feature gate.
                          This field is immutable. It can only be set for containers.
                        items:
                          description: ResourceClaim references one entry in PodSpec.ResourceClaims.
                          properties:
                            name:
                              description: |-
                                Name must match the name of one entry in pod.spec.resourceClaims of
                                the Pod where this field is used. It makes that resource available
                                inside a container.
                              type: string
                          required:
                          - name
                          type: object
                        type: array
                        x-kubernetes-list-map-keys:
                        - name
                        x-kubernetes-list-type: map
                      limits:
                        additionalProperties:
                          anyOf:
                          - type: integer
                          - type: string
                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                          x-kubernetes-int-or-string: true
                        description: |-
                          Limits describes the maximum amount of compute resources allowed.
                          More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                        type: object
                      requests:
                        additionalProperties:
                          anyOf:
                          - type: integer
                          - type: string
                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                          x-kubernetes-int-or-string: true
                        description: |-
                          Requests describes the minimum amount of compute resources required.
                          If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
                          otherwise to an implementation-defined value. Requests cannot exceed Limits.
                          More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                        type: object
                    type: object
                  watchNamespaces:
                    description: |-
                      WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance
                      to only watch this subset of namespaces.
                    items:
                      description: |-
                        Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.
                        This validation is based off of the corresponding Kubernetes validation:
                        https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187
                        This is used for Namespace name validation here:
                        https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63
                        Valid values include:
                        * "example"
                        Invalid values include:
                        * "example.com" - "." is an invalid character
                      maxLength: 63
                      minLength: 1
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    maxItems: 42
                    minItems: 1
                    type: array
                type: object
              envoy:
                description: |-
                  Envoy specifies deployment-time settings for the Envoy
                  part of the installation, i.e. the xDS client/data plane
                  and associated resources, including things like the workload
                  type to use (DaemonSet or Deployment), node placement constraints
                  for the pods, and various options for the Envoy service.
                properties:
                  baseID:
                    description: |-
                      The base ID to use when allocating shared memory regions.
                      if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID
                      so that the shared memory regions do not conflict.
                      defaults to 0.
                    format: int32
                    minimum: 0
                    type: integer
                  daemonSet:
                    description: |-
                      DaemonSet describes the settings for running envoy as a `DaemonSet`.
                      if `WorkloadType` is `Deployment`,it's must be nil
                    properties:
                      updateStrategy:
                        description: Strategy describes the deployment strategy to
                          use to replace existing DaemonSet pods with new pods.
                        properties:
                          rollingUpdate:
                            description: |-
                              Rolling update config params. Present only if type = "RollingUpdate".
                              ---
                              TODO: Update this to follow our convention for oneOf, whatever we decide it
                              to be. Same as Deployment `strategy.rollingUpdate`.
                              See https://github.com/kubernetes/kubernetes/issues/35345
                            properties:
                              maxSurge:
                                anyOf:
                                - type: integer
                                - type: string
                                description: |-
                                  The maximum number of nodes with an existing available DaemonSet pod that
                                  can have an updated DaemonSet pod during during an update.
                                  Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
                                  This can not be 0 if MaxUnavailable is 0.
                                  Absolute number is calculated from percentage by rounding up to a minimum of 1.
                                  Default value is 0.
                                  Example: when this is set to 30%, at most 30% of the total number of nodes
                                  that should be running the daemon pod (i.e. status.desiredNumberScheduled)
                                  can have their a new pod created before the old pod is marked as deleted.
                                  The update starts by launching new pods on 30% of nodes. Once an updated
                                  pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
                                  on that node is marked deleted. If the old pod becomes unavailable for any
                                  reason (Ready transitions to false, is evicted, or is drained) an updated
                                  pod is immediatedly created on that node without considering surge limits.
                                  Allowing surge implies the possibility that the resources consumed by the
                                  daemonset on any given node can double if the readiness check fails, and
                                  so resource intensive daemonsets should take into account that they may
                                  cause evictions during disruption.
                                x-kubernetes-int-or-string: true
                              maxUnavailable:
                                anyOf:
                                - type: integer
                                - type: string
                                description: |-
                                  The maximum number of DaemonSet pods that can be unavailable during the
                                  update. Value can be an absolute number (ex: 5) or a percentage of total
                                  number of DaemonSet pods at the start of the update (ex: 10%). Absolute
                                  number is calculated from percentage by rounding up.
                                  This cannot be 0 if MaxSurge is 0
                                  Default value is 1.
                                  Example: when this is set to 30%, at most 30% of the total number of nodes
                                  that should be running the daemon pod (i.e. status.desiredNumberScheduled)
                                  can have their pods stopped for an update at any given time. The update
                                  starts by stopping at most 30% of those DaemonSet pods and then brings
                                  up new DaemonSet pods in their place. Once the new pods are available,
                                  it then proceeds onto other DaemonSet pods, thus ensuring that at least
                                  70% of original number of DaemonSet pods are available at all times during
                                  the update.
                                x-kubernetes-int-or-string: true
                            type: object
                          type:
                            description: Type of daemon set update. Can be "RollingUpdate"
                              or "OnDelete". Default is RollingUpdate.
                            type: string
                        type: object
                    type: object
                  deployment:
                    description: |-
                      Deployment describes the settings for running envoy as a `Deployment`.
                      if `WorkloadType` is `DaemonSet`,it's must be nil
                    properties:
                      replicas:
                        description: Replicas is the desired number of replicas.
                        format: int32
                        minimum: 0
                        type: integer
                      strategy:
                        description: Strategy describes the deployment strategy to
                          use to replace existing pods with new pods.
                        properties:
                          rollingUpdate:
                            description: |-
                              Rolling update config params. Present only if DeploymentStrategyType =
                              RollingUpdate.
                              ---
                              TODO: Update this to follow our convention for oneOf, whatever we decide it
                              to be.
                            properties:
                              maxSurge:
                                anyOf:
                                - type: integer
                                - type: string
                                description: |-
                                  The maximum number of pods that can be scheduled above the desired number of
                                  pods.
                                  Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
                                  This can not be 0 if MaxUnavailable is 0.
                                  Absolute number is calculated from percentage by rounding up.
                                  Defaults to 25%.
                                  Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
                                  the rolling update starts, such that the total number of old and new pods do not exceed
                                  130% of desired pods. Once old pods have been killed,
                                  new ReplicaSet can be scaled up further, ensuring that total number of pods running
                                  at any time during the update is at most 130% of desired pods.
                                x-kubernetes-int-or-string: true
                              maxUnavailable:
                                anyOf:
                                - type: integer
                                - type: string
                                description: |-
                                  The maximum number of pods that can be unavailable during the update.
                                  Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
                                  Absolute number is calculated from percentage by rounding down.
                                  This can not be 0 if MaxSurge is 0.
                                  Defaults to 25%.
                                  Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
                                  immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
                                  can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
                                  that the total number of pods available at all times during the update is at
                                  least 70% of desired pods.
                                x-kubernetes-int-or-string: true
                            type: object
                          type:
                            description: Type of deployment. Can be "Recreate" or
                              "RollingUpdate". Default is RollingUpdate.
                            type: string
                        type: object
                    type: object
                  extraVolumeMounts:
                    description: ExtraVolumeMounts holds the extra volume mounts to
                      add (normally used with extraVolumes).
                    items:
                      description: VolumeMount describes a mounting of a Volume within
                        a container.
                      properties:
                        mountPath:
                          description: |-
                            Path within the container at which the volume should be mounted.  Must
                            not contain ':'.
                          type: string
                        mountPropagation:
                          description: |-
                            mountPropagation determines how mounts are propagated from the host
                            to container and the other way around.
                            When not set, MountPropagationNone is used.
                            This field is beta in 1.10.
                          type: string
                        name:
                          description: This must match the Name of a Volume.
                          type: string
                        readOnly:
                          description: |-
                            Mounted read-only if true, read-write otherwise (false or unspecified).
                            Defaults to false.
                          type: boolean
                        subPath:
                          description: |-
                            Path within the volume from which the container's volume should be mounted.
                            Defaults to "" (volume's root).
                          type: string
                        subPathExpr:
                          description: |-
                            Expanded path within the volume from which the container's volume should be mounted.
                            Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
                            Defaults to "" (volume's root).
                            SubPathExpr and SubPath are mutually exclusive.
                          type: string
                      required:
                      - mountPath
                      - name
                      type: object
                    type: array
                  extraVolumes:
                    description: ExtraVolumes holds the extra volumes to add.
                    items:
                      description: Volume represents a named volume in a pod that
                        may be accessed by any container in the pod.
                      properties:
                        awsElasticBlockStore:
                          description: |-
                            awsElasticBlockStore represents an AWS Disk resource that is attached to a
                            kubelet's host machine and then exposed to the pod.
                            More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                          properties:
                            fsType:
                              description: |-
                                fsType is the filesystem type of the volume that you want to mount.
                                Tip: Ensure that the filesystem type is supported by the host operating system.
                                Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                TODO: how do we prevent errors in the filesystem from compromising the machine
                              type: string
                            partition:
                              description: |-
                                partition is the partition in the volume that you want to mount.
                                If omitted, the default is to mount by volume name.
                                Examples: For volume /dev/sda1, you specify the partition as "1".
                                Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
                              format: int32
                              type: integer
                            readOnly:
                              description: |-
                                readOnly value true will force the readOnly setting in VolumeMounts.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                              type: boolean
                            volumeID:
                              description: |-
                                volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                              type: string
                          required:
                          - volumeID
                          type: object
                        azureDisk:
                          description: azureDisk represents an Azure Data Disk mount
                            on the host and bind mount to the pod.
                          properties:
                            cachingMode:
                              description: 'cachingMode is the Host Caching mode:
                                None, Read Only, Read Write.'
                              type: string
                            diskName:
                              description: diskName is the Name of the data disk in
                                the blob storage
                              type: string
                            diskURI:
                              description: diskURI is the URI of data disk in the
                                blob storage
                              type: string
                            fsType:
                              description: |-
                                fsType is Filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                              type: string
                            kind:
                              description: 'kind expected values are Shared: multiple
                                blob disks per storage account  Dedicated: single
                                blob disk per storage account  Managed: azure managed
                                data disk (only in managed availability set). defaults
                                to shared'
                              type: string
                            readOnly:
                              description: |-
                                readOnly Defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                              type: boolean
                          required:
                          - diskName
                          - diskURI
                          type: object
                        azureFile:
                          description: azureFile represents an Azure File Service
                            mount on the host and bind mount to the pod.
                          properties:
                            readOnly:
                              description: |-
                                readOnly defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                              type: boolean
                            secretName:
                              description: secretName is the  name of secret that
                                contains Azure Storage Account Name and Key
                              type: string
                            shareName:
                              description: shareName is the azure share Name
                              type: string
                          required:
                          - secretName
                          - shareName
                          type: object
                        cephfs:
                          description: cephFS represents a Ceph FS mount on the host
                            that shares a pod's lifetime
                          properties:
                            monitors:
                              description: |-
                                monitors is Required: Monitors is a collection of Ceph monitors
                                More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                              items:
                                type: string
                              type: array
                            path:
                              description: 'path is Optional: Used as the mounted
                                root, rather than the full Ceph tree, default is /'
                              type: string
                            readOnly:
                              description: |-
                                readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                                More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                              type: boolean
                            secretFile:
                              description: |-
                                secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
                                More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                              type: string
                            secretRef:
                              description: |-
                                secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
                                More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            user:
                              description: |-
                                user is optional: User is the rados user name, default is admin
                                More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                              type: string
                          required:
                          - monitors
                          type: object
                        cinder:
                          description: |-
                            cinder represents a cinder volume attached and mounted on kubelets host machine.
                            More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                          properties:
                            fsType:
                              description: |-
                                fsType is the filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                              type: string
                            readOnly:
                              description: |-
                                readOnly defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                                More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                              type: boolean
                            secretRef:
                              description: |-
                                secretRef is optional: points to a secret object containing parameters used to connect
                                to OpenStack.
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            volumeID:
                              description: |-
                                volumeID used to identify the volume in cinder.
                                More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                              type: string
                          required:
                          - volumeID
                          type: object
                        configMap:
                          description: configMap represents a configMap that should
                            populate this volume
                          properties:
                            defaultMode:
                              description: |-
                                defaultMode is optional: mode bits used to set permissions on created files by default.
                                Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                Defaults to 0644.
                                Directories within the path are not affected by this setting.
                                This might be in conflict with other options that affect the file
                                mode, like fsGroup, and the result can be other mode bits set.
                              format: int32
                              type: integer
                            items:
                              description: |-
                                items if unspecified, each key-value pair in the Data field of the referenced
                                ConfigMap will be projected into the volume as a file whose name is the
                                key and content is the value. If specified, the listed keys will be
                                projected into the specified paths, and unlisted keys will not be
                                present. If a key is specified which is not present in the ConfigMap,
                                the volume setup will error unless it is marked optional. Paths must be
                                relative and may not contain the '..' path or start with '..'.
                              items:
                                description: Maps a string key to a path within a
                                  volume.
                                properties:
                                  key:
                                    description: key is the key to project.
                                    type: string
                                  mode:
                                    description: |-
                                      mode is Optional: mode bits used to set permissions on this file.
                                      Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                      YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                      If not specified, the volume defaultMode will be used.
                                      This might be in conflict with other options that affect the file
                                      mode, like fsGroup, and the result can be other mode bits set.
                                    format: int32
                                    type: integer
                                  path:
                                    description: |-
                                      path is the relative path of the file to map the key to.
                                      May not be an absolute path.
                                      May not contain the path element '..'.
                                      May not start with the string '..'.
                                    type: string
                                required:
                                - key
                                - path
                                type: object
                              type: array
                            name:
                              description: |-
                                Name of the referent.
                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?
                              type: string
                            optional:
                              description: optional specify whether the ConfigMap
                                or its keys must be defined
                              type: boolean
                          type: object
                          x-kubernetes-map-type: atomic
                        csi:
                          description: csi (Container Storage Interface) represents
                            ephemeral storage that is handled by certain external
                            CSI drivers (Beta feature).
                          properties:
                            driver:
                              description: |-
                                driver is the name of the CSI driver that handles this volume.
                                Consult with your admin for the correct name as registered in the cluster.
                              type: string
                            fsType:
                              description: |-
                                fsType to mount. Ex. "ext4", "xfs", "ntfs".
                                If not provided, the empty value is passed to the associated CSI driver
                                which will determine the default filesystem to apply.
                              type: string
                            nodePublishSecretRef:
                              description: |-
                                nodePublishSecretRef is a reference to the secret object containing
                                sensitive information to pass to the CSI driver to complete the CSI
                                NodePublishVolume and NodeUnpublishVolume calls.
                                This field is optional, and  may be empty if no secret is required. If the
                                secret object contains more than one secret, all secret references are passed.
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            readOnly:
                              description: |-
                                readOnly specifies a read-only configuration for the volume.
                                Defaults to false (read/write).
                              type: boolean
                            volumeAttributes:
                              additionalProperties:
                                type: string
                              description: |-
                                volumeAttributes stores driver-specific properties that are passed to the CSI
                                driver. Consult your driver's documentation for supported values.
                              type: object
                          required:
                          - driver
                          type: object
                        downwardAPI:
                          description: downwardAPI represents downward API about the
                            pod that should populate this volume
                          properties:
                            defaultMode:
                              description: |-
                                Optional: mode bits to use on created files by default. Must be a
                                Optional: mode bits used to set permissions on created files by default.
                                Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                Defaults to 0644.
                                Directories within the path are not affected by this setting.
                                This might be in conflict with other options that affect the file
                                mode, like fsGroup, and the result can be other mode bits set.
                              format: int32
                              type: integer
                            items:
                              description: Items is a list of downward API volume
                                file
                              items:
                                description: DownwardAPIVolumeFile represents information
                                  to create the file containing the pod field
                                properties:
                                  fieldRef:
                                    description: 'Required: Selects a field of the
                                      pod: only annotations, labels, name and namespace
                                      are supported.'
                                    properties:
                                      apiVersion:
                                        description: Version of the schema the FieldPath
                                          is written in terms of, defaults to "v1".
                                        type: string
                                      fieldPath:
                                        description: Path of the field to select in
                                          the specified API version.
                                        type: string
                                    required:
                                    - fieldPath
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  mode:
                                    description: |-
                                      Optional: mode bits used to set permissions on this file, must be an octal value
                                      between 0000 and 0777 or a decimal value between 0 and 511.
                                      YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                      If not specified, the volume defaultMode will be used.
                                      This might be in conflict with other options that affect the file
                                      mode, like fsGroup, and the result can be other mode bits set.
                                    format: int32
                                    type: integer
                                  path:
                                    description: 'Required: Path is  the relative
                                      path name of the file to be created. Must not
                                      be absolute or contain the ''..'' path. Must
                                      be utf-8 encoded. The first item of the relative
                                      path must not start with ''..'''
                                    type: string
                                  resourceFieldRef:
                                    description: |-
                                      Selects a resource of the container: only resources limits and requests
                                      (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
                                    properties:
                                      containerName:
                                        description: 'Container name: required for
                                          volumes, optional for env vars'
                                        type: string
                                      divisor:
                                        anyOf:
                                        - type: integer
                                        - type: string
                                        description: Specifies the output format of
                                          the exposed resources, defaults to "1"
                                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                        x-kubernetes-int-or-string: true
                                      resource:
                                        description: 'Required: resource to select'
                                        type: string
                                    required:
                                    - resource
                                    type: object
                                    x-kubernetes-map-type: atomic
                                required:
                                - path
                                type: object
                              type: array
                          type: object
                        emptyDir:
                          description: |-
                            emptyDir represents a temporary directory that shares a pod's lifetime.
                            More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
                          properties:
                            medium:
                              description: |-
                                medium represents what type of storage medium should back this directory.
                                The default is "" which means to use the node's default medium.
                                Must be an empty string (default) or Memory.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
                              type: string
                            sizeLimit:
                              anyOf:
                              - type: integer
                              - type: string
                              description: |-
                                sizeLimit is the total amount of local storage required for this EmptyDir volume.
                                The size limit is also applicable for memory medium.
                                The maximum usage on memory medium EmptyDir would be the minimum value between
                                the SizeLimit specified here and the sum of memory limits of all containers in a pod.
                                The default is nil which means that the limit is undefined.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                              x-kubernetes-int-or-string: true
                          type: object
                        ephemeral:
                          description: |-
                            ephemeral represents a volume that is handled by a cluster storage driver.
                            The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                            and deleted when the pod is removed.
                            Use this if:
                            a) the volume is only needed while the pod runs,
                            b) features of normal volumes like restoring from snapshot or capacity
                               tracking are needed,
                            c) the storage driver is specified through a storage class, and
                            d) the storage driver supports dynamic volume provisioning through
                               a PersistentVolumeClaim (see EphemeralVolumeSource for more
                               information on the connection between this volume type
                               and PersistentVolumeClaim).
                            Use PersistentVolumeClaim or one of the vendor-specific
                            APIs for volumes that persist for longer than the lifecycle
                            of an individual pod.
                            Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                            be used that way - see the documentation of the driver for
                            more information.
                            A pod can use both types of ephemeral volumes and
                            persistent volumes at the same time.
                          properties:
                            volumeClaimTemplate:
                              description: |-
                                Will be used to create a stand-alone PVC to provision the volume.
                                The pod in which this EphemeralVolumeSource is embedded will be the
                                owner of the PVC, i.e. the PVC will be deleted together with the
                                pod.  The name of the PVC will be `<pod name>-<volume name>` where
                                `<volume name>` is the name from the `PodSpec.Volumes` array
                                entry. Pod validation will reject the pod if the concatenated name
                                is not valid for a PVC (for example, too long).
                                An existing PVC with that name that is not owned by the pod
                                will *not* be used for the pod to avoid using an unrelated
                                volume by mistake. Starting the pod is then blocked until
                                the unrelated PVC is removed. If such a pre-created PVC is
                                meant to be used by the pod, the PVC has to updated with an
                                owner reference to the pod once the pod exists. Normally
                                this should not be necessary, but it may be useful when
                                manually reconstructing a broken cluster.
                                This field is read-only and no changes will be made by Kubernetes
                                to the PVC after it has been created.
                                Required, must not be nil.
                              properties:
                                metadata:
                                  description: |-
                                    May contain labels and annotations that will be copied into the PVC
                                    when creating it. No other fields are allowed and will be rejected during
                                    validation.
                                  type: object
                                spec:
                                  description: |-
                                    The specification for the PersistentVolumeClaim. The entire content is
                                    copied unchanged into the PVC that gets created from this
                                    template. The same fields as in a PersistentVolumeClaim
                                    are also valid here.
                                  properties:
                                    accessModes:
                                      description: |-
                                        accessModes contains the desired access modes the volume should have.
                                        More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
                                      items:
                                        type: string
                                      type: array
                                    dataSource:
                                      description: |-
                                        dataSource field can be used to specify either:
                                        * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
                                        * An existing PVC (PersistentVolumeClaim)
                                        If the provisioner or an external controller can support the specified data source,
                                        it will create a new volume based on the contents of the specified data source.
                                        When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
                                        and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
                                        If the namespace is specified, then dataSourceRef will not be copied to dataSource.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup is the group for the resource being referenced.
                                            If APIGroup is not specified, the specified Kind must be in the core API group.
                                            For any other third-party types, APIGroup is required.
                                          type: string
                                        kind:
                                          description: Kind is the type of resource
                                            being referenced
                                          type: string
                                        name:
                                          description: Name is the name of resource
                                            being referenced
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    dataSourceRef:
                                      description: |-
                                        dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
                                        volume is desired. This may be any object from a non-empty API group (non
                                        core object) or a PersistentVolumeClaim object.
                                        When this field is specified, volume binding will only succeed if the type of
                                        the specified object matches some installed volume populator or dynamic
                                        provisioner.
                                        This field will replace the functionality of the dataSource field and as such
                                        if both fields are non-empty, they must have the same value. For backwards
                                        compatibility, when namespace isn't specified in dataSourceRef,
                                        both fields (dataSource and dataSourceRef) will be set to the same
                                        value automatically if one of them is empty and the other is non-empty.
                                        When namespace is specified in dataSourceRef,
                                        dataSource isn't set to the same value and must be empty.
                                        There are three important differences between dataSource and dataSourceRef:
                                        * While dataSource only allows two specific types of objects, dataSourceRef
                                          allows any non-core object, as well as PersistentVolumeClaim objects.
                                        * While dataSource ignores disallowed values (dropping them), dataSourceRef
                                          preserves all values, and generates an error if a disallowed value is
                                          specified.
                                        * While dataSource only allows local objects, dataSourceRef allows objects
                                          in any namespaces.
                                        (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
                                        (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup is the group for the resource being referenced.
                                            If APIGroup is not specified, the specified Kind must be in the core API group.
                                            For any other third-party types, APIGroup is required.
                                          type: string
                                        kind:
                                          description: Kind is the type of resource
                                            being referenced
                                          type: string
                                        name:
                                          description: Name is the name of resource
                                            being referenced
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace is the namespace of resource being referenced
                                            Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
                                            (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                    resources:
                                      description: |-
                                        resources represents the minimum resources the volume should have.
                                        If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
                                        that are lower than previous value but must still be higher than capacity recorded in the
                                        status field of the claim.
                                        More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                      properties:
                                        limits:
                                          additionalProperties:
                                            anyOf:
                                            - type: integer
                                            - type: string
                                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                            x-kubernetes-int-or-string: true
                                          description: |-
                                            Limits describes the maximum amount of compute resources allowed.
                                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                                          type: object
                                        requests:
                                          additionalProperties:
                                            anyOf:
                                            - type: integer
                                            - type: string
                                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                            x-kubernetes-int-or-string: true
                                          description: |-
                                            Requests describes the minimum amount of compute resources required.
                                            If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
                                            otherwise to an implementation-defined value. Requests cannot exceed Limits.
                                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                                          type: object
                                      type: object
                                    selector:
                                      description: selector is a label query over
                                        volumes to consider for binding.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list
                                            of label selector requirements. The requirements
                                            are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key
                                                  that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    storageClassName:
                                      description: |-
                                        storageClassName is the name of the StorageClass required by the claim.
                                        More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                      type: string
                                    volumeAttributesClassName:
                                      description: |-
                                        volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                        If specified, the CSI driver will create or update the volume with the attributes defined
                                        in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
                                        it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
                                        will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
                                        If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
                                        will be set by the persistentvolume controller if it exists.
                                        If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                        set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                        exists.
                                        More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
                                        (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
                                      type: string
                                    volumeMode:
                                      description: |-
                                        volumeMode defines what type of volume is required by the claim.
                                        Value of Filesystem is implied when not included in claim spec.
                                      type: string
                                    volumeName:
                                      description: volumeName is the binding reference
                                        to the PersistentVolume backing this claim.
                                      type: string
                                  type: object
                              required:
                              - spec
                              type: object
                          type: object
                        fc:
                          description: fc represents a Fibre Channel resource that
                            is attached to a kubelet's host machine and then exposed
                            to the pod.
                          properties:
                            fsType:
                              description: |-
                                fsType is the filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                TODO: how do we prevent errors in the filesystem from compromising the machine
                              type: string
                            lun:
                              description: 'lun is Optional: FC target lun number'
                              format: int32
                              type: integer
                            readOnly:
                              description: |-
                                readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                              type: boolean
                            targetWWNs:
                              description: 'targetWWNs is Optional: FC target worldwide
                                names (WWNs)'
                              items:
                                type: string
                              type: array
                            wwids:
                              description: |-
                                wwids Optional: FC volume world wide identifiers (wwids)
                                Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
                              items:
                                type: string
                              type: array
                          type: object
                        flexVolume:
                          description: |-
                            flexVolume represents a generic volume resource that is
                            provisioned/attached using an exec based plugin.
                          properties:
                            driver:
                              description: driver is the name of the driver to use
                                for this volume.
                              type: string
                            fsType:
                              description: |-
                                fsType is the filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
                              type: string
                            options:
                              additionalProperties:
                                type: string
                              description: 'options is Optional: this field holds
                                extra command options if any.'
                              type: object
                            readOnly:
                              description: |-
                                readOnly is Optional: defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                              type: boolean
                            secretRef:
                              description: |-
                                secretRef is Optional: secretRef is reference to the secret object containing
                                sensitive information to pass to the plugin scripts. This may be
                                empty if no secret object is specified. If the secret object
                                contains more than one secret, all secrets are passed to the plugin
                                scripts.
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                          required:
                          - driver
                          type: object
                        flocker:
                          description: flocker represents a Flocker volume attached
                            to a kubelet's host machine. This depends on the Flocker
                            control service being running
                          properties:
                            datasetName:
                              description: |-
                                datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
                                should be considered as deprecated
                              type: string
                            datasetUUID:
                              description: datasetUUID is the UUID of the dataset.
                                This is unique identifier of a Flocker dataset
                              type: string
                          type: object
                        gcePersistentDisk:
                          description: |-
                            gcePersistentDisk represents a GCE Disk resource that is attached to a
                            kubelet's host machine and then exposed to the pod.
                            More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                          properties:
                            fsType:
                              description: |-
                                fsType is filesystem type of the volume that you want to mount.
                                Tip: Ensure that the filesystem type is supported by the host operating system.
                                Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                TODO: how do we prevent errors in the filesystem from compromising the machine
                              type: string
                            partition:
                              description: |-
                                partition is the partition in the volume that you want to mount.
                                If omitted, the default is to mount by volume name.
                                Examples: For volume /dev/sda1, you specify the partition as "1".
                                Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                              format: int32
                              type: integer
                            pdName:
                              description: |-
                                pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                              type: string
                            readOnly:
                              description: |-
                                readOnly here will force the ReadOnly setting in VolumeMounts.
                                Defaults to false.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                              type: boolean
                          required:
                          - pdName
                          type: object
                        gitRepo:
                          description: |-
                            gitRepo represents a git repository at a particular revision.
                            DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
                            EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                            into the Pod's container.
                          properties:
                            directory:
                              description: |-
                                directory is the target directory name.
                                Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
                                git repository.  Otherwise, if specified, the volume will contain the git repository in
                                the subdirectory with the given name.
                              type: string
                            repository:
                              description: repository is the URL
                              type: string
                            revision:
                              description: revision is the commit hash for the specified
                                revision.
                              type: string
                          required:
                          - repository
                          type: object
                        glusterfs:
                          description: |-
                            glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                            More info: https://examples.k8s.io/volumes/glusterfs/README.md
                          properties:
                            endpoints:
                              description: |-
                                endpoints is the endpoint name that details Glusterfs topology.
                                More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
                              type: string
                            path:
                              description: |-
                                path is the Glusterfs volume path.
                                More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
                              type: string
                            readOnly:
                              description: |-
                                readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
                                Defaults to false.
                                More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
                              type: boolean
                          required:
                          - endpoints
                          - path
                          type: object
                        hostPath:
                          description: |-
                            hostPath represents a pre-existing file or directory on the host
                            machine that is directly exposed to the container. This is generally
                            used for system agents or other privileged things that are allowed
                            to see the host machine. Most containers will NOT need this.
                            More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
                            ---
                            TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
                            mount host directories as read/write.
                          properties:
                            path:
                              description: |-
                                path of the directory on the host.
                                If the path is a symlink, it will follow the link to the real path.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
                              type: string
                            type:
                              description: |-
                                type for HostPath Volume
                                Defaults to ""
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
                              type: string
                          required:
                          - path
                          type: object
                        iscsi:
                          description: |-
                            iscsi represents an ISCSI Disk resource that is attached to a
                            kubelet's host machine and then exposed to the pod.
                            More info: https://examples.k8s.io/volumes/iscsi/README.md
                          properties:
                            chapAuthDiscovery:
                              description: chapAuthDiscovery defines whether support
                                iSCSI Discovery CHAP authentication
                              type: boolean
                            chapAuthSession:
                              description: chapAuthSession defines whether support
                                iSCSI Session CHAP authentication
                              type: boolean
                            fsType:
                              description: |-
                                fsType is the filesystem type of the volume that you want to mount.
                                Tip: Ensure that the filesystem type is supported by the host operating system.
                                Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
                                TODO: how do we prevent errors in the filesystem from compromising the machine
                              type: string
                            initiatorName:
                              description: |-
                                initiatorName is the custom iSCSI Initiator Name.
                                If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
                                <target portal>:<volume name> will be created for the connection.
                              type: string
                            iqn:
                              description: iqn is the target iSCSI Qualified Name.
                              type: string
                            iscsiInterface:
                              description: |-
                                iscsiInterface is the interface Name that uses an iSCSI transport.
                                Defaults to 'default' (tcp).
                              type: string
                            lun:
                              description: lun represents iSCSI Target Lun number.
                              format: int32
                              type: integer
                            portals:
                              description: |-
                                portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
                                is other than default (typically TCP ports 860 and 3260).
                              items:
                                type: string
                              type: array
                            readOnly:
                              description: |-
                                readOnly here will force the ReadOnly setting in VolumeMounts.
                                Defaults to false.
                              type: boolean
                            secretRef:
                              description: secretRef is the CHAP Secret for iSCSI
                                target and initiator authentication
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            targetPortal:
                              description: |-
                                targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
                                is other than default (typically TCP ports 860 and 3260).
                              type: string
                          required:
                          - iqn
                          - lun
                          - targetPortal
                          type: object
                        name:
                          description: |-
                            name of the volume.
                            Must be a DNS_LABEL and unique within the pod.
                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                          type: string
                        nfs:
                          description: |-
                            nfs represents an NFS mount on the host that shares a pod's lifetime
                            More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
                          properties:
                            path:
                              description: |-
                                path that is exported by the NFS server.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
                              type: string
                            readOnly:
                              description: |-
                                readOnly here will force the NFS export to be mounted with read-only permissions.
                                Defaults to false.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
                              type: boolean
                            server:
                              description: |-
                                server is the hostname or IP address of the NFS server.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
                              type: string
                          required:
                          - path
                          - server
                          type: object
                        persistentVolumeClaim:
                          description: |-
                            persistentVolumeClaimVolumeSource represents a reference to a
                            PersistentVolumeClaim in the same namespace.
                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
                          properties:
                            claimName:
                              description: |-
                                claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
                                More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
                              type: string
                            readOnly:
                              description: |-
                                readOnly Will force the ReadOnly setting in VolumeMounts.
                                Default false.
                              type: boolean
                          required:
                          - claimName
                          type: object
                        photonPersistentDisk:
                          description: photonPersistentDisk represents a PhotonController
                            persistent disk attached and mounted on kubelets host
                            machine
                          properties:
                            fsType:
                              description: |-
                                fsType is the filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                              type: string
                            pdID:
                              description: pdID is the ID that identifies Photon Controller
                                persistent disk
                              type: string
                          required:
                          - pdID
                          type: object
                        portworxVolume:
                          description: portworxVolume represents a portworx volume
                            attached and mounted on kubelets host machine
                          properties:
                            fsType:
                              description: |-
                                fSType represents the filesystem type to mount
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
                              type: string
                            readOnly:
                              description: |-
                                readOnly defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                              type: boolean
                            volumeID:
                              description: volumeID uniquely identifies a Portworx
                                volume
                              type: string
                          required:
                          - volumeID
                          type: object
                        projected:
                          description: projected items for all in one resources secrets,
                            configmaps, and downward API
                          properties:
                            defaultMode:
                              description: |-
                                defaultMode are the mode bits used to set permissions on created files by default.
                                Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                Directories within the path are not affected by this setting.
                                This might be in conflict with other options that affect the file
                                mode, like fsGroup, and the result can be other mode bits set.
                              format: int32
                              type: integer
                            sources:
                              description: sources is the list of volume projections
                              items:
                                description: Projection that may be projected along
                                  with other supported volume types
                                properties:
                                  clusterTrustBundle:
                                    description: |-
                                      ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
                                      of ClusterTrustBundle objects in an auto-updating file.
                                      Alpha, gated by the ClusterTrustBundleProjection feature gate.
                                      ClusterTrustBundle objects can either be selected by name, or by the
                                      combination of signer name and a label selector.
                                      Kubelet performs aggressive normalization of the PEM contents written
                                      into the pod filesystem.  Esoteric PEM features such as inter-block
                                      comments and block headers are stripped.  Certificates are deduplicated.
                                      The ordering of certificates within the file is arbitrary, and Kubelet
                                      may change the order over time.
                                    properties:
                                      labelSelector:
                                        description: |-
                                          Select all ClusterTrustBundles that match this label selector.  Only has
                                          effect if signerName is set.  Mutually-exclusive with name.  If unset,
                                          interpreted as "match nothing".  If set but empty, interpreted as "match
                                          everything".
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      name:
                                        description: |-
                                          Select a single ClusterTrustBundle by object name.  Mutually-exclusive
                                          with signerName and labelSelector.
                                        type: string
                                      optional:
                                        description: |-
                                          If true, don't block pod startup if the referenced ClusterTrustBundle(s)
                                          aren't available.  If using name, then the named ClusterTrustBundle is
                                          allowed not to exist.  If using signerName, then the combination of
                                          signerName and labelSelector is allowed to match zero
                                          ClusterTrustBundles.
                                        type: boolean
                                      path:
                                        description: Relative path from the volume
                                          root to write the bundle.
                                        type: string
                                      signerName:
                                        description: |-
                                          Select all ClusterTrustBundles that match this signer name.
                                          Mutually-exclusive with name.  The contents of all selected
                                          ClusterTrustBundles will be unified and deduplicated.
                                        type: string
                                    required:
                                    - path
                                    type: object
                                  configMap:
                                    description: configMap information about the configMap
                                      data to project
                                    properties:
                                      items:
                                        description: |-
                                          items if unspecified, each key-value pair in the Data field of the referenced
                                          ConfigMap will be projected into the volume as a file whose name is the
                                          key and content is the value. If specified, the listed keys will be
                                          projected into the specified paths, and unlisted keys will not be
                                          present. If a key is specified which is not present in the ConfigMap,
                                          the volume setup will error unless it is marked optional. Paths must be
                                          relative and may not contain the '..' path or start with '..'.
                                        items:
                                          description: Maps a string key to a path
                                            within a volume.
                                          properties:
                                            key:
                                              description: key is the key to project.
                                              type: string
                                            mode:
                                              description: |-
                                                mode is Optional: mode bits used to set permissions on this file.
                                                Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                                YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                                If not specified, the volume defaultMode will be used.
                                                This might be in conflict with other options that affect the file
                                                mode, like fsGroup, and the result can be other mode bits set.
                                              format: int32
                                              type: integer
                                            path:
                                              description: |-
                                                path is the relative path of the file to map the key to.
                                                May not be an absolute path.
                                                May not contain the path element '..'.
                                                May not start with the string '..'.
                                              type: string
                                          required:
                                          - key
                                          - path
                                          type: object
                                        type: array
                                      name:
                                        description: |-
                                          Name of the referent.
                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                        type: string
                                      optional:
                                        description: optional specify whether the
                                          ConfigMap or its keys must be defined
                                        type: boolean
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  downwardAPI:
                                    description: downwardAPI information about the
                                      downwardAPI data to project
                                    properties:
                                      items:
                                        description: Items is a list of DownwardAPIVolume
                                          file
                                        items:
                                          description: DownwardAPIVolumeFile represents
                                            information to create the file containing
                                            the pod field
                                          properties:
                                            fieldRef:
                                              description: 'Required: Selects a field
                                                of the pod: only annotations, labels,
                                                name and namespace are supported.'
                                              properties:
                                                apiVersion:
                                                  description: Version of the schema
                                                    the FieldPath is written in terms
                                                    of, defaults to "v1".
                                                  type: string
                                                fieldPath:
                                                  description: Path of the field to
                                                    select in the specified API version.
                                                  type: string
                                              required:
                                              - fieldPath
                                              type: object
                                              x-kubernetes-map-type: atomic
                                            mode:
                                              description: |-
                                                Optional: mode bits used to set permissions on this file, must be an octal value
                                                between 0000 and 0777 or a decimal value between 0 and 511.
                                                YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                                If not specified, the volume defaultMode will be used.
                                                This might be in conflict with other options that affect the file
                                                mode, like fsGroup, and the result can be other mode bits set.
                                              format: int32
                                              type: integer
                                            path:
                                              description: 'Required: Path is  the
                                                relative path name of the file to
                                                be created. Must not be absolute or
                                                contain the ''..'' path. Must be utf-8
                                                encoded. The first item of the relative
                                                path must not start with ''..'''
                                              type: string
                                            resourceFieldRef:
                                              description: |-
                                                Selects a resource of the container: only resources limits and requests
                                                (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
                                              properties:
                                                containerName:
                                                  description: 'Container name: required
                                                    for volumes, optional for env
                                                    vars'
                                                  type: string
                                                divisor:
                                                  anyOf:
                                                  - type: integer
                                                  - type: string
                                                  description: Specifies the output
                                                    format of the exposed resources,
                                                    defaults to "1"
                                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                                  x-kubernetes-int-or-string: true
                                                resource:
                                                  description: 'Required: resource
                                                    to select'
                                                  type: string
                                              required:
                                              - resource
                                              type: object
                                              x-kubernetes-map-type: atomic
                                          required:
                                          - path
                                          type: object
                                        type: array
                                    type: object
                                  secret:
                                    description: secret information about the secret
                                      data to project
                                    properties:
                                      items:
                                        description: |-
                                          items if unspecified, each key-value pair in the Data field of the referenced
                                          Secret will be projected into the volume as a file whose name is the
                                          key and content is the value. If specified, the listed keys will be
                                          projected into the specified paths, and unlisted keys will not be
                                          present. If a key is specified which is not present in the Secret,
                                          the volume setup will error unless it is marked optional. Paths must be
                                          relative and may not contain the '..' path or start with '..'.
                                        items:
                                          description: Maps a string key to a path
                                            within a volume.
                                          properties:
                                            key:
                                              description: key is the key to project.
                                              type: string
                                            mode:
                                              description: |-
                                                mode is Optional: mode bits used to set permissions on this file.
                                                Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                                YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                                If not specified, the volume defaultMode will be used.
                                                This might be in conflict with other options that affect the file
                                                mode, like fsGroup, and the result can be other mode bits set.
                                              format: int32
                                              type: integer
                                            path:
                                              description: |-
                                                path is the relative path of the file to map the key to.
                                                May not be an absolute path.
                                                May not contain the path element '..'.
                                                May not start with the string '..'.
                                              type: string
                                          required:
                                          - key
                                          - path
                                          type: object
                                        type: array
                                      name:
                                        description: |-
                                          Name of the referent.
                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                        type: string
                                      optional:
                                        description: optional field specify whether
                                          the Secret or its key must be defined
                                        type: boolean
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  serviceAccountToken:
                                    description: serviceAccountToken is information
                                      about the serviceAccountToken data to project
                                    properties:
                                      audience:
                                        description: |-
                                          audience is the intended audience of the token. A recipient of a token
                                          must identify itself with an identifier specified in the audience of the
                                          token, and otherwise should reject the token. The audience defaults to the
                                          identifier of the apiserver.
                                        type: string
                                      expirationSeconds:
                                        description: |-
                                          expirationSeconds is the requested duration of validity of the service
                                          account token. As the token approaches expiration, the kubelet volume
                                          plugin will proactively rotate the service account token. The kubelet will
                                          start trying to rotate the token if the token is older than 80 percent of
                                          its time to live or if the token is older than 24 hours.Defaults to 1 hour
                                          and must be at least 10 minutes.
                                        format: int64
                                        type: integer
                                      path:
                                        description: |-
                                          path is the path relative to the mount point of the file to project the
                                          token into.
                                        type: string
                                    required:
                                    - path
                                    type: object
                                type: object
                              type: array
                          type: object
                        quobyte:
                          description: quobyte represents a Quobyte mount on the host
                            that shares a pod's lifetime
                          properties:
                            group:
                              description: |-
                                group to map volume access to
                                Default is no group
                              type: string
                            readOnly:
                              description: |-
                                readOnly here will force the Quobyte volume to be mounted with read-only permissions.
                                Defaults to false.
                              type: boolean
                            registry:
                              description: |-
                                registry represents a single or multiple Quobyte Registry services
                                specified as a string as host:port pair (multiple entries are separated with commas)
                                which acts as the central registry for volumes
                              type: string
                            tenant:
                              description: |-
                                tenant owning the given Quobyte volume in the Backend
                                Used with dynamically provisioned Quobyte volumes, value is set by the plugin
                              type: string
                            user:
                              description: |-
                                user to map volume access to
                                Defaults to serivceaccount user
                              type: string
                            volume:
                              description: volume is a string that references an already
                                created Quobyte volume by name.
                              type: string
                          required:
                          - registry
                          - volume
                          type: object
                        rbd:
                          description: |-
                            rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                            More info: https://examples.k8s.io/volumes/rbd/README.md
                          properties:
                            fsType:
                              description: |-
                                fsType is the filesystem type of the volume that you want to mount.
                                Tip: Ensure that the filesystem type is supported by the host operating system.
                                Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
                                TODO: how do we prevent errors in the filesystem from compromising the machine
                              type: string
                            image:
                              description: |-
                                image is the rados image name.
                                More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                              type: string
                            keyring:
                              description: |-
                                keyring is the path to key ring for RBDUser.
                                Default is /etc/ceph/keyring.
                                More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                              type: string
                            monitors:
                              description: |-
                                monitors is a collection of Ceph monitors.
                                More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                              items:
                                type: string
                              type: array
                            pool:
                              description: |-
                                pool is the rados pool name.
                                Default is rbd.
                                More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                              type: string
                            readOnly:
                              description: |-
                                readOnly here will force the ReadOnly setting in VolumeMounts.
                                Defaults to false.
                                More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                              type: boolean
                            secretRef:
                              description: |-
                                secretRef is name of the authentication secret for RBDUser. If provided
                                overrides keyring.
                                Default is nil.
                                More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            user:
                              description: |-
                                user is the rados user name.
                                Default is admin.
                                More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                              type: string
                          required:
                          - image
                          - monitors
                          type: object
                        scaleIO:
                          description: scaleIO represents a ScaleIO persistent volume
                            attached and mounted on Kubernetes nodes.
                          properties:
                            fsType:
                              description: |-
                                fsType is the filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs", "ntfs".
                                Default is "xfs".
                              type: string
                            gateway:
                              description: gateway is the host address of the ScaleIO
                                API Gateway.
                              type: string
                            protectionDomain:
                              description: protectionDomain is the name of the ScaleIO
                                Protection Domain for the configured storage.
                              type: string
                            readOnly:
                              description: |-
                                readOnly Defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                              type: boolean
                            secretRef:
                              description: |-
                                secretRef references to the secret for ScaleIO user and other
                                sensitive information. If this is not provided, Login operation will fail.
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            sslEnabled:
                              description: sslEnabled Flag enable/disable SSL communication
                                with Gateway, default false
                              type: boolean
                            storageMode:
                              description: |-
                                storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                Default is ThinProvisioned.
                              type: string
                            storagePool:
                              description: storagePool is the ScaleIO Storage Pool
                                associated with the protection domain.
                              type: string
                            system:
                              description: system is the name of the storage system
                                as configured in ScaleIO.
                              type: string
                            volumeName:
                              description: |-
                                volumeName is the name of a volume already created in the ScaleIO system
                                that is associated with this volume source.
                              type: string
                          required:
                          - gateway
                          - secretRef
                          - system
                          type: object
                        secret:
                          description: |-
                            secret represents a secret that should populate this volume.
                            More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
                          properties:
                            defaultMode:
                              description: |-
                                defaultMode is Optional: mode bits used to set permissions on created files by default.
                                Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                YAML accepts both octal and decimal values, JSON requires decimal values
                                for mode bits. Defaults to 0644.
                                Directories within the path are not affected by this setting.
                                This might be in conflict with other options that affect the file
                                mode, like fsGroup, and the result can be other mode bits set.
                              format: int32
                              type: integer
                            items:
                              description: |-
                                items If unspecified, each key-value pair in the Data field of the referenced
                                Secret will be projected into the volume as a file whose name is the
                                key and content is the value. If specified, the listed keys will be
                                projected into the specified paths, and unlisted keys will not be
                                present. If a key is specified which is not present in the Secret,
                                the volume setup will error unless it is marked optional. Paths must be
                                relative and may not contain the '..' path or start with '..'.
                              items:
                                description: Maps a string key to a path within a
                                  volume.
                                properties:
                                  key:
                                    description: key is the key to project.
                                    type: string
                                  mode:
                                    description: |-
                                      mode is Optional: mode bits used to set permissions on this file.
                                      Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
                                      YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
                                      If not specified, the volume defaultMode will be used.
                                      This might be in conflict with other options that affect the file
                                      mode, like fsGroup, and the result can be other mode bits set.
                                    format: int32
                                    type: integer
                                  path:
                                    description: |-
                                      path is the relative path of the file to map the key to.
                                      May not be an absolute path.
                                      May not contain the path element '..'.
                                      May not start with the string '..'.
                                    type: string
                                required:
                                - key
                                - path
                                type: object
                              type: array
                            optional:
                              description: optional field specify whether the Secret
                                or its keys must be defined
                              type: boolean
                            secretName:
                              description: |-
                                secretName is the name of the secret in the pod's namespace to use.
                                More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
                              type: string
                          type: object
                        storageos:
                          description: storageOS represents a StorageOS volume attached
                            and mounted on Kubernetes nodes.
                          properties:
                            fsType:
                              description: |-
                                fsType is the filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                              type: string
                            readOnly:
                              description: |-
                                readOnly defaults to false (read/write). ReadOnly here will force
                                the ReadOnly setting in VolumeMounts.
                              type: boolean
                            secretRef:
                              description: |-
                                secretRef specifies the secret to use for obtaining the StorageOS API
                                credentials.  If not specified, default values will be attempted.
                              properties:
                                name:
                                  description: |-
                                    Name of the referent.
                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            volumeName:
                              description: |-
                                volumeName is the human-readable name of the StorageOS volume.  Volume
                                names are only unique within a namespace.
                              type: string
                            volumeNamespace:
                              description: |-
                                volumeNamespace specifies the scope of the volume within StorageOS.  If no
                                namespace is specified then the Pod's namespace will be used.  This allows the
                                Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
                                Set VolumeName to any name to override the default behaviour.
                                Set to "default" if you are not using namespaces within StorageOS.
                                Namespaces that do not pre-exist within StorageOS will be created.
                              type: string
                          type: object
                        vsphereVolume:
                          description: vsphereVolume represents a vSphere volume attached
                            and mounted on kubelets host machine
                          properties:
                            fsType:
                              description: |-
                                fsType is filesystem type to mount.
                                Must be a filesystem type supported by the host operating system.
                                Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                              type: string
                            storagePolicyID:
                              description: storagePolicyID is the storage Policy Based
                                Management (SPBM) profile ID associated with the StoragePolicyName.
                              type: string
                            storagePolicyName:
                              description: storagePolicyName is the storage Policy
                                Based Management (SPBM) profile name.
                              type: string
                            volumePath:
                              description: volumePath is the path that identifies
                                vSphere volume vmdk
                              type: string
                          required:
                          - volumePath
                          type: object
                      required:
                      - name
                      type: object
                    type: array
                  logLevel:
                    description: |-
                      LogLevel sets the log level for Envoy.
                      Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off".
                    type: string
                  networkPublishing:
                    description: NetworkPublishing defines how to expose Envoy to
                      a network.
                    properties:
                      externalTrafficPolicy:
                        description: |-
                          ExternalTrafficPolicy describes how nodes distribute service traffic they
                          receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs,
                          and LoadBalancer IPs).
                          If unset, defaults to "Local".
                        type: string
                      ipFamilyPolicy:
                        description: |-
                          IPFamilyPolicy represents the dual-stack-ness requested or required by
                          this Service. If there is no value provided, then this field will be set
                          to SingleStack. Services can be "SingleStack" (a single IP family),
                          "PreferDualStack" (two IP families on dual-stack configured clusters or
                          a single IP family on single-stack clusters), or "RequireDualStack"
                          (two IP families on dual-stack configured clusters, otherwise fail).
                        type: string
                      serviceAnnotations:
                        additionalProperties:
                          type: string
                        description: |-
                          ServiceAnnotations is the annotations to add to
                          the provisioned Envoy service.
                        type: object
                      type:
                        description: |-
                          NetworkPublishingType is the type of publishing strategy to use. Valid values are:
                          * LoadBalancerService
                          In this configuration, network endpoints for Envoy use container networking.
                          A Kubernetes LoadBalancer Service is created to publish Envoy network
                          endpoints.
                          See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
                          * NodePortService
                          Publishes Envoy network endpoints using a Kubernetes NodePort Service.
                          In this configuration, Envoy network endpoints use container networking. A Kubernetes
                          NodePort Service is created to publish the network endpoints.
                          See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
                          NOTE:
                          When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate
                          the Service's node port values, there's no way to auto-allocate them.
                          See: https://github.com/projectcontour/contour/issues/4499
                          * ClusterIPService
                          Publishes Envoy network endpoints using a Kubernetes ClusterIP Service.
                          In this configuration, Envoy network endpoints use container networking. A Kubernetes
                          ClusterIP Service is created to publish the network endpoints.
                          See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
                          If unset, defaults to LoadBalancerService.
                        type: string
                    type: object
                  nodePlacement:
                    description: NodePlacement describes node scheduling configuration
                      of Envoy pods.
                    properties:
                      nodeSelector:
                        additionalProperties:
                          type: string
                        description: |-
                          NodeSelector is the simplest recommended form of node selection constraint
                          and specifies a map of key-value pairs. For the pod to be eligible
                          to run on a node, the node must have each of the indicated key-value pairs
                          as labels (it can have additional labels as well).
                          If unset, the pod(s) will be scheduled to any available node.
                        type: object
                      tolerations:
                        description: |-
                          Tolerations work with taints to ensure that pods are not scheduled
                          onto inappropriate nodes. One or more taints are applied to a node; this
                          marks that the node should not accept any pods that do not tolerate the
                          taints.
                          The default is an empty list.
                          See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
                          for additional details.
                        items:
                          description: |-
                            The pod this Toleration is attached to tolerates any taint that matches
                            the triple <key,value,effect> using the matching operator <operator>.
                          properties:
                            effect:
                              description: |-
                                Effect indicates the taint effect to match. Empty means match all taint effects.
                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
                              type: string
                            key:
                              description: |-
                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                              type: string
                            operator:
                              description: |-
                                Operator represents a key's relationship to the value.
                                Valid operators are Exists and Equal. Defaults to Equal.
                                Exists is equivalent to wildcard for value, so that a pod can
                                tolerate all taints of a particular category.
                              type: string
                            tolerationSeconds:
                              description: |-
                                TolerationSeconds represents the period of time the toleration (which must be
                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
                                it is not set, which means tolerate the taint forever (do not evict). Zero and
                                negative values will be treated as 0 (evict immediately) by the system.
                              format: int64
                              type: integer
                            value:
                              description: |-
                                Value is the taint value the toleration matches to.
                                If the operator is Exists, the value should be empty, otherwise just a regular string.
                              type: string
                          type: object
                        type: array
                    type: object
                  overloadMaxHeapSize:
                    description: |-
                      OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager.
                      When the value is greater than 0, the overload manager is enabled,
                      and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation,
                      When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests.
                      More info: https://projectcontour.io/docs/main/config/overload-manager/
                    format: int64
                    type: integer
                  podAnnotations:
                    additionalProperties:
                      type: string
                    description: |-
                      PodAnnotations defines annotations to add to the Envoy pods.
                      the annotations for Prometheus will be appended or overwritten with predefined value.
                    type: object
                  replicas:
                    description: |-
                      Deprecated: Use `DeploymentSettings.Replicas` instead.
                      Replicas is the desired number of Envoy replicas. If WorkloadType
                      is not "Deployment", this field is ignored. Otherwise, if unset,
                      defaults to 2.
                      if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
                    format: int32
                    minimum: 0
                    type: integer
                  resources:
                    description: |-
                      Compute Resources required by envoy container.
                      Cannot be updated.
                      More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                    properties:
                      claims:
                        description: |-
                          Claims lists the names of resources, defined in spec.resourceClaims,
                          that are used by this container.
                          This is an alpha field and requires enabling the
                          DynamicResourceAllocation feature gate.
                          This field is immutable. It can only be set for containers.
                        items:
                          description: ResourceClaim references one entry in PodSpec.ResourceClaims.
                          properties:
                            name:
                              description: |-
                                Name must match the name of one entry in pod.spec.resourceClaims of
                                the Pod where this field is used. It makes that resource available
                                inside a container.
                              type: string
                          required:
                          - name
                          type: object
                        type: array
                        x-kubernetes-list-map-keys:
                        - name
                        x-kubernetes-list-type: map
                      limits:
                        additionalProperties:
                          anyOf:
                          - type: integer
                          - type: string
                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                          x-kubernetes-int-or-string: true
                        description: |-
                          Limits describes the maximum amount of compute resources allowed.
                          More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                        type: object
                      requests:
                        additionalProperties:
                          anyOf:
                          - type: integer
                          - type: string
                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                          x-kubernetes-int-or-string: true
                        description: |-
                          Requests describes the minimum amount of compute resources required.
                          If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
                          otherwise to an implementation-defined value. Requests cannot exceed Limits.
                          More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                        type: object
                    type: object
                  workloadType:
                    description: |-
                      WorkloadType is the type of workload to install Envoy
                      as. Choices are DaemonSet and Deployment. If unset, defaults
                      to DaemonSet.
                    type: string
                type: object
              resourceLabels:
                additionalProperties:
                  type: string
                description: |-
                  ResourceLabels is a set of labels to add to the provisioned Contour resources.
                  Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be
                  removed in a future release.
                type: object
              runtimeSettings:
                description: |-
                  RuntimeSettings is a ContourConfiguration spec to be used when
                  provisioning a Contour instance that will influence aspects of
                  the Contour instance's runtime behavior.
                properties:
                  debug:
                    description: |-
                      Debug contains parameters to enable debug logging
                      and debug interfaces inside Contour.
                    properties:
                      address:
                        description: |-
                          Defines the Contour debug address interface.
                          Contour's default is "127.0.0.1".
                        type: string
                      port:
                        description: |-
                          Defines the Contour debug address port.
                          Contour's default is 6060.
                        type: integer
                    type: object
                  enableExternalNameService:
                    description: |-
                      EnableExternalNameService allows processing of ExternalNameServices
                      Contour's default is false for security reasons.
                    type: boolean
                  envoy:
                    description: |-
                      Envoy contains parameters for Envoy as well
                      as how to optionally configure a managed Envoy fleet.
                    properties:
                      clientCertificate:
                        description: |-
                          ClientCertificate defines the namespace/name of the Kubernetes
                          secret containing the client certificate and private key
                          to be used when establishing TLS connection to upstream
                          cluster.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        - namespace
                        type: object
                      cluster:
                        description: |-
                          Cluster holds various configurable Envoy cluster values that can
                          be set in the config file.
                        properties:
                          circuitBreakers:
                            description: |-
                              GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
                              If defined, this will be used as the default for all services.
                            properties:
                              maxConnections:
                                description: The maximum number of connections that
                                  a single Envoy instance allows to the Kubernetes
                                  Service; defaults to 1024.
                                format: int32
                                type: integer
                              maxPendingRequests:
                                description: The maximum number of pending requests
                                  that a single Envoy instance allows to the Kubernetes
                                  Service; defaults to 1024.
                                format: int32
                                type: integer
                              maxRequests:
                                description: The maximum parallel requests a single
                                  Envoy instance allows to the Kubernetes Service;
                                  defaults to 1024
                                format: int32
                                type: integer
                              maxRetries:
                                description: The maximum number of parallel retries
                                  a single Envoy instance allows to the Kubernetes
                                  Service; defaults to 3.
                                format: int32
                                type: integer
                            type: object
                          dnsLookupFamily:
                            description: |-
                              DNSLookupFamily defines how external names are looked up
                              When configured as V4, the DNS resolver will only perform a lookup
                              for addresses in the IPv4 family. If V6 is configured, the DNS resolver
                              will only perform a lookup for addresses in the IPv6 family.
                              If AUTO is configured, the DNS resolver will first perform a lookup
                              for addresses in the IPv6 family and fallback to a lookup for addresses
                              in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
                              both IPv4 and IPv6 families, and return all resolved addresses.
                              When this is used, Happy Eyeballs will be enabled for upstream connections.
                              Refer to Happy Eyeballs Support for more information.
                              Note: This only applies to externalName clusters.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
                              for more information.
                              Values: `auto` (default), `v4`, `v6`, `all`.
                              Other values will produce an error.
                            type: string
                          maxRequestsPerConnection:
                            description: |-
                              Defines the maximum requests for upstream connections. If not specified, there is no limit.
                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
                              for more information.
                            format: int32
                            minimum: 1
                            type: integer
                          per-connection-buffer-limit-bytes:
                            description: |-
                              Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
                              If unspecified, an implementation defined default is applied (1MiB).
                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
                              for more information.
                            format: int32
                            minimum: 1
                            type: integer
                          upstreamTLS:
                            description: UpstreamTLS contains the TLS policy parameters
                              for upstream connections
                            properties:
                              cipherSuites:
                                description: |-
                                  CipherSuites defines the TLS ciphers to be supported by Envoy TLS
                                  listeners when negotiating TLS 1.2. Ciphers are validated against the
                                  set that Envoy supports by default. This parameter should only be used
                                  by advanced users. Note that these will be ignored when TLS 1.3 is in
                                  use.
                                  This field is optional; when it is undefined, a Contour-managed ciphersuite list
                                  will be used, which may be updated to keep it secure.
                                  Contour's default list is:
                                    - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                    - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                    - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                    - "ECDHE-RSA-AES256-GCM-SHA384"
                                  Ciphers provided are validated against the following list:
                                    - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                    - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                    - "ECDHE-ECDSA-AES128-GCM-SHA256"
                                    - "ECDHE-RSA-AES128-GCM-SHA256"
                                    - "ECDHE-ECDSA-AES128-SHA"
                                    - "ECDHE-RSA-AES128-SHA"
                                    - "AES128-GCM-SHA256"
                                    - "AES128-SHA"
                                    - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                    - "ECDHE-RSA-AES256-GCM-SHA384"
                                    - "ECDHE-ECDSA-AES256-SHA"
                                    - "ECDHE-RSA-AES256-SHA"
                                    - "AES256-GCM-SHA384"
                                    - "AES256-SHA"
                                  Contour recommends leaving this undefined unless you are sure you must.
                                  See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
                                  Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
                                items:
                                  type: string
                                type: array
                              maximumProtocolVersion:
                                description: |-
                                  MaximumProtocolVersion is the maximum TLS version this vhost should
                                  negotiate.
                                  Values: `1.2`, `1.3`(default).
                                  Other values will produce an error.
                                type: string
                              minimumProtocolVersion:
                                description: |-
                                  MinimumProtocolVersion is the minimum TLS version this vhost should
                                  negotiate.
                                  Values: `1.2` (default), `1.3`.
                                  Other values will produce an error.
                                type: string
                            type: object
                        type: object
                      defaultHTTPVersions:
                        description: |-
                          DefaultHTTPVersions defines the default set of HTTPS
                          versions the proxy should accept. HTTP versions are
                          strings of the form "HTTP/xx". Supported versions are
                          "HTTP/1.1" and "HTTP/2".
                          Values: `HTTP/1.1`, `HTTP/2` (default: both).
                          Other values will produce an error.
                        items:
                          description: HTTPVersionType is the name of a supported
                            HTTP version.
                          type: string
                        type: array
                      health:
                        description: |-
                          Health defines the endpoint Envoy uses to serve health checks.
                          Contour's default is { address: "0.0.0.0", port: 8002 }.
                        properties:
                          address:
                            description: Defines the health address interface.
                            minLength: 1
                            type: string
                          port:
                            description: Defines the health port.
                            type: integer
                        type: object
                      http:
                        description: |-
                          Defines the HTTP Listener for Envoy.
                          Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
                        properties:
                          accessLog:
                            description: AccessLog defines where Envoy logs are outputted
                              for this listener.
                            type: string
                          address:
                            description: Defines an Envoy Listener Address.
                            minLength: 1
                            type: string
                          port:
                            description: Defines an Envoy listener Port.
                            type: integer
                        type: object
                      https:
                        description: |-
                          Defines the HTTPS Listener for Envoy.
                          Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
                        properties:
                          accessLog:
                            description: AccessLog defines where Envoy logs are outputted
                              for this listener.
                            type: string
                          address:
                            description: Defines an Envoy Listener Address.
                            minLength: 1
                            type: string
                          port:
                            description: Defines an Envoy listener Port.
                            type: integer
                        type: object
                      listener:
                        description: Listener hold various configurable Envoy listener
                          values.
                        properties:
                          connectionBalancer:
                            description: |-
                              ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
                              for more information.
                              Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
                              Other values will produce an error.
                            type: string
                          disableAllowChunkedLength:
                            description: |-
                              DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
                              strip the "Content-Length" header if "Transfer-Encoding: chunked" is
                              also set. This is an emergency off-switch to revert back to Envoy's
                              default behavior in case of failures. Please file an issue if failures
                              are encountered.
                              See: https://github.com/projectcontour/contour/issues/3221
                              Contour's default is false.
                            type: boolean
                          disableMergeSlashes:
                            description: |-
                              DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
                              which strips duplicate slashes from request URL paths.
                              Contour's default is false.
                            type: boolean
                          httpMaxConcurrentStreams:
                            description: |-
                              Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
                              SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
                              for a peer on a single HTTP/2 connection. It is recommended to not set this lower
                              than 100 but this field can be used to bound resource usage by HTTP/2 connections
                              and mitigate attacks like CVE-2023-44487. The default value when this is not set is
                              unlimited.
                            format: int32
                            minimum: 1
                            type: integer
                          maxConnectionsPerListener:
                            description: |-
                              Defines the limit on number of active connections to a listener. The limit is applied
                              per listener. The default value when this is not set is unlimited.
                            format: int32
                            minimum: 1
                            type: integer
                          maxRequestsPerConnection:
                            description: |-
                              Defines the maximum requests for downstream connections. If not specified, there is no limit.
                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
                              for more information.
                            format: int32
                            minimum: 1
                            type: integer
                          maxRequestsPerIOCycle:
                            description: |-
                              Defines the limit on number of HTTP requests that Envoy will process from a single
                              connection in a single I/O cycle. Requests over this limit are processed in subsequent
                              I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
                              detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
                              value when this is not set is no limit.
                            format: int32
                            minimum: 1
                            type: integer
                          per-connection-buffer-limit-bytes:
                            description: |-
                              Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
                              If unspecified, an implementation defined default is applied (1MiB).
                              see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
                              for more information.
                            format: int32
                            minimum: 1
                            type: integer
                          serverHeaderTransformation:
                            description: |-
                              Defines the action to be applied to the Server header on the response path.
                              When configured as overwrite, overwrites any Server header with "envoy".
                              When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
                              When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
                              Values: `overwrite` (default), `append_if_absent`, `pass_through`
                              Other values will produce an error.
                              Contour's default is overwrite.
                            type: string
                          socketOptions:
                            description: |-
                              SocketOptions defines configurable socket options for the listeners.
                              Single set of options are applied to all listeners.
                            properties:
                              tos:
                                description: |-
                                  Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
                                  Single value is applied to all listeners.
                                  If listeners are bound to IPv6-only addresses, setting this option will cause an error.
                                format: int32
                                maximum: 255
                                minimum: 0
                                type: integer
                              trafficClass:
                                description: |-
                                  Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
                                  Single value is applied to all listeners.
                                  If listeners are bound to IPv4-only addresses, setting this option will cause an error.
                                format: int32
                                maximum: 255
                                minimum: 0
                                type: integer
                            type: object
                          tls:
                            description: TLS holds various configurable Envoy TLS
                              listener values.
                            properties:
                              cipherSuites:
                                description: |-
                                  CipherSuites defines the TLS ciphers to be supported by Envoy TLS
                                  listeners when negotiating TLS 1.2. Ciphers are validated against the
                                  set that Envoy supports by default. This parameter should only be used
                                  by advanced users. Note that these will be ignored when TLS 1.3 is in
                                  use.
                                  This field is optional; when it is undefined, a Contour-managed ciphersuite list
                                  will be used, which may be updated to keep it secure.
                                  Contour's default list is:
                                    - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                    - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                    - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                    - "ECDHE-RSA-AES256-GCM-SHA384"
                                  Ciphers provided are validated against the following list:
                                    - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                                    - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
                                    - "ECDHE-ECDSA-AES128-GCM-SHA256"
                                    - "ECDHE-RSA-AES128-GCM-SHA256"
                                    - "ECDHE-ECDSA-AES128-SHA"
                                    - "ECDHE-RSA-AES128-SHA"
                                    - "AES128-GCM-SHA256"
                                    - "AES128-SHA"
                                    - "ECDHE-ECDSA-AES256-GCM-SHA384"
                                    - "ECDHE-RSA-AES256-GCM-SHA384"
                                    - "ECDHE-ECDSA-AES256-SHA"
                                    - "ECDHE-RSA-AES256-SHA"
                                    - "AES256-GCM-SHA384"
                                    - "AES256-SHA"
                                  Contour recommends leaving this undefined unless you are sure you must.
                                  See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
                                  Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
                                items:
                                  type: string
                                type: array
                              maximumProtocolVersion:
                                description: |-
                                  MaximumProtocolVersion is the maximum TLS version this vhost should
                                  negotiate.
                                  Values: `1.2`, `1.3`(default).
                                  Other values will produce an error.
                                type: string
                              minimumProtocolVersion:
                                description: |-
                                  MinimumProtocolVersion is the minimum TLS version this vhost should
                                  negotiate.
                                  Values: `1.2` (default), `1.3`.
                                  Other values will produce an error.
                                type: string
                            type: object
                          useProxyProtocol:
                            description: |-
                              Use PROXY protocol for all listeners.
                              Contour's default is false.
                            type: boolean
                        type: object
                      logging:
                        description: Logging defines how Envoy's logs can be configured.
                        properties:
                          accessLogFormat:
                            description: |-
                              AccessLogFormat sets the global access log format.
                              Values: `envoy` (default), `json`.
                              Other values will produce an error.
                            type: string
                          accessLogFormatString:
                            description: |-
                              AccessLogFormatString sets the access log format when format is set to `envoy`.
                              When empty, Envoy's default format is used.
                            type: string
                          accessLogJSONFields:
                            description: |-
                              AccessLogJSONFields sets the fields that JSON logging will
                              output when AccessLogFormat is json.
                            items:
                              type: string
                            type: array
                          accessLogLevel:
                            description: |-
                              AccessLogLevel sets the verbosity level of the access log.
                              Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
                              Other values will produce an error.
                            type: string
                        type: object
                      metrics:
                        description: |-
                          Metrics defines the endpoint Envoy uses to serve metrics.
                          Contour's default is { address: "0.0.0.0", port: 8002 }.
                        properties:
                          address:
                            description: Defines the metrics address interface.
                            maxLength: 253
                            minLength: 1
                            type: string
                          port:
                            description: Defines the metrics port.
                            type: integer
                          tls:
                            description: |-
                              TLS holds TLS file config details.
                              Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
                            properties:
                              caFile:
                                description: CA filename.
                                type: string
                              certFile:
                                description: Client certificate filename.
                                type: string
                              keyFile:
                                description: Client key filename.
                                type: string
                            type: object
                        type: object
                      network:
                        description: Network holds various configurable Envoy network
                          values.
                        properties:
                          adminPort:
                            description: |-
                              Configure the port used to access the Envoy Admin interface.
                              If configured to port "0" then the admin interface is disabled.
                              Contour's default is 9001.
                            type: integer
                          numTrustedHops:
                            description: |-
                              XffNumTrustedHops defines the number of additional ingress proxy hops from the
                              right side of the x-forwarded-for HTTP header to trust when determining the origin
                              client’s IP address.
                              See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
                              for more information.
                              Contour's default is 0.
                            format: int32
                            type: integer
                        type: object
                      service:
                        description: |-
                          Service holds Envoy service parameters for setting Ingress status.
                          Contour's default is { namespace: "projectcontour", name: "envoy" }.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        - namespace
                        type: object
                      timeouts:
                        description: |-
                          Timeouts holds various configurable timeouts that can
                          be set in the config file.
                        properties:
                          connectTimeout:
                            description: |-
                              ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
                              If not set, a default value of 2 seconds will be used.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
                              for more information.
                            type: string
                          connectionIdleTimeout:
                            description: |-
                              ConnectionIdleTimeout defines how long the proxy should wait while there are
                              no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
                              an HTTP connection. Set to "infinity" to disable the timeout entirely.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
                              for more information.
                            type: string
                          connectionShutdownGracePeriod:
                            description: |-
                              ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
                              initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
                              During this grace period, the proxy will continue to respond to new streams. After the final
                              GOAWAY frame has been sent, the proxy will refuse new streams.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
                              for more information.
                            type: string
                          delayedCloseTimeout:
                            description: |-
                              DelayedCloseTimeout defines how long envoy will wait, once connection
                              close processing has been initiated, for the downstream peer to close
                              the connection before Envoy closes the socket associated with the connection.
                              Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
                              in Envoy. Leaving it unset will result in the Envoy default value being used.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
                              for more information.
                            type: string
                          maxConnectionDuration:
                            description: |-
                              MaxConnectionDuration defines the maximum period of time after an HTTP connection
                              has been established from the client to the proxy before it is closed by the proxy,
                              regardless of whether there has been activity or not. Omit or set to "infinity" for
                              no max duration.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
                              for more information.
                            type: string
                          requestTimeout:
                            description: |-
                              RequestTimeout sets the client request timeout globally for Contour. Note that
                              this is a timeout for the entire request, not an idle timeout. Omit or set to
                              "infinity" to disable the timeout entirely.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
                              for more information.
                            type: string
                          streamIdleTimeout:
                            description: |-
                              StreamIdleTimeout defines how long the proxy should wait while there is no
                              request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
                              terminating the HTTP request or stream. Set to "infinity" to disable the
                              timeout entirely.
                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
                              for more information.
                            type: string
                        type: object
                    type: object
                  featureFlags:
                    description: |-
                      FeatureFlags defines toggle to enable new contour features.
                      Available toggles are:
                      useEndpointSlices - configures contour to fetch endpoint data
                      from k8s endpoint slices. defaults to false and reading endpoint
                      data from the k8s endpoints.
                    items:
                      type: string
                    type: array
                  gateway:
                    description: |-
                      Gateway contains parameters for the gateway-api Gateway that Contour
                      is configured to serve traffic.
                    properties:
                      gatewayRef:
                        description: |-
                          GatewayRef defines the specific Gateway that this Contour
                          instance corresponds to.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        - namespace
                        type: object
                    required:
                    - gatewayRef
                    type: object
                  globalExtAuth:
                    description: |-
                      GlobalExternalAuthorization allows envoys external authorization filter
                      to be enabled for all virtual hosts.
                    properties:
                      authPolicy:
                        description: |-
                          AuthPolicy sets a default authorization policy for client requests.
                          This policy will be used unless overridden by individual routes.
                        properties:
                          context:
                            additionalProperties:
                              type: string
                            description: |-
                              Context is a set of key/value pairs that are sent to the
                              authentication server in the check request. If a context
                              is provided at an enclosing scope, the entries are merged
                              such that the inner scope overrides matching keys from the
                              outer scope.
                            type: object
                          disabled:
                            description: |-
                              When true, this field disables client request authentication
                              for the scope of the policy.
                            type: boolean
                        type: object
                      extensionRef:
                        description: ExtensionServiceRef specifies the extension resource
                          that will authorize client requests.
                        properties:
                          apiVersion:
                            description: |-
                              API version of the referent.
                              If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
                            minLength: 1
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              If this field is not specifies, the namespace of the resource that targets the referent will be used.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            minLength: 1
                            type: string
                        type: object
                      failOpen:
                        description: |-
                          If FailOpen is true, the client request is forwarded to the upstream service
                          even if the authorization server fails to respond. This field should not be
                          set in most cases. It is intended for use only while migrating applications
                          from internal authorization to Contour external authorization.
                        type: boolean
                      responseTimeout:
                        description: |-
                          ResponseTimeout configures maximum time to wait for a check response from the authorization server.
                          Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
                          Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
                          The string "infinity" is also a valid input and specifies no timeout.
                        pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                        type: string
                      withRequestBody:
                        description: WithRequestBody specifies configuration for sending
                          the client request's body to authorization server.
                        properties:
                          allowPartialMessage:
                            description: If AllowPartialMessage is true, then Envoy
                              will buffer the body until MaxRequestBytes are reached.
                            type: boolean
                          maxRequestBytes:
                            default: 1024
                            description: MaxRequestBytes sets the maximum size of
                              message body ExtAuthz filter will hold in-memory.
                            format: int32
                            minimum: 1
                            type: integer
                          packAsBytes:
                            description: If PackAsBytes is true, the body sent to
                              Authorization Server is in raw bytes.
                            type: boolean
                        type: object
                    type: object
                  health:
                    description: |-
                      Health defines the endpoints Contour uses to serve health checks.
                      Contour's default is { address: "0.0.0.0", port: 8000 }.
                    properties:
                      address:
                        description: Defines the health address interface.
                        minLength: 1
                        type: string
                      port:
                        description: Defines the health port.
                        type: integer
                    type: object
                  httpproxy:
                    description: HTTPProxy defines parameters on HTTPProxy.
                    properties:
                      disablePermitInsecure:
                        description: |-
                          DisablePermitInsecure disables the use of the
                          permitInsecure field in HTTPProxy.
                          Contour's default is false.
                        type: boolean
                      fallbackCertificate:
                        description: |-
                          FallbackCertificate defines the namespace/name of the Kubernetes secret to
                          use as fallback when a non-SNI request is received.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        - namespace
                        type: object
                      rootNamespaces:
                        description: Restrict Contour to searching these namespaces
                          for root ingress routes.
                        items:
                          type: string
                        type: array
                    type: object
                  ingress:
                    description: Ingress contains parameters for ingress options.
                    properties:
                      classNames:
                        description: Ingress Class Names Contour should use.
                        items:
                          type: string
                        type: array
                      statusAddress:
                        description: Address to set in Ingress object status.
                        type: string
                    type: object
                  metrics:
                    description: |-
                      Metrics defines the endpoint Contour uses to serve metrics.
                      Contour's default is { address: "0.0.0.0", port: 8000 }.
                    properties:
                      address:
                        description: Defines the metrics address interface.
                        maxLength: 253
                        minLength: 1
                        type: string
                      port:
                        description: Defines the metrics port.
                        type: integer
                      tls:
                        description: |-
                          TLS holds TLS file config details.
                          Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
                        properties:
                          caFile:
                            description: CA filename.
                            type: string
                          certFile:
                            description: Client certificate filename.
                            type: string
                          keyFile:
                            description: Client key filename.
                            type: string
                        type: object
                    type: object
                  policy:
                    description: Policy specifies default policy applied if not overridden
                      by the user
                    properties:
                      applyToIngress:
                        description: |-
                          ApplyToIngress determines if the Policies will apply to ingress objects
                          Contour's default is false.
                        type: boolean
                      requestHeaders:
                        description: RequestHeadersPolicy defines the request headers
                          set/removed on all routes
                        properties:
                          remove:
                            items:
                              type: string
                            type: array
                          set:
                            additionalProperties:
                              type: string
                            type: object
                        type: object
                      responseHeaders:
                        description: ResponseHeadersPolicy defines the response headers
                          set/removed on all routes
                        properties:
                          remove:
                            items:
                              type: string
                            type: array
                          set:
                            additionalProperties:
                              type: string
                            type: object
                        type: object
                    type: object
                  rateLimitService:
                    description: |-
                      RateLimitService optionally holds properties of the Rate Limit Service
                      to be used for global rate limiting.
                    properties:
                      defaultGlobalRateLimitPolicy:
                        description: |-
                          DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
                          HTTPProxy can overwrite this configuration.
                        properties:
                          descriptors:
                            description: |-
                              Descriptors defines the list of descriptors that will
                              be generated and sent to the rate limit service. Each
                              descriptor contains 1+ key-value pair entries.
                            items:
                              description: RateLimitDescriptor defines a list of key-value
                                pair generators.
                              properties:
                                entries:
                                  description: Entries is the list of key-value pair
                                    generators.
                                  items:
                                    description: |-
                                      RateLimitDescriptorEntry is a key-value pair generator. Exactly
                                      one field on this struct must be non-nil.
                                    properties:
                                      genericKey:
                                        description: GenericKey defines a descriptor
                                          entry with a static key and value.
                                        properties:
                                          key:
                                            description: |-
                                              Key defines the key of the descriptor entry. If not set, the
                                              key is set to "generic_key".
                                            type: string
                                          value:
                                            description: Value defines the value of
                                              the descriptor entry.
                                            minLength: 1
                                            type: string
                                        type: object
                                      remoteAddress:
                                        description: |-
                                          RemoteAddress defines a descriptor entry with a key of "remote_address"
                                          and a value equal to the client's IP address (from x-forwarded-for).
                                        type: object
                                      requestHeader:
                                        description: |-
                                          RequestHeader defines a descriptor entry that's populated only if
                                          a given header is present on the request. The descriptor key is static,
                                          and the descriptor value is equal to the value of the header.
                                        properties:
                                          descriptorKey:
                                            description: DescriptorKey defines the
                                              key to use on the descriptor entry.
                                            minLength: 1
                                            type: string
                                          headerName:
                                            description: HeaderName defines the name
                                              of the header to look for on the request.
                                            minLength: 1
                                            type: string
                                        type: object
                                      requestHeaderValueMatch:
                                        description: |-
                                          RequestHeaderValueMatch defines a descriptor entry that's populated
                                          if the request's headers match a set of 1+ match criteria. The
                                          descriptor key is "header_match", and the descriptor value is static.
                                        properties:
                                          expectMatch:
                                            default: true
                                            description: |-
                                              ExpectMatch defines whether the request must positively match the match
                                              criteria in order to generate a descriptor entry (i.e. true), or not
                                              match the match criteria in order to generate a descriptor entry (i.e. false).
                                              The default is true.
                                            type: boolean
                                          headers:
                                            description: |-
                                              Headers is a list of 1+ match criteria to apply against the request
                                              to determine whether to populate the descriptor entry or not.
                                            items:
                                              description: |-
                                                HeaderMatchCondition specifies how to conditionally match against HTTP
                                                headers. The Name field is required, only one of Present, NotPresent,
                                                Contains, NotContains, Exact, NotExact and Regex can be set.
                                                For negative matching rules only (e.g. NotContains or NotExact) you can set
                                                TreatMissingAsEmpty.
                                                IgnoreCase has no effect for Regex.
                                              properties:
                                                contains:
                                                  description: |-
                                                    Contains specifies a substring that must be present in
                                                    the header value.
                                                  type: string
                                                exact:
                                                  description: Exact specifies a string
                                                    that the header value must be
                                                    equal to.
                                                  type: string
                                                ignoreCase:
                                                  description: |-
                                                    IgnoreCase specifies that string matching should be case insensitive.
                                                    Note that this has no effect on the Regex parameter.
                                                  type: boolean
                                                name:
                                                  description: |-
                                                    Name is the name of the header to match against. Name is required.
                                                    Header names are case insensitive.
                                                  type: string
                                                notcontains:
                                                  description: |-
                                                    NotContains specifies a substring that must not be present
                                                    in the header value.
                                                  type: string
                                                notexact:
                                                  description: |-
                                                    NoExact specifies a string that the header value must not be
                                                    equal to. The condition is true if the header has any other value.
                                                  type: string
                                                notpresent:
                                                  description: |-
                                                    NotPresent specifies that condition is true when the named header
                                                    is not present. Note that setting NotPresent to false does not
                                                    make the condition true if the named header is present.
                                                  type: boolean
                                                present:
                                                  description: |-
                                                    Present specifies that condition is true when the named header
                                                    is present, regardless of its value. Note that setting Present
                                                    to false does not make the condition true if the named header
                                                    is absent.
                                                  type: boolean
                                                regex:
                                                  description: |-
                                                    Regex specifies a regular expression pattern that must match the header
                                                    value.
                                                  type: string
                                                treatMissingAsEmpty:
                                                  description: |-
                                                    TreatMissingAsEmpty specifies if the header match rule specified header
                                                    does not exist, this header value will be treated as empty. Defaults to false.
                                                    Unlike the underlying Envoy implementation this is **only** supported for
                                                    negative matches (e.g. NotContains, NotExact).
                                                  type: boolean
                                              required:
                                              - name
                                              type: object
                                            minItems: 1
                                            type: array
                                          value:
                                            description: Value defines the value of
                                              the descriptor entry.
                                            minLength: 1
                                            type: string
                                        type: object
                                    type: object
                                  minItems: 1
                                  type: array
                              type: object
                            minItems: 1
                            type: array
                          disabled:
                            description: |-
                              Disabled configures the HTTPProxy to not use
                              the default global rate limit policy defined by the Contour configuration.
                            type: boolean
                        type: object
                      domain:
                        description: Domain is passed to the Rate Limit Service.
                        type: string
                      enableResourceExhaustedCode:
                        description: |-
                          EnableResourceExhaustedCode enables translating error code 429 to
                          grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
                        type: boolean
                      enableXRateLimitHeaders:
                        description: |-
                          EnableXRateLimitHeaders defines whether to include the X-RateLimit
                          headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
                          (as defined by the IETF Internet-Draft linked below), on responses
                          to clients when the Rate Limit Service is consulted for a request.
                          ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
                        type: boolean
                      extensionService:
                        description: ExtensionService identifies the extension service
                          defining the RLS.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        - namespace
                        type: object
                      failOpen:
                        description: |-
                          FailOpen defines whether to allow requests to proceed when the
                          Rate Limit Service fails to respond with a valid rate limit
                          decision within the timeout defined on the extension service.
                        type: boolean
                    required:
                    - extensionService
                    type: object
                  tracing:
                    description: Tracing defines properties for exporting trace data
                      to OpenTelemetry.
                    properties:
                      customTags:
                        description: CustomTags defines a list of custom tags with
                          unique tag name.
                        items:
                          description: |-
                            CustomTag defines custom tags with unique tag name
                            to create tags for the active span.
                          properties:
                            literal:
                              description: |-
                                Literal is a static custom tag value.
                                Precisely one of Literal, RequestHeaderName must be set.
                              type: string
                            requestHeaderName:
                              description: |-
                                RequestHeaderName indicates which request header
                                the label value is obtained from.
                                Precisely one of Literal, RequestHeaderName must be set.
                              type: string
                            tagName:
                              description: TagName is the unique name of the custom
                                tag.
                              type: string
                          required:
                          - tagName
                          type: object
                        type: array
                      extensionService:
                        description: ExtensionService identifies the extension service
                          defining the otel-collector.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        - namespace
                        type: object
                      includePodDetail:
                        description: |-
                          IncludePodDetail defines a flag.
                          If it is true, contour will add the pod name and namespace to the span of the trace.
                          the default is true.
                          Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
                        type: boolean
                      maxPathTagLength:
                        description: |-
                          MaxPathTagLength defines maximum length of the request path
                          to extract and include in the HttpUrl tag.
                          contour's default is 256.
                        format: int32
                        type: integer
                      overallSampling:
                        description: |-
                          OverallSampling defines the sampling rate of trace data.
                          contour's default is 100.
                        type: string
                      serviceName:
                        description: |-
                          ServiceName defines the name for the service.
                          contour's default is contour.
                        type: string
                    required:
                    - extensionService
                    type: object
                  xdsServer:
                    description: XDSServer contains parameters for the xDS server.
                    properties:
                      address:
                        description: |-
                          Defines the xDS gRPC API address which Contour will serve.
                          Contour's default is "0.0.0.0".
                        minLength: 1
                        type: string
                      port:
                        description: |-
                          Defines the xDS gRPC API port which Contour will serve.
                          Contour's default is 8001.
                        type: integer
                      tls:
                        description: |-
                          TLS holds TLS file config details.
                          Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
                        properties:
                          caFile:
                            description: CA filename.
                            type: string
                          certFile:
                            description: Client certificate filename.
                            type: string
                          insecure:
                            description: Allow serving the xDS gRPC API without TLS.
                            type: boolean
                          keyFile:
                            description: Client key filename.
                            type: string
                        type: object
                      type:
                        description: |-
                          Defines the XDSServer to use for `contour serve`.
                          Values: `contour` (default), `envoy`.
                          Other values will produce an error.
                        type: string
                    type: object
                type: object
            type: object
          status:
            description: ContourDeploymentStatus defines the observed state of a ContourDeployment
              resource.
            properties:
              conditions:
                description: Conditions describe the current conditions of the ContourDeployment
                  resource.
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: extensionservices.projectcontour.io
spec:
  preserveUnknownFields: false
  group: projectcontour.io
  names:
    kind: ExtensionService
    listKind: ExtensionServiceList
    plural: extensionservices
    shortNames:
    - extensionservice
    - extensionservices
    singular: extensionservice
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          ExtensionService is the schema for the Contour extension services API.
          An ExtensionService resource binds a network service to the Contour
          API so that Contour API features can be implemented by collaborating
          components.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ExtensionServiceSpec defines the desired state of an ExtensionService
              resource.
            properties:
              loadBalancerPolicy:
                description: |-
                  The policy for load balancing GRPC service requests. Note that the
                  `Cookie` and `RequestHash` load balancing strategies cannot be used
                  here.
                properties:
                  requestHashPolicies:
                    description: |-
                      RequestHashPolicies contains a list of hash policies to apply when the
                      `RequestHash` load balancing strategy is chosen. If an element of the
                      supplied list of hash policies is invalid, it will be ignored. If the
                      list of hash policies is empty after validation, the load balancing
                      strategy will fall back to the default `RoundRobin`.
                    items:
                      description: |-
                        RequestHashPolicy contains configuration for an individual hash policy
                        on a request attribute.
                      properties:
                        hashSourceIP:
                          description: |-
                            HashSourceIP should be set to true when request source IP hash based
                            load balancing is desired. It must be the only hash option field set,
                            otherwise this request hash policy object will be ignored.
                          type: boolean
                        headerHashOptions:
                          description: |-
                            HeaderHashOptions should be set when request header hash based load
                            balancing is desired. It must be the only hash option field set,
                            otherwise this request hash policy object will be ignored.
                          properties:
                            headerName:
                              description: |-
                                HeaderName is the name of the HTTP request header that will be used to
                                calculate the hash key. If the header specified is not present on a
                                request, no hash will be produced.
                              minLength: 1
                              type: string
                          type: object
                        queryParameterHashOptions:
                          description: |-
                            QueryParameterHashOptions should be set when request query parameter hash based load
                            balancing is desired. It must be the only hash option field set,
                            otherwise this request hash policy object will be ignored.
                          properties:
                            parameterName:
                              description: |-
                                ParameterName is the name of the HTTP request query parameter that will be used to
                                calculate the hash key. If the query parameter specified is not present on a
                                request, no hash will be produced.
                              minLength: 1
                              type: string
                          type: object
                        terminal:
                          description: |-
                            Terminal is a flag that allows for short-circuiting computing of a hash
                            for a given request. If set to true, and the request attribute specified
                            in the attribute hash options is present, no further hash policies will
                            be used to calculate a hash for the request.
                          type: boolean
                      type: object
                    type: array
                  strategy:
                    description: |-
                      Strategy specifies the policy used to balance requests
                      across the pool of backend pods. Valid policy names are
                      `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
                      and `RequestHash`. If an unknown strategy name is specified
                      or no policy is supplied, the default `RoundRobin` policy
                      is used.
                    type: string
                type: object
              protocol:
                description: |-
                  Protocol may be used to specify (or override) the protocol used to reach this Service.
                  Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.
                enum:
                - h2
                - h2c
                type: string
              protocolVersion:
                description: |-
                  This field sets the version of the GRPC protocol that Envoy uses to
                  send requests to the extension service. Since Contour always uses the
                  v3 Envoy API, this is currently fixed at "v3". However, other
                  protocol options will be available in future.
                enum:
                - v3
                type: string
              services:
                description: |-
                  Services specifies the set of Kubernetes Service resources that
                  receive GRPC extension API requests.
                  If no weights are specified for any of the entries in
                  this array, traffic will be spread evenly across all the
                  services.
                  Otherwise, traffic is balanced proportionally to the
                  Weight field in each entry.
                items:
                  description: |-
                    ExtensionServiceTarget defines an Kubernetes Service to target with
                    extension service traffic.
                  properties:
                    name:
                      description: |-
                        Name is the name of Kubernetes service that will accept service
                        traffic.
                      type: string
                    port:
                      description: Port (defined as Integer) to proxy traffic to since
                        a service can have multiple defined.
                      exclusiveMaximum: true
                      maximum: 65536
                      minimum: 1
                      type: integer
                    weight:
                      description: Weight defines proportion of traffic to balance
                        to the Kubernetes Service.
                      format: int32
                      type: integer
                  required:
                  - name
                  - port
                  type: object
                minItems: 1
                type: array
              timeoutPolicy:
                description: The timeout policy for requests to the services.
                properties:
                  idle:
                    description: |-
                      Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
                      Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
                      If not specified, there is no per-route idle timeout, though a connection manager-wide
                      stream_idle_timeout default of 5m still applies.
                    pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                    type: string
                  idleConnection:
                    description: |-
                      Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
                      If not supplied, Envoy's default value of 1h applies.
                    pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                    type: string
                  response:
                    description: |-
                      Timeout for receiving a response from the server after processing a request from client.
                      If not supplied, Envoy's default value of 15s applies.
                    pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                    type: string
                type: object
              validation:
                description: UpstreamValidation defines how to verify the backend
                  service's certificate
                properties:
                  caSecret:
                    description: |-
                      Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
                      The secret must contain key named ca.crt.
                      The name can be optionally prefixed with namespace "namespace/name".
                      When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
                      Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
                    maxLength: 317
                    minLength: 1
                    type: string
                  subjectName:
                    description: |-
                      Key which is expected to be present in the 'subjectAltName' of the presented certificate.
                      Deprecated: migrate to using the plural field subjectNames.
                    maxLength: 250
                    minLength: 1
                    type: string
                  subjectNames:
                    description: |-
                      List of keys, of which at least one is expected to be present in the 'subjectAltName of the
                      presented certificate.
                    items:
                      type: string
                    maxItems: 8
                    minItems: 1
                    type: array
                required:
                - caSecret
                - subjectName
                type: object
                x-kubernetes-validations:
                - message: subjectNames[0] must equal subjectName if set
                  rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName
                    : true'
            required:
            - services
            type: object
          status:
            description: |-
              ExtensionServiceStatus defines the observed state of an
              ExtensionService resource.
            properties:
              conditions:
                description: |-
                  Conditions contains the current status of the ExtensionService resource.
                  Contour will update a single condition, `Valid`, that is in normal-true polarity.
                  Contour will not modify any other Conditions set in this block,
                  in case some other controller wants to add a Condition.
                items:
                  description: |-
                    DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
                    fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
                    of the condition.
                    `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
                    `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
                    Remember that Conditions have a type, a status, and a reason.
                    The type is the type of the condition, the most important one in this CRD set is `Valid`.
                    `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
                    In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
                    `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
                    slice in this case.
                    `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
                    The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
                    slice if `status` is `false`.
                    For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
                    When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
                    When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
                    In either case, there may be entries in the `warnings` slice.
                    Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
                    (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
                    `MultipleReasons` if there is more than one entry.
                  properties:
                    errors:
                      description: |-
                        Errors contains a slice of relevant error subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
                        An empty slice here indicates no errors.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                    warnings:
                      description: |-
                        Warnings contains a slice of relevant warning subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
                        An empty slice here indicates no warnings.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: httpproxies.projectcontour.io
spec:
  preserveUnknownFields: false
  group: projectcontour.io
  names:
    kind: HTTPProxy
    listKind: HTTPProxyList
    plural: httpproxies
    shortNames:
    - proxy
    - proxies
    singular: httpproxy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Fully qualified domain name
      jsonPath: .spec.virtualhost.fqdn
      name: FQDN
      type: string
    - description: Secret with TLS credentials
      jsonPath: .spec.virtualhost.tls.secretName
      name: TLS Secret
      type: string
    - description: The current status of the HTTPProxy
      jsonPath: .status.currentStatus
      name: Status
      type: string
    - description: Description of the current status
      jsonPath: .status.description
      name: Status Description
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: HTTPProxy is an Ingress CRD specification.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: HTTPProxySpec defines the spec of the CRD.
            properties:
              includes:
                description: |-
                  Includes allow for specific routing configuration to be included from another HTTPProxy,
                  possibly in another namespace.
                items:
                  description: Include describes a set of policies that can be applied
                    to an HTTPProxy in a namespace.
                  properties:
                    conditions:
                      description: |-
                        Conditions are a set of rules that are applied to included HTTPProxies.
                        In effect, they are added onto the Conditions of included HTTPProxy Route
                        structs.
                        When applied, they are merged using AND, with one exception:
                        There can be only one Prefix MatchCondition per Conditions slice.
                        More than one Prefix, or contradictory Conditions, will make the
                        include invalid. Exact and Regex match conditions are not allowed
                        on includes.
                      items:
                        description: |-
                          MatchCondition are a general holder for matching rules for HTTPProxies.
                          One of Prefix, Exact, Regex, Header or QueryParameter must be provided.
                        properties:
                          exact:
                            description: |-
                              Exact defines a exact match for a request.
                              This field is not allowed in include match conditions.
                            type: string
                          header:
                            description: Header specifies the header condition to
                              match.
                            properties:
                              contains:
                                description: |-
                                  Contains specifies a substring that must be present in
                                  the header value.
                                type: string
                              exact:
                                description: Exact specifies a string that the header
                                  value must be equal to.
                                type: string
                              ignoreCase:
                                description: |-
                                  IgnoreCase specifies that string matching should be case insensitive.
                                  Note that this has no effect on the Regex parameter.
                                type: boolean
                              name:
                                description: |-
                                  Name is the name of the header to match against. Name is required.
                                  Header names are case insensitive.
                                type: string
                              notcontains:
                                description: |-
                                  NotContains specifies a substring that must not be present
                                  in the header value.
                                type: string
                              notexact:
                                description: |-
                                  NoExact specifies a string that the header value must not be
                                  equal to. The condition is true if the header has any other value.
                                type: string
                              notpresent:
                                description: |-
                                  NotPresent specifies that condition is true when the named header
                                  is not present. Note that setting NotPresent to false does not
                                  make the condition true if the named header is present.
                                type: boolean
                              present:
                                description: |-
                                  Present specifies that condition is true when the named header
                                  is present, regardless of its value. Note that setting Present
                                  to false does not make the condition true if the named header
                                  is absent.
                                type: boolean
                              regex:
                                description: |-
                                  Regex specifies a regular expression pattern that must match the header
                                  value.
                                type: string
                              treatMissingAsEmpty:
                                description: |-
                                  TreatMissingAsEmpty specifies if the header match rule specified header
                                  does not exist, this header value will be treated as empty. Defaults to false.
                                  Unlike the underlying Envoy implementation this is **only** supported for
                                  negative matches (e.g. NotContains, NotExact).
                                type: boolean
                            required:
                            - name
                            type: object
                          prefix:
                            description: Prefix defines a prefix match for a request.
                            type: string
                          queryParameter:
                            description: QueryParameter specifies the query parameter
                              condition to match.
                            properties:
                              contains:
                                description: |-
                                  Contains specifies a substring that must be present in
                                  the query parameter value.
                                type: string
                              exact:
                                description: Exact specifies a string that the query
                                  parameter value must be equal to.
                                type: string
                              ignoreCase:
                                description: |-
                                  IgnoreCase specifies that string matching should be case insensitive.
                                  Note that this has no effect on the Regex parameter.
                                type: boolean
                              name:
                                description: |-
                                  Name is the name of the query parameter to match against. Name is required.
                                  Query parameter names are case insensitive.
                                type: string
                              prefix:
                                description: Prefix defines a prefix match for the
                                  query parameter value.
                                type: string
                              present:
                                description: |-
                                  Present specifies that condition is true when the named query parameter
                                  is present, regardless of its value. Note that setting Present
                                  to false does not make the condition true if the named query parameter
                                  is absent.
                                type: boolean
                              regex:
                                description: |-
                                  Regex specifies a regular expression pattern that must match the query
                                  parameter value.
                                type: string
                              suffix:
                                description: Suffix defines a suffix match for a query
                                  parameter value.
                                type: string
                            required:
                            - name
                            type: object
                          regex:
                            description: |-
                              Regex defines a regex match for a request.
                              This field is not allowed in include match conditions.
                            type: string
                        type: object
                      type: array
                    name:
                      description: Name of the HTTPProxy
                      type: string
                    namespace:
                      description: Namespace of the HTTPProxy to include. Defaults
                        to the current namespace if not supplied.
                      type: string
                  required:
                  - name
                  type: object
                type: array
              ingressClassName:
                description: |-
                  IngressClassName optionally specifies the ingress class to use for this
                  HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class`
                  annotation. For backwards compatibility, when that annotation is set, it
                  is given precedence over this field.
                type: string
              routes:
                description: Routes are the ingress routes. If TCPProxy is present,
                  Routes is ignored.
                items:
                  description: Route contains the set of routes for a virtual host.
                  properties:
                    authPolicy:
                      description: |-
                        AuthPolicy updates the authorization policy that was set
                        on the root HTTPProxy object for client requests that
                        match this route.
                      properties:
                        context:
                          additionalProperties:
                            type: string
                          description: |-
                            Context is a set of key/value pairs that are sent to the
                            authentication server in the check request. If a context
                            is provided at an enclosing scope, the entries are merged
                            such that the inner scope overrides matching keys from the
                            outer scope.
                          type: object
                        disabled:
                          description: |-
                            When true, this field disables client request authentication
                            for the scope of the policy.
                          type: boolean
                      type: object
                    conditions:
                      description: |-
                        Conditions are a set of rules that are applied to a Route.
                        When applied, they are merged using AND, with one exception:
                        There can be only one Prefix, Exact or Regex MatchCondition
                        per Conditions slice. More than one of these condition types,
                        or contradictory Conditions, will make the route invalid.
                      items:
                        description: |-
                          MatchCondition are a general holder for matching rules for HTTPProxies.
                          One of Prefix, Exact, Regex, Header or QueryParameter must be provided.
                        properties:
                          exact:
                            description: |-
                              Exact defines a exact match for a request.
                              This field is not allowed in include match conditions.
                            type: string
                          header:
                            description: Header specifies the header condition to
                              match.
                            properties:
                              contains:
                                description: |-
                                  Contains specifies a substring that must be present in
                                  the header value.
                                type: string
                              exact:
                                description: Exact specifies a string that the header
                                  value must be equal to.
                                type: string
                              ignoreCase:
                                description: |-
                                  IgnoreCase specifies that string matching should be case insensitive.
                                  Note that this has no effect on the Regex parameter.
                                type: boolean
                              name:
                                description: |-
                                  Name is the name of the header to match against. Name is required.
                                  Header names are case insensitive.
                                type: string
                              notcontains:
                                description: |-
                                  NotContains specifies a substring that must not be present
                                  in the header value.
                                type: string
                              notexact:
                                description: |-
                                  NoExact specifies a string that the header value must not be
                                  equal to. The condition is true if the header has any other value.
                                type: string
                              notpresent:
                                description: |-
                                  NotPresent specifies that condition is true when the named header
                                  is not present. Note that setting NotPresent to false does not
                                  make the condition true if the named header is present.
                                type: boolean
                              present:
                                description: |-
                                  Present specifies that condition is true when the named header
                                  is present, regardless of its value. Note that setting Present
                                  to false does not make the condition true if the named header
                                  is absent.
                                type: boolean
                              regex:
                                description: |-
                                  Regex specifies a regular expression pattern that must match the header
                                  value.
                                type: string
                              treatMissingAsEmpty:
                                description: |-
                                  TreatMissingAsEmpty specifies if the header match rule specified header
                                  does not exist, this header value will be treated as empty. Defaults to false.
                                  Unlike the underlying Envoy implementation this is **only** supported for
                                  negative matches (e.g. NotContains, NotExact).
                                type: boolean
                            required:
                            - name
                            type: object
                          prefix:
                            description: Prefix defines a prefix match for a request.
                            type: string
                          queryParameter:
                            description: QueryParameter specifies the query parameter
                              condition to match.
                            properties:
                              contains:
                                description: |-
                                  Contains specifies a substring that must be present in
                                  the query parameter value.
                                type: string
                              exact:
                                description: Exact specifies a string that the query
                                  parameter value must be equal to.
                                type: string
                              ignoreCase:
                                description: |-
                                  IgnoreCase specifies that string matching should be case insensitive.
                                  Note that this has no effect on the Regex parameter.
                                type: boolean
                              name:
                                description: |-
                                  Name is the name of the query parameter to match against. Name is required.
                                  Query parameter names are case insensitive.
                                type: string
                              prefix:
                                description: Prefix defines a prefix match for the
                                  query parameter value.
                                type: string
                              present:
                                description: |-
                                  Present specifies that condition is true when the named query parameter
                                  is present, regardless of its value. Note that setting Present
                                  to false does not make the condition true if the named query parameter
                                  is absent.
                                type: boolean
                              regex:
                                description: |-
                                  Regex specifies a regular expression pattern that must match the query
                                  parameter value.
                                type: string
                              suffix:
                                description: Suffix defines a suffix match for a query
                                  parameter value.
                                type: string
                            required:
                            - name
                            type: object
                          regex:
                            description: |-
                              Regex defines a regex match for a request.
                              This field is not allowed in include match conditions.
                            type: string
                        type: object
                      type: array
                    cookieRewritePolicies:
                      description: |-
                        The policies for rewriting Set-Cookie header attributes. Note that
                        rewritten cookie names must be unique in this list. Order rewrite
                        policies are specified in does not matter.
                      items:
                        properties:
                          domainRewrite:
                            description: |-
                              DomainRewrite enables rewriting the Set-Cookie Domain element.
                              If not set, Domain will not be rewritten.
                            properties:
                              value:
                                description: |-
                                  Value is the value to rewrite the Domain attribute to.
                                  For now this is required.
                                maxLength: 4096
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                            required:
                            - value
                            type: object
                          name:
                            description: Name is the name of the cookie for which
                              attributes will be rewritten.
                            maxLength: 4096
                            minLength: 1
                            pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
                            type: string
                          pathRewrite:
                            description: |-
                              PathRewrite enables rewriting the Set-Cookie Path element.
                              If not set, Path will not be rewritten.
                            properties:
                              value:
                                description: |-
                                  Value is the value to rewrite the Path attribute to.
                                  For now this is required.
                                maxLength: 4096
                                minLength: 1
                                pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
                                type: string
                            required:
                            - value
                            type: object
                          sameSite:
                            description: |-
                              SameSite enables rewriting the Set-Cookie SameSite element.
                              If not set, SameSite attribute will not be rewritten.
                            enum:
                            - Strict
                            - Lax
                            - None
                            type: string
                          secure:
                            description: |-
                              Secure enables rewriting the Set-Cookie Secure element.
                              If not set, Secure attribute will not be rewritten.
                            type: boolean
                        required:
                        - name
                        type: object
                      type: array
                    directResponsePolicy:
                      description: DirectResponsePolicy returns an arbitrary HTTP
                        response directly.
                      properties:
                        body:
                          description: |-
                            Body is the content of the response body.
                            If this setting is omitted, no body is included in the generated response.
                            Note: Body is not recommended to set too long
                            otherwise it can have significant resource usage impacts.
                          type: string
                        statusCode:
                          description: StatusCode is the HTTP response status to be
                            returned.
                          maximum: 599
                          minimum: 200
                          type: integer
                      required:
                      - statusCode
                      type: object
                    enableWebsockets:
                      description: Enables websocket support for the route.
                      type: boolean
                    healthCheckPolicy:
                      description: The health check policy for this route.
                      properties:
                        expectedStatuses:
                          description: |-
                            The ranges of HTTP response statuses considered healthy. Follow half-open
                            semantics, i.e. for each range the start is inclusive and the end is exclusive.
                            Must be within the range [100,600). If not specified, only a 200 response status
                            is considered healthy.
                          items:
                            properties:
                              end:
                                description: The end (exclusive) of a range of HTTP
                                  status codes.
                                format: int64
                                maximum: 600
                                minimum: 101
                                type: integer
                              start:
                                description: The start (inclusive) of a range of HTTP
                                  status codes.
                                format: int64
                                maximum: 599
                                minimum: 100
                                type: integer
                            required:
                            - end
                            - start
                            type: object
                          type: array
                        healthyThresholdCount:
                          description: The number of healthy health checks required
                            before a host is marked healthy
                          format: int64
                          minimum: 0
                          type: integer
                        host:
                          description: |-
                            The value of the host header in the HTTP health check request.
                            If left empty (default value), the name "contour-envoy-healthcheck"
                            will be used.
                          type: string
                        intervalSeconds:
                          description: The interval (seconds) between health checks
                          format: int64
                          type: integer
                        path:
                          description: HTTP endpoint used to perform health checks
                            on upstream service
                          type: string
                        timeoutSeconds:
                          description: The time to wait (seconds) for a health check
                            response
                          format: int64
                          type: integer
                        unhealthyThresholdCount:
                          description: The number of unhealthy health checks required
                            before a host is marked unhealthy
                          format: int64
                          minimum: 0
                          type: integer
                      required:
                      - path
                      type: object
                    internalRedirectPolicy:
                      description: The policy to define when to handle redirects responses
                        internally.
                      properties:
                        allowCrossSchemeRedirect:
                          default: Never
                          description: |-
                            AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme
                            than the value of x-forwarded-proto.
                            SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream
                            scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme
                            is HTTP, only HTTP redirect targets are allowed.
                          enum:
                          - Always
                          - Never
                          - SafeOnly
                          type: string
                        denyRepeatedRouteRedirect:
                          description: |-
                            If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has
                            been followed by a previous redirect from the current route.
                          type: boolean
                        maxInternalRedirects:
                          description: |-
                            MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal
                            redirects that a downstream request has encountered is lower than this value.
                          format: int32
                          type: integer
                        redirectResponseCodes:
                          description: |-
                            RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect.
                            Only 301, 302, 303, 307 and 308 are valid values.
                          items:
                            description: RedirectResponseCode is a uint32 type alias
                              with validation to ensure that the value is valid.
                            enum:
                            - 301
                            - 302
                            - 303
                            - 307
                            - 308
                            format: int32
                            type: integer
                          type: array
                      type: object
                    ipAllowPolicy:
                      description: |-
                        IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
                        requests should be allowed. All other requests will be denied.
                        Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
                        The rules defined here override any rules set on the root HTTPProxy.
                      items:
                        properties:
                          cidr:
                            description: |-
                              CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
                              a bare IP address (without a mask) to filter on exactly one address.
                            type: string
                          source:
                            description: |-
                              Source indicates how to determine the ip address to filter on, and can be
                              one of two values:
                               - `Remote` filters on the ip address of the client, accounting for PROXY and
                                 X-Forwarded-For as needed.
                               - `Peer` filters on the ip of the network request, ignoring PROXY and
                                 X-Forwarded-For.
                            enum:
                            - Peer
                            - Remote
                            type: string
                        required:
                        - cidr
                        - source
                        type: object
                      type: array
                    ipDenyPolicy:
                      description: |-
                        IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
                        requests should be denied. All other requests will be allowed.
                        Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
                        The rules defined here override any rules set on the root HTTPProxy.
                      items:
                        properties:
                          cidr:
                            description: |-
                              CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
                              a bare IP address (without a mask) to filter on exactly one address.
                            type: string
                          source:
                            description: |-
                              Source indicates how to determine the ip address to filter on, and can be
                              one of two values:
                               - `Remote` filters on the ip address of the client, accounting for PROXY and
                                 X-Forwarded-For as needed.
                               - `Peer` filters on the ip of the network request, ignoring PROXY and
                                 X-Forwarded-For.
                            enum:
                            - Peer
                            - Remote
                            type: string
                        required:
                        - cidr
                        - source
                        type: object
                      type: array
                    jwtVerificationPolicy:
                      description: The policy for verifying JWTs for requests to this
                        route.
                      properties:
                        disabled:
                          description: |-
                            Disabled defines whether to disable all JWT verification for this
                            route. This can be used to opt specific routes out of the default
                            JWT provider for the HTTPProxy. At most one of this field or the
                            "require" field can be specified.
                          type: boolean
                        require:
                          description: |-
                            Require names a specific JWT provider (defined in the virtual host)
                            to require for the route. If specified, this field overrides the
                            default provider if one exists. If this field is not specified,
                            the default provider will be required if one exists. At most one of
                            this field or the "disabled" field can be specified.
                          type: string
                      type: object
                    loadBalancerPolicy:
                      description: The load balancing policy for this route.
                      properties:
                        requestHashPolicies:
                          description: |-
                            RequestHashPolicies contains a list of hash policies to apply when the
                            `RequestHash` load balancing strategy is chosen. If an element of the
                            supplied list of hash policies is invalid, it will be ignored. If the
                            list of hash policies is empty after validation, the load balancing
                            strategy will fall back to the default `RoundRobin`.
                          items:
                            description: |-
                              RequestHashPolicy contains configuration for an individual hash policy
                              on a request attribute.
                            properties:
                              hashSourceIP:
                                description: |-
                                  HashSourceIP should be set to true when request source IP hash based
                                  load balancing is desired. It must be the only hash option field set,
                                  otherwise this request hash policy object will be ignored.
                                type: boolean
                              headerHashOptions:
                                description: |-
                                  HeaderHashOptions should be set when request header hash based load
                                  balancing is desired. It must be the only hash option field set,
                                  otherwise this request hash policy object will be ignored.
                                properties:
                                  headerName:
                                    description: |-
                                      HeaderName is the name of the HTTP request header that will be used to
                                      calculate the hash key. If the header specified is not present on a
                                      request, no hash will be produced.
                                    minLength: 1
                                    type: string
                                type: object
                              queryParameterHashOptions:
                                description: |-
                                  QueryParameterHashOptions should be set when request query parameter hash based load
                                  balancing is desired. It must be the only hash option field set,
                                  otherwise this request hash policy object will be ignored.
                                properties:
                                  parameterName:
                                    description: |-
                                      ParameterName is the name of the HTTP request query parameter that will be used to
                                      calculate the hash key. If the query parameter specified is not present on a
                                      request, no hash will be produced.
                                    minLength: 1
                                    type: string
                                type: object
                              terminal:
                                description: |-
                                  Terminal is a flag that allows for short-circuiting computing of a hash
                                  for a given request. If set to true, and the request attribute specified
                                  in the attribute hash options is present, no further hash policies will
                                  be used to calculate a hash for the request.
                                type: boolean
                            type: object
                          type: array
                        strategy:
                          description: |-
                            Strategy specifies the policy used to balance requests
                            across the pool of backend pods. Valid policy names are
                            `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
                            and `RequestHash`. If an unknown strategy name is specified
                            or no policy is supplied, the default `RoundRobin` policy
                            is used.
                          type: string
                      type: object
                    pathRewritePolicy:
                      description: |-
                        The policy for rewriting the path of the request URL
                        after the request has been routed to a Service.
                      properties:
                        replacePrefix:
                          description: ReplacePrefix describes how the path prefix
                            should be replaced.
                          items:
                            description: ReplacePrefix describes a path prefix replacement.
                            properties:
                              prefix:
                                description: |-
                                  Prefix specifies the URL path prefix to be replaced.
                                  If Prefix is specified, it must exactly match the MatchCondition
                                  prefix that is rendered by the chain of including HTTPProxies
                                  and only that path prefix will be replaced by Replacement.
                                  This allows HTTPProxies that are included through multiple
                                  roots to only replace specific path prefixes, leaving others
                                  unmodified.
                                  If Prefix is not specified, all routing prefixes rendered
                                  by the include chain will be replaced.
                                minLength: 1
                                type: string
                              replacement:
                                description: |-
                                  Replacement is the string that the routing path prefix
                                  will be replaced with. This must not be empty.
                                minLength: 1
                                type: string
                            required:
                            - replacement
                            type: object
                          type: array
                      type: object
                    permitInsecure:
                      description: |-
                        Allow this path to respond to insecure requests over HTTP which are normally
                        not permitted when a `virtualhost.tls` block is present.
                      type: boolean
                    rateLimitPolicy:
                      description: The policy for rate limiting on the route.
                      properties:
                        global:
                          description: |-
                            Global defines global rate limiting parameters, i.e. parameters
                            defining descriptors that are sent to an external rate limit
                            service (RLS) for a rate limit decision on each request.
                          properties:
                            descriptors:
                              description: |-
                                Descriptors defines the list of descriptors that will
                                be generated and sent to the rate limit service. Each
                                descriptor contains 1+ key-value pair entries.
                              items:
                                description: RateLimitDescriptor defines a list of
                                  key-value pair generators.
                                properties:
                                  entries:
                                    description: Entries is the list of key-value
                                      pair generators.
                                    items:
                                      description: |-
                                        RateLimitDescriptorEntry is a key-value pair generator. Exactly
                                        one field on this struct must be non-nil.
                                      properties:
                                        genericKey:
                                          description: GenericKey defines a descriptor
                                            entry with a static key and value.
                                          properties:
                                            key:
                                              description: |-
                                                Key defines the key of the descriptor entry. If not set, the
                                                key is set to "generic_key".
                                              type: string
                                            value:
                                              description: Value defines the value
                                                of the descriptor entry.
                                              minLength: 1
                                              type: string
                                          type: object
                                        remoteAddress:
                                          description: |-
                                            RemoteAddress defines a descriptor entry with a key of "remote_address"
                                            and a value equal to the client's IP address (from x-forwarded-for).
                                          type: object
                                        requestHeader:
                                          description: |-
                                            RequestHeader defines a descriptor entry that's populated only if
                                            a given header is present on the request. The descriptor key is static,
                                            and the descriptor value is equal to the value of the header.
                                          properties:
                                            descriptorKey:
                                              description: DescriptorKey defines the
                                                key to use on the descriptor entry.
                                              minLength: 1
                                              type: string
                                            headerName:
                                              description: HeaderName defines the
                                                name of the header to look for on
                                                the request.
                                              minLength: 1
                                              type: string
                                          type: object
                                        requestHeaderValueMatch:
                                          description: |-
                                            RequestHeaderValueMatch defines a descriptor entry that's populated
                                            if the request's headers match a set of 1+ match criteria. The
                                            descriptor key is "header_match", and the descriptor value is static.
                                          properties:
                                            expectMatch:
                                              default: true
                                              description: |-
                                                ExpectMatch defines whether the request must positively match the match
                                                criteria in order to generate a descriptor entry (i.e. true), or not
                                                match the match criteria in order to generate a descriptor entry (i.e. false).
                                                The default is true.
                                              type: boolean
                                            headers:
                                              description: |-
                                                Headers is a list of 1+ match criteria to apply against the request
                                                to determine whether to populate the descriptor entry or not.
                                              items:
                                                description: |-
                                                  HeaderMatchCondition specifies how to conditionally match against HTTP
                                                  headers. The Name field is required, only one of Present, NotPresent,
                                                  Contains, NotContains, Exact, NotExact and Regex can be set.
                                                  For negative matching rules only (e.g. NotContains or NotExact) you can set
                                                  TreatMissingAsEmpty.
                                                  IgnoreCase has no effect for Regex.
                                                properties:
                                                  contains:
                                                    description: |-
                                                      Contains specifies a substring that must be present in
                                                      the header value.
                                                    type: string
                                                  exact:
                                                    description: Exact specifies a
                                                      string that the header value
                                                      must be equal to.
                                                    type: string
                                                  ignoreCase:
                                                    description: |-
                                                      IgnoreCase specifies that string matching should be case insensitive.
                                                      Note that this has no effect on the Regex parameter.
                                                    type: boolean
                                                  name:
                                                    description: |-
                                                      Name is the name of the header to match against. Name is required.
                                                      Header names are case insensitive.
                                                    type: string
                                                  notcontains:
                                                    description: |-
                                                      NotContains specifies a substring that must not be present
                                                      in the header value.
                                                    type: string
                                                  notexact:
                                                    description: |-
                                                      NoExact specifies a string that the header value must not be
                                                      equal to. The condition is true if the header has any other value.
                                                    type: string
                                                  notpresent:
                                                    description: |-
                                                      NotPresent specifies that condition is true when the named header
                                                      is not present. Note that setting NotPresent to false does not
                                                      make the condition true if the named header is present.
                                                    type: boolean
                                                  present:
                                                    description: |-
                                                      Present specifies that condition is true when the named header
                                                      is present, regardless of its value. Note that setting Present
                                                      to false does not make the condition true if the named header
                                                      is absent.
                                                    type: boolean
                                                  regex:
                                                    description: |-
                                                      Regex specifies a regular expression pattern that must match the header
                                                      value.
                                                    type: string
                                                  treatMissingAsEmpty:
                                                    description: |-
                                                      TreatMissingAsEmpty specifies if the header match rule specified header
                                                      does not exist, this header value will be treated as empty. Defaults to false.
                                                      Unlike the underlying Envoy implementation this is **only** supported for
                                                      negative matches (e.g. NotContains, NotExact).
                                                    type: boolean
                                                required:
                                                - name
                                                type: object
                                              minItems: 1
                                              type: array
                                            value:
                                              description: Value defines the value
                                                of the descriptor entry.
                                              minLength: 1
                                              type: string
                                          type: object
                                      type: object
                                    minItems: 1
                                    type: array
                                type: object
                              minItems: 1
                              type: array
                            disabled:
                              description: |-
                                Disabled configures the HTTPProxy to not use
                                the default global rate limit policy defined by the Contour configuration.
                              type: boolean
                          type: object
                        local:
                          description: |-
                            Local defines local rate limiting parameters, i.e. parameters
                            for rate limiting that occurs within each Envoy pod as requests
                            are handled.
                          properties:
                            burst:
                              description: |-
                                Burst defines the number of requests above the requests per
                                unit that should be allowed within a short period of time.
                              format: int32
                              type: integer
                            requests:
                              description: |-
                                Requests defines how many requests per unit of time should
                                be allowed before rate limiting occurs.
                              format: int32
                              minimum: 1
                              type: integer
                            responseHeadersToAdd:
                              description: |-
                                ResponseHeadersToAdd is an optional list of response headers to
                                set when a request is rate-limited.
                              items:
                                description: HeaderValue represents a header name/value
                                  pair
                                properties:
                                  name:
                                    description: Name represents a key of a header
                                    minLength: 1
                                    type: string
                                  value:
                                    description: Value represents the value of a header
                                      specified by a key
                                    minLength: 1
                                    type: string
                                required:
                                - name
                                - value
                                type: object
                              type: array
                            responseStatusCode:
                              description: |-
                                ResponseStatusCode is the HTTP status code to use for responses
                                to rate-limited requests. Codes must be in the 400-599 range
                                (inclusive). If not specified, the Envoy default of 429 (Too
                                Many Requests) is used.
                              format: int32
                              maximum: 599
                              minimum: 400
                              type: integer
                            unit:
                              description: |-
                                Unit defines the period of time within which requests
                                over the limit will be rate limited. Valid values are
                                "second", "minute" and "hour".
                              enum:
                              - second
                              - minute
                              - hour
                              type: string
                          required:
                          - requests
                          - unit
                          type: object
                      type: object
                    requestHeadersPolicy:
                      description: |-
                        The policy for managing request headers during proxying.
                        You may dynamically rewrite the Host header to be forwarded
                        upstream to the content of a request header using
                        the below format "%REQ(X-Header-Name)%". If the value of the header
                        is empty, it is ignored.
                        *NOTE: Pay attention to the potential security implications of using this option.
                        Provided header must come from trusted source.
                        **NOTE: The header rewrite is only done while forwarding and has no bearing
                        on the routing decision.
                      properties:
                        remove:
                          description: Remove specifies a list of HTTP header names
                            to remove.
                          items:
                            type: string
                          type: array
                        set:
                          description: |-
                            Set specifies a list of HTTP header values that will be set in the HTTP header.
                            If the header does not exist it will be added, otherwise it will be overwritten with the new value.
                          items:
                            description: HeaderValue represents a header name/value
                              pair
                            properties:
                              name:
                                description: Name represents a key of a header
                                minLength: 1
                                type: string
                              value:
                                description: Value represents the value of a header
                                  specified by a key
                                minLength: 1
                                type: string
                            required:
                            - name
                            - value
                            type: object
                          type: array
                      type: object
                    requestRedirectPolicy:
                      description: RequestRedirectPolicy defines an HTTP redirection.
                      properties:
                        hostname:
                          description: |-
                            Hostname is the precise hostname to be used in the value of the `Location`
                            header in the response.
                            When empty, the hostname of the request is used.
                            No wildcards are allowed.
                          maxLength: 253
                          minLength: 1
                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        path:
                          description: |-
                            Path allows for redirection to a different path from the
                            original on the request. The path must start with a
                            leading slash.
                            Note: Only one of Path or Prefix can be defined.
                          pattern: ^\/.*$
                          type: string
                        port:
                          description: |-
                            Port is the port to be used in the value of the `Location`
                            header in the response.
                            When empty, port (if specified) of the request is used.
                          format: int32
                          maximum: 65535
                          minimum: 1
                          type: integer
                        prefix:
                          description: |-
                            Prefix defines the value to swap the matched prefix or path with.
                            The prefix must start with a leading slash.
                            Note: Only one of Path or Prefix can be defined.
                          pattern: ^\/.*$
                          type: string
                        scheme:
                          description: |-
                            Scheme is the scheme to be used in the value of the `Location`
                            header in the response.
                            When empty, the scheme of the request is used.
                          enum:
                          - http
                          - https
                          type: string
                        statusCode:
                          default: 302
                          description: StatusCode is the HTTP status code to be used
                            in response.
                          enum:
                          - 301
                          - 302
                          type: integer
                      type: object
                    responseHeadersPolicy:
                      description: |-
                        The policy for managing response headers during proxying.
                        Rewriting the 'Host' header is not supported.
                      properties:
                        remove:
                          description: Remove specifies a list of HTTP header names
                            to remove.
                          items:
                            type: string
                          type: array
                        set:
                          description: |-
                            Set specifies a list of HTTP header values that will be set in the HTTP header.
                            If the header does not exist it will be added, otherwise it will be overwritten with the new value.
                          items:
                            description: HeaderValue represents a header name/value
                              pair
                            properties:
                              name:
                                description: Name represents a key of a header
                                minLength: 1
                                type: string
                              value:
                                description: Value represents the value of a header
                                  specified by a key
                                minLength: 1
                                type: string
                            required:
                            - name
                            - value
                            type: object
                          type: array
                      type: object
                    retryPolicy:
                      description: The retry policy for this route.
                      properties:
                        count:
                          default: 1
                          description: |-
                            NumRetries is maximum allowed number of retries.
                            If set to -1, then retries are disabled.
                            If set to 0 or not supplied, the value is set
                            to the Envoy default of 1.
                          format: int64
                          minimum: -1
                          type: integer
                        perTryTimeout:
                          description: |-
                            PerTryTimeout specifies the timeout per retry attempt.
                            Ignored if NumRetries is not supplied.
                          pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                          type: string
                        retriableStatusCodes:
                          description: |-
                            RetriableStatusCodes specifies the HTTP status codes that should be retried.
                            This field is only respected when you include `retriable-status-codes` in the `RetryOn` field.
                          items:
                            format: int32
                            type: integer
                          type: array
                        retryOn:
                          description: |-
                            RetryOn specifies the conditions on which to retry a request.
                            Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):
                            - `5xx`
                            - `gateway-error`
                            - `reset`
                            - `connect-failure`
                            - `retriable-4xx`
                            - `refused-stream`
                            - `retriable-status-codes`
                            - `retriable-headers`
                            Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):
                            - `cancelled`
                            - `deadline-exceeded`
                            - `internal`
                            - `resource-exhausted`
                            - `unavailable`
                          items:
                            description: RetryOn is a string type alias with validation
                              to ensure that the value is valid.
                            enum:
                            - 5xx
                            - gateway-error
                            - reset
                            - connect-failure
                            - retriable-4xx
                            - refused-stream
                            - retriable-status-codes
                            - retriable-headers
                            - cancelled
                            - deadline-exceeded
                            - internal
                            - resource-exhausted
                            - unavailable
                            type: string
                          type: array
                      type: object
                    services:
                      description: Services are the services to proxy traffic.
                      items:
                        description: Service defines an Kubernetes Service to proxy
                          traffic.
                        properties:
                          cookieRewritePolicies:
                            description: The policies for rewriting Set-Cookie header
                              attributes.
                            items:
                              properties:
                                domainRewrite:
                                  description: |-
                                    DomainRewrite enables rewriting the Set-Cookie Domain element.
                                    If not set, Domain will not be rewritten.
                                  properties:
                                    value:
                                      description: |-
                                        Value is the value to rewrite the Domain attribute to.
                                        For now this is required.
                                      maxLength: 4096
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                  required:
                                  - value
                                  type: object
                                name:
                                  description: Name is the name of the cookie for
                                    which attributes will be rewritten.
                                  maxLength: 4096
                                  minLength: 1
                                  pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
                                  type: string
                                pathRewrite:
                                  description: |-
                                    PathRewrite enables rewriting the Set-Cookie Path element.
                                    If not set, Path will not be rewritten.
                                  properties:
                                    value:
                                      description: |-
                                        Value is the value to rewrite the Path attribute to.
                                        For now this is required.
                                      maxLength: 4096
                                      minLength: 1
                                      pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
                                      type: string
                                  required:
                                  - value
                                  type: object
                                sameSite:
                                  description: |-
                                    SameSite enables rewriting the Set-Cookie SameSite element.
                                    If not set, SameSite attribute will not be rewritten.
                                  enum:
                                  - Strict
                                  - Lax
                                  - None
                                  type: string
                                secure:
                                  description: |-
                                    Secure enables rewriting the Set-Cookie Secure element.
                                    If not set, Secure attribute will not be rewritten.
                                  type: boolean
                              required:
                              - name
                              type: object
                            type: array
                          healthPort:
                            description: |-
                              HealthPort is the port for this service healthcheck.
                              If not specified, Port is used for service healthchecks.
                            maximum: 65535
                            minimum: 1
                            type: integer
                          mirror:
                            description: |-
                              If Mirror is true the Service will receive a read only mirror of the traffic for this route.
                              If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight
                              field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.
                              NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This
                              occurs since we cannot distinguish omitted fields from those explicitly set to their default
                              values
                            type: boolean
                          name:
                            description: |-
                              Name is the name of Kubernetes service to proxy traffic.
                              Names defined here will be used to look up corresponding endpoints which contain the ips to route.
                            type: string
                          port:
                            description: Port (defined as Integer) to proxy traffic
                              to since a service can have multiple defined.
                            exclusiveMaximum: true
                            maximum: 65536
                            minimum: 1
                            type: integer
                          protocol:
                            description: |-
                              Protocol may be used to specify (or override) the protocol used to reach this Service.
                              Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
                            enum:
                            - h2
                            - h2c
                            - tls
                            type: string
                          requestHeadersPolicy:
                            description: The policy for managing request headers during
                              proxying.
                            properties:
                              remove:
                                description: Remove specifies a list of HTTP header
                                  names to remove.
                                items:
                                  type: string
                                type: array
                              set:
                                description: |-
                                  Set specifies a list of HTTP header values that will be set in the HTTP header.
                                  If the header does not exist it will be added, otherwise it will be overwritten with the new value.
                                items:
                                  description: HeaderValue represents a header name/value
                                    pair
                                  properties:
                                    name:
                                      description: Name represents a key of a header
                                      minLength: 1
                                      type: string
                                    value:
                                      description: Value represents the value of a
                                        header specified by a key
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                type: array
                            type: object
                          responseHeadersPolicy:
                            description: |-
                              The policy for managing response headers during proxying.
                              Rewriting the 'Host' header is not supported.
                            properties:
                              remove:
                                description: Remove specifies a list of HTTP header
                                  names to remove.
                                items:
                                  type: string
                                type: array
                              set:
                                description: |-
                                  Set specifies a list of HTTP header values that will be set in the HTTP header.
                                  If the header does not exist it will be added, otherwise it will be overwritten with the new value.
                                items:
                                  description: HeaderValue represents a header name/value
                                    pair
                                  properties:
                                    name:
                                      description: Name represents a key of a header
                                      minLength: 1
                                      type: string
                                    value:
                                      description: Value represents the value of a
                                        header specified by a key
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  - value
                                  type: object
                                type: array
                            type: object
                          slowStartPolicy:
                            description: Slow start will gradually increase amount
                              of traffic to a newly added endpoint.
                            properties:
                              aggression:
                                default: "1.0"
                                description: |-
                                  The speed of traffic increase over the slow start window.
                                  Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic.
                                  When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.
                                  The value of aggression parameter should be greater than 0.0.
                                  More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
                                pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
                                type: string
                              minWeightPercent:
                                default: 10
                                description: |-
                                  The minimum or starting percentage of traffic to send to new endpoints.
                                  A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.
                                  If not specified, the default is 10%.
                                format: int32
                                maximum: 100
                                minimum: 0
                                type: integer
                              window:
                                description: |-
                                  The duration of slow start window.
                                  Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
                                  Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
                                pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
                                type: string
                            required:
                            - window
                            type: object
                          validation:
                            description: UpstreamValidation defines how to verify
                              the backend service's certificate
                            properties:
                              caSecret:
                                description: |-
                                  Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
                                  The secret must contain key named ca.crt.
                                  The name can be optionally prefixed with namespace "namespace/name".
                                  When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
                                  Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
                                maxLength: 317
                                minLength: 1
                                type: string
                              subjectName:
                                description: |-
                                  Key which is expected to be present in the 'subjectAltName' of the presented certificate.
                                  Deprecated: migrate to using the plural field subjectNames.
                                maxLength: 250
                                minLength: 1
                                type: string
                              subjectNames:
                                description: |-
                                  List of keys, of which at least one is expected to be present in the 'subjectAltName of the
                                  presented certificate.
                                items:
                                  type: string
                                maxItems: 8
                                minItems: 1
                                type: array
                            required:
                            - caSecret
                            - subjectName
                            type: object
                            x-kubernetes-validations:
                            - message: subjectNames[0] must equal subjectName if set
                              rule: 'has(self.subjectNames) ? self.subjectNames[0]
                                == self.subjectName : true'
                          weight:
                            description: Weight defines percentage of traffic to balance
                              traffic
                            format: int64
                            minimum: 0
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                    timeoutPolicy:
                      description: The timeout policy for this route.
                      properties:
                        idle:
                          description: |-
                            Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
                            Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
                            If not specified, there is no per-route idle timeout, though a connection manager-wide
                            stream_idle_timeout default of 5m still applies.
                          pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                          type: string
                        idleConnection:
                          description: |-
                            Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
                            If not supplied, Envoy's default value of 1h applies.
                          pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                          type: string
                        response:
                          description: |-
                            Timeout for receiving a response from the server after processing a request from client.
                            If not supplied, Envoy's default value of 15s applies.
                          pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                          type: string
                      type: object
                  type: object
                type: array
              tcpproxy:
                description: TCPProxy holds TCP proxy information.
                properties:
                  healthCheckPolicy:
                    description: The health check policy for this tcp proxy
                    properties:
                      healthyThresholdCount:
                        description: The number of healthy health checks required
                          before a host is marked healthy
                        format: int32
                        type: integer
                      intervalSeconds:
                        description: The interval (seconds) between health checks
                        format: int64
                        type: integer
                      timeoutSeconds:
                        description: The time to wait (seconds) for a health check
                          response
                        format: int64
                        type: integer
                      unhealthyThresholdCount:
                        description: The number of unhealthy health checks required
                          before a host is marked unhealthy
                        format: int32
                        type: integer
                    type: object
                  include:
                    description: Include specifies that this tcpproxy should be delegated
                      to another HTTPProxy.
                    properties:
                      name:
                        description: Name of the child HTTPProxy
                        type: string
                      namespace:
                        description: Namespace of the HTTPProxy to include. Defaults
                          to the current namespace if not supplied.
                        type: string
                    required:
                    - name
                    type: object
                  includes:
                    description: |-
                      IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.
                      Exists due to a mistake when developing HTTPProxy and the field was marked plural
                      when it should have been singular. This field should stay to not break backwards compatibility to v1 users.
                    properties:
                      name:
                        description: Name of the child HTTPProxy
                        type: string
                      namespace:
                        description: Namespace of the HTTPProxy to include. Defaults
                          to the current namespace if not supplied.
                        type: string
                    required:
                    - name
                    type: object
                  loadBalancerPolicy:
                    description: |-
                      The load balancing policy for the backend services. Note that the
                      `Cookie` and `RequestHash` load balancing strategies cannot be used
                      here.
                    properties:
                      requestHashPolicies:
                        description: |-
                          RequestHashPolicies contains a list of hash policies to apply when the
                          `RequestHash` load balancing strategy is chosen. If an element of the
                          supplied list of hash policies is invalid, it will be ignored. If the
                          list of hash policies is empty after validation, the load balancing
                          strategy will fall back to the default `RoundRobin`.
                        items:
                          description: |-
                            RequestHashPolicy contains configuration for an individual hash policy
                            on a request attribute.
                          properties:
                            hashSourceIP:
                              description: |-
                                HashSourceIP should be set to true when request source IP hash based
                                load balancing is desired. It must be the only hash option field set,
                                otherwise this request hash policy object will be ignored.
                              type: boolean
                            headerHashOptions:
                              description: |-
                                HeaderHashOptions should be set when request header hash based load
                                balancing is desired. It must be the only hash option field set,
                                otherwise this request hash policy object will be ignored.
                              properties:
                                headerName:
                                  description: |-
                                    HeaderName is the name of the HTTP request header that will be used to
                                    calculate the hash key. If the header specified is not present on a
                                    request, no hash will be produced.
                                  minLength: 1
                                  type: string
                              type: object
                            queryParameterHashOptions:
                              description: |-
                                QueryParameterHashOptions should be set when request query parameter hash based load
                                balancing is desired. It must be the only hash option field set,
                                otherwise this request hash policy object will be ignored.
                              properties:
                                parameterName:
                                  description: |-
                                    ParameterName is the name of the HTTP request query parameter that will be used to
                                    calculate the hash key. If the query parameter specified is not present on a
                                    request, no hash will be produced.
                                  minLength: 1
                                  type: string
                              type: object
                            terminal:
                              description: |-
                                Terminal is a flag that allows for short-circuiting computing of a hash
                                for a given request. If set to true, and the request attribute specified
                                in the attribute hash options is present, no further hash policies will
                                be used to calculate a hash for the request.
                              type: boolean
                          type: object
                        type: array
                      strategy:
                        description: |-
                          Strategy specifies the policy used to balance requests
                          across the pool of backend pods. Valid policy names are
                          `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
                          and `RequestHash`. If an unknown strategy name is specified
                          or no policy is supplied, the default `RoundRobin` policy
                          is used.
                        type: string
                    type: object
                  services:
                    description: Services are the services to proxy traffic
                    items:
                      description: Service defines an Kubernetes Service to proxy
                        traffic.
                      properties:
                        cookieRewritePolicies:
                          description: The policies for rewriting Set-Cookie header
                            attributes.
                          items:
                            properties:
                              domainRewrite:
                                description: |-
                                  DomainRewrite enables rewriting the Set-Cookie Domain element.
                                  If not set, Domain will not be rewritten.
                                properties:
                                  value:
                                    description: |-
                                      Value is the value to rewrite the Domain attribute to.
                                      For now this is required.
                                    maxLength: 4096
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                required:
                                - value
                                type: object
                              name:
                                description: Name is the name of the cookie for which
                                  attributes will be rewritten.
                                maxLength: 4096
                                minLength: 1
                                pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
                                type: string
                              pathRewrite:
                                description: |-
                                  PathRewrite enables rewriting the Set-Cookie Path element.
                                  If not set, Path will not be rewritten.
                                properties:
                                  value:
                                    description: |-
                                      Value is the value to rewrite the Path attribute to.
                                      For now this is required.
                                    maxLength: 4096
                                    minLength: 1
                                    pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
                                    type: string
                                required:
                                - value
                                type: object
                              sameSite:
                                description: |-
                                  SameSite enables rewriting the Set-Cookie SameSite element.
                                  If not set, SameSite attribute will not be rewritten.
                                enum:
                                - Strict
                                - Lax
                                - None
                                type: string
                              secure:
                                description: |-
                                  Secure enables rewriting the Set-Cookie Secure element.
                                  If not set, Secure attribute will not be rewritten.
                                type: boolean
                            required:
                            - name
                            type: object
                          type: array
                        healthPort:
                          description: |-
                            HealthPort is the port for this service healthcheck.
                            If not specified, Port is used for service healthchecks.
                          maximum: 65535
                          minimum: 1
                          type: integer
                        mirror:
                          description: |-
                            If Mirror is true the Service will receive a read only mirror of the traffic for this route.
                            If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight
                            field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.
                            NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This
                            occurs since we cannot distinguish omitted fields from those explicitly set to their default
                            values
                          type: boolean
                        name:
                          description: |-
                            Name is the name of Kubernetes service to proxy traffic.
                            Names defined here will be used to look up corresponding endpoints which contain the ips to route.
                          type: string
                        port:
                          description: Port (defined as Integer) to proxy traffic
                            to since a service can have multiple defined.
                          exclusiveMaximum: true
                          maximum: 65536
                          minimum: 1
                          type: integer
                        protocol:
                          description: |-
                            Protocol may be used to specify (or override) the protocol used to reach this Service.
                            Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
                          enum:
                          - h2
                          - h2c
                          - tls
                          type: string
                        requestHeadersPolicy:
                          description: The policy for managing request headers during
                            proxying.
                          properties:
                            remove:
                              description: Remove specifies a list of HTTP header
                                names to remove.
                              items:
                                type: string
                              type: array
                            set:
                              description: |-
                                Set specifies a list of HTTP header values that will be set in the HTTP header.
                                If the header does not exist it will be added, otherwise it will be overwritten with the new value.
                              items:
                                description: HeaderValue represents a header name/value
                                  pair
                                properties:
                                  name:
                                    description: Name represents a key of a header
                                    minLength: 1
                                    type: string
                                  value:
                                    description: Value represents the value of a header
                                      specified by a key
                                    minLength: 1
                                    type: string
                                required:
                                - name
                                - value
                                type: object
                              type: array
                          type: object
                        responseHeadersPolicy:
                          description: |-
                            The policy for managing response headers during proxying.
                            Rewriting the 'Host' header is not supported.
                          properties:
                            remove:
                              description: Remove specifies a list of HTTP header
                                names to remove.
                              items:
                                type: string
                              type: array
                            set:
                              description: |-
                                Set specifies a list of HTTP header values that will be set in the HTTP header.
                                If the header does not exist it will be added, otherwise it will be overwritten with the new value.
                              items:
                                description: HeaderValue represents a header name/value
                                  pair
                                properties:
                                  name:
                                    description: Name represents a key of a header
                                    minLength: 1
                                    type: string
                                  value:
                                    description: Value represents the value of a header
                                      specified by a key
                                    minLength: 1
                                    type: string
                                required:
                                - name
                                - value
                                type: object
                              type: array
                          type: object
                        slowStartPolicy:
                          description: Slow start will gradually increase amount of
                            traffic to a newly added endpoint.
                          properties:
                            aggression:
                              default: "1.0"
                              description: |-
                                The speed of traffic increase over the slow start window.
                                Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic.
                                When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.
                                The value of aggression parameter should be greater than 0.0.
                                More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
                              pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
                              type: string
                            minWeightPercent:
                              default: 10
                              description: |-
                                The minimum or starting percentage of traffic to send to new endpoints.
                                A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.
                                If not specified, the default is 10%.
                              format: int32
                              maximum: 100
                              minimum: 0
                              type: integer
                            window:
                              description: |-
                                The duration of slow start window.
                                Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
                                Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
                              pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
                              type: string
                          required:
                          - window
                          type: object
                        validation:
                          description: UpstreamValidation defines how to verify the
                            backend service's certificate
                          properties:
                            caSecret:
                              description: |-
                                Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
                                The secret must contain key named ca.crt.
                                The name can be optionally prefixed with namespace "namespace/name".
                                When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
                                Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
                              maxLength: 317
                              minLength: 1
                              type: string
                            subjectName:
                              description: |-
                                Key which is expected to be present in the 'subjectAltName' of the presented certificate.
                                Deprecated: migrate to using the plural field subjectNames.
                              maxLength: 250
                              minLength: 1
                              type: string
                            subjectNames:
                              description: |-
                                List of keys, of which at least one is expected to be present in the 'subjectAltName of the
                                presented certificate.
                              items:
                                type: string
                              maxItems: 8
                              minItems: 1
                              type: array
                          required:
                          - caSecret
                          - subjectName
                          type: object
                          x-kubernetes-validations:
                          - message: subjectNames[0] must equal subjectName if set
                            rule: 'has(self.subjectNames) ? self.subjectNames[0] ==
                              self.subjectName : true'
                        weight:
                          description: Weight defines percentage of traffic to balance
                            traffic
                          format: int64
                          minimum: 0
                          type: integer
                      required:
                      - name
                      - port
                      type: object
                    type: array
                type: object
              virtualhost:
                description: |-
                  Virtualhost appears at most once. If it is present, the object is considered
                  to be a "root" HTTPProxy.
                properties:
                  authorization:
                    description: |-
                      This field configures an extension service to perform
                      authorization for this virtual host. Authorization can
                      only be configured on virtual hosts that have TLS enabled.
                      If the TLS configuration requires client certificate
                      validation, the client certificate is always included in the
                      authentication check request.
                    properties:
                      authPolicy:
                        description: |-
                          AuthPolicy sets a default authorization policy for client requests.
                          This policy will be used unless overridden by individual routes.
                        properties:
                          context:
                            additionalProperties:
                              type: string
                            description: |-
                              Context is a set of key/value pairs that are sent to the
                              authentication server in the check request. If a context
                              is provided at an enclosing scope, the entries are merged
                              such that the inner scope overrides matching keys from the
                              outer scope.
                            type: object
                          disabled:
                            description: |-
                              When true, this field disables client request authentication
                              for the scope of the policy.
                            type: boolean
                        type: object
                      extensionRef:
                        description: ExtensionServiceRef specifies the extension resource
                          that will authorize client requests.
                        properties:
                          apiVersion:
                            description: |-
                              API version of the referent.
                              If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
                            minLength: 1
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            minLength: 1
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              If this field is not specifies, the namespace of the resource that targets the referent will be used.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            minLength: 1
                            type: string
                        type: object
                      failOpen:
                        description: |-
                          If FailOpen is true, the client request is forwarded to the upstream service
                          even if the authorization server fails to respond. This field should not be
                          set in most cases. It is intended for use only while migrating applications
                          from internal authorization to Contour external authorization.
                        type: boolean
                      responseTimeout:
                        description: |-
                          ResponseTimeout configures maximum time to wait for a check response from the authorization server.
                          Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
                          Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
                          The string "infinity" is also a valid input and specifies no timeout.
                        pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
                        type: string
                      withRequestBody:
                        description: WithRequestBody specifies configuration for sending
                          the client request's body to authorization server.
                        properties:
                          allowPartialMessage:
                            description: If AllowPartialMessage is true, then Envoy
                              will buffer the body until MaxRequestBytes are reached.
                            type: boolean
                          maxRequestBytes:
                            default: 1024
                            description: MaxRequestBytes sets the maximum size of
                              message body ExtAuthz filter will hold in-memory.
                            format: int32
                            minimum: 1
                            type: integer
                          packAsBytes:
                            description: If PackAsBytes is true, the body sent to
                              Authorization Server is in raw bytes.
                            type: boolean
                        type: object
                    type: object
                  corsPolicy:
                    description: Specifies the cross-origin policy to apply to the
                      VirtualHost.
                    properties:
                      allowCredentials:
                        description: Specifies whether the resource allows credentials.
                        type: boolean
                      allowHeaders:
                        description: AllowHeaders specifies the content for the *access-control-allow-headers*
                          header.
                        items:
                          description: CORSHeaderValue specifies the value of the
                            string headers returned by a cross-domain request.
                          pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
                          type: string
                        minItems: 1
                        type: array
                      allowMethods:
                        description: AllowMethods specifies the content for the *access-control-allow-methods*
                          header.
                        items:
                          description: CORSHeaderValue specifies the value of the
                            string headers returned by a cross-domain request.
                          pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
                          type: string
                        minItems: 1
                        type: array
                      allowOrigin:
                        description: |-
                          AllowOrigin specifies the origins that will be allowed to do CORS requests.
                          Allowed values include "*" which signifies any origin is allowed, an exact
                          origin of the form "scheme://host[:port]" (where port is optional), or a valid
                          regex pattern.
                          Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com)
                          will be rejected or produce unexpected matches when applied as a regex.
                        items:
                          type: string
                        minItems: 1
                        type: array
                      allowPrivateNetwork:
                        description: |-
                          AllowPrivateNetwork specifies whether to allow private network requests.
                          See https://developer.chrome.com/blog/private-network-access-preflight.
                        type: boolean
                      exposeHeaders:
                        description: ExposeHeaders Specifies the content for the *access-control-expose-headers*
                          header.
                        items:
                          description: CORSHeaderValue specifies the value of the
                            string headers returned by a cross-domain request.
                          pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
                          type: string
                        minItems: 1
                        type: array
                      maxAge:
                        description: |-
                          MaxAge indicates for how long the results of a preflight request can be cached.
                          MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
                          Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
                          Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS
                          check for all cross-origin requests.
                        pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$
                        type: string
                    required:
                    - allowMethods
                    - allowOrigin
                    type: object
                  fqdn:
                    description: |-
                      The fully qualified domain name of the root of the ingress tree
                      all leaves of the DAG rooted at this object relate to the fqdn.
                    pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                  ipAllowPolicy:
                    description: |-
                      IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
                      requests should be allowed. All other requests will be denied.
                      Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
                      The rules defined here may be overridden in a Route.
                    items:
                      properties:
                        cidr:
                          description: |-
                            CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
                            a bare IP address (without a mask) to filter on exactly one address.
                          type: string
                        source:
                          description: |-
                            Source indicates how to determine the ip address to filter on, and can be
                            one of two values:
                             - `Remote` filters on the ip address of the client, accounting for PROXY and
                               X-Forwarded-For as needed.
                             - `Peer` filters on the ip of the network request, ignoring PROXY and
                               X-Forwarded-For.
                          enum:
                          - Peer
                          - Remote
                          type: string
                      required:
                      - cidr
                      - source
                      type: object
                    type: array
                  ipDenyPolicy:
                    description: |-
                      IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
                      requests should be denied. All other requests will be allowed.
                      Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
                      The rules defined here may be overridden in a Route.
                    items:
                      properties:
                        cidr:
                          description: |-
                            CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
                            a bare IP address (without a mask) to filter on exactly one address.
                          type: string
                        source:
                          description: |-
                            Source indicates how to determine the ip address to filter on, and can be
                            one of two values:
                             - `Remote` filters on the ip address of the client, accounting for PROXY and
                               X-Forwarded-For as needed.
                             - `Peer` filters on the ip of the network request, ignoring PROXY and
                               X-Forwarded-For.
                          enum:
                          - Peer
                          - Remote
                          type: string
                      required:
                      - cidr
                      - source
                      type: object
                    type: array
                  jwtProviders:
                    description: Providers to use for verifying JSON Web Tokens (JWTs)
                      on the virtual host.
                    items:
                      description: JWTProvider defines how to verify JWTs on requests.
                      properties:
                        audiences:
                          description: |-
                            Audiences that JWTs are allowed to have in the "aud" field.
                            If not provided, JWT audiences are not checked.
                          items:
                            type: string
                          type: array
                        default:
                          description: |-
                            Whether the provider should apply to all
                            routes in the HTTPProxy/its includes by
                            default. At most one provider can be marked
                            as the default. If no provider is marked
                            as the default, individual routes must explicitly
                            identify the provider they require.
                          type: boolean
                        forwardJWT:
                          description: |-
                            Whether the JWT should be forwarded to the backend
                            service after successful verification. By default,
                            the JWT is not forwarded.
                          type: boolean
                        issuer:
                          description: |-
                            Issuer that JWTs are required to have in the "iss" field.
                            If not provided, JWT issuers are not checked.
                          type: string
                        name:
                          description: Unique name for the provider.
                          minLength: 1
                          type: string
                        remoteJWKS:
                          description: Remote JWKS to use for verifying JWT signatures.
                          properties:
                            cacheDuration:
                              description: |-
                                How long to cache the JWKS locally. If not specified,
                                Envoy's default of 5m applies.
                              pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
                              type: string
                            dnsLookupFamily:
                              description: |-
                                The DNS IP address resolution policy for the JWKS URI.
                                When configured as "v4", the DNS resolver will only perform a lookup
                                for addresses in the IPv4 family. If "v6" is configured, the DNS resolver
                                will only perform a lookup for addresses in the IPv6 family.
                                If "all" is configured, the DNS resolver
                                will perform a lookup for addresses in both the IPv4 and IPv6 family.
                                If "auto" is configured, the DNS resolver will first perform a lookup
                                for addresses in the IPv6 family and fallback to a lookup for addresses
                                in the IPv4 family. If not specified, the Contour-wide setting defined
                                in the config file or ContourConfiguration applies (defaults to "auto").
                                See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
                                for more information.
                              enum:
                              - auto
                              - v4
                              - v6
                              type: string
                            timeout:
                              description: |-
                                How long to wait for a response from the URI.
                                If not specified, a default of 1s applies.
                              pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
                              type: string
                            uri:
                              description: The URI for the JWKS.
                              minLength: 1
                              type: string
                            validation:
                              description: UpstreamValidation defines how to verify
                                the JWKS's TLS certificate.
                              properties:
                                caSecret:
                                  description: |-
                                    Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
                                    The secret must contain key named ca.crt.
                                    The name can be optionally prefixed with namespace "namespace/name".
                                    When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
                                    Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
                                  maxLength: 317
                                  minLength: 1
                                  type: string
                                subjectName:
                                  description: |-
                                    Key which is expected to be present in the 'subjectAltName' of the presented certificate.
                                    Deprecated: migrate to using the plural field subjectNames.
                                  maxLength: 250
                                  minLength: 1
                                  type: string
                                subjectNames:
                                  description: |-
                                    List of keys, of which at least one is expected to be present in the 'subjectAltName of the
                                    presented certificate.
                                  items:
                                    type: string
                                  maxItems: 8
                                  minItems: 1
                                  type: array
                              required:
                              - caSecret
                              - subjectName
                              type: object
                              x-kubernetes-validations:
                              - message: subjectNames[0] must equal subjectName if
                                  set
                                rule: 'has(self.subjectNames) ? self.subjectNames[0]
                                  == self.subjectName : true'
                          required:
                          - uri
                          type: object
                      required:
                      - name
                      - remoteJWKS
                      type: object
                    type: array
                  rateLimitPolicy:
                    description: The policy for rate limiting on the virtual host.
                    properties:
                      global:
                        description: |-
                          Global defines global rate limiting parameters, i.e. parameters
                          defining descriptors that are sent to an external rate limit
                          service (RLS) for a rate limit decision on each request.
                        properties:
                          descriptors:
                            description: |-
                              Descriptors defines the list of descriptors that will
                              be generated and sent to the rate limit service. Each
                              descriptor contains 1+ key-value pair entries.
                            items:
                              description: RateLimitDescriptor defines a list of key-value
                                pair generators.
                              properties:
                                entries:
                                  description: Entries is the list of key-value pair
                                    generators.
                                  items:
                                    description: |-
                                      RateLimitDescriptorEntry is a key-value pair generator. Exactly
                                      one field on this struct must be non-nil.
                                    properties:
                                      genericKey:
                                        description: GenericKey defines a descriptor
                                          entry with a static key and value.
                                        properties:
                                          key:
                                            description: |-
                                              Key defines the key of the descriptor entry. If not set, the
                                              key is set to "generic_key".
                                            type: string
                                          value:
                                            description: Value defines the value of
                                              the descriptor entry.
                                            minLength: 1
                                            type: string
                                        type: object
                                      remoteAddress:
                                        description: |-
                                          RemoteAddress defines a descriptor entry with a key of "remote_address"
                                          and a value equal to the client's IP address (from x-forwarded-for).
                                        type: object
                                      requestHeader:
                                        description: |-
                                          RequestHeader defines a descriptor entry that's populated only if
                                          a given header is present on the request. The descriptor key is static,
                                          and the descriptor value is equal to the value of the header.
                                        properties:
                                          descriptorKey:
                                            description: DescriptorKey defines the
                                              key to use on the descriptor entry.
                                            minLength: 1
                                            type: string
                                          headerName:
                                            description: HeaderName defines the name
                                              of the header to look for on the request.
                                            minLength: 1
                                            type: string
                                        type: object
                                      requestHeaderValueMatch:
                                        description: |-
                                          RequestHeaderValueMatch defines a descriptor entry that's populated
                                          if the request's headers match a set of 1+ match criteria. The
                                          descriptor key is "header_match", and the descriptor value is static.
                                        properties:
                                          expectMatch:
                                            default: true
                                            description: |-
                                              ExpectMatch defines whether the request must positively match the match
                                              criteria in order to generate a descriptor entry (i.e. true), or not
                                              match the match criteria in order to generate a descriptor entry (i.e. false).
                                              The default is true.
                                            type: boolean
                                          headers:
                                            description: |-
                                              Headers is a list of 1+ match criteria to apply against the request
                                              to determine whether to populate the descriptor entry or not.
                                            items:
                                              description: |-
                                                HeaderMatchCondition specifies how to conditionally match against HTTP
                                                headers. The Name field is required, only one of Present, NotPresent,
                                                Contains, NotContains, Exact, NotExact and Regex can be set.
                                                For negative matching rules only (e.g. NotContains or NotExact) you can set
                                                TreatMissingAsEmpty.
                                                IgnoreCase has no effect for Regex.
                                              properties:
                                                contains:
                                                  description: |-
                                                    Contains specifies a substring that must be present in
                                                    the header value.
                                                  type: string
                                                exact:
                                                  description: Exact specifies a string
                                                    that the header value must be
                                                    equal to.
                                                  type: string
                                                ignoreCase:
                                                  description: |-
                                                    IgnoreCase specifies that string matching should be case insensitive.
                                                    Note that this has no effect on the Regex parameter.
                                                  type: boolean
                                                name:
                                                  description: |-
                                                    Name is the name of the header to match against. Name is required.
                                                    Header names are case insensitive.
                                                  type: string
                                                notcontains:
                                                  description: |-
                                                    NotContains specifies a substring that must not be present
                                                    in the header value.
                                                  type: string
                                                notexact:
                                                  description: |-
                                                    NoExact specifies a string that the header value must not be
                                                    equal to. The condition is true if the header has any other value.
                                                  type: string
                                                notpresent:
                                                  description: |-
                                                    NotPresent specifies that condition is true when the named header
                                                    is not present. Note that setting NotPresent to false does not
                                                    make the condition true if the named header is present.
                                                  type: boolean
                                                present:
                                                  description: |-
                                                    Present specifies that condition is true when the named header
                                                    is present, regardless of its value. Note that setting Present
                                                    to false does not make the condition true if the named header
                                                    is absent.
                                                  type: boolean
                                                regex:
                                                  description: |-
                                                    Regex specifies a regular expression pattern that must match the header
                                                    value.
                                                  type: string
                                                treatMissingAsEmpty:
                                                  description: |-
                                                    TreatMissingAsEmpty specifies if the header match rule specified header
                                                    does not exist, this header value will be treated as empty. Defaults to false.
                                                    Unlike the underlying Envoy implementation this is **only** supported for
                                                    negative matches (e.g. NotContains, NotExact).
                                                  type: boolean
                                              required:
                                              - name
                                              type: object
                                            minItems: 1
                                            type: array
                                          value:
                                            description: Value defines the value of
                                              the descriptor entry.
                                            minLength: 1
                                            type: string
                                        type: object
                                    type: object
                                  minItems: 1
                                  type: array
                              type: object
                            minItems: 1
                            type: array
                          disabled:
                            description: |-
                              Disabled configures the HTTPProxy to not use
                              the default global rate limit policy defined by the Contour configuration.
                            type: boolean
                        type: object
                      local:
                        description: |-
                          Local defines local rate limiting parameters, i.e. parameters
                          for rate limiting that occurs within each Envoy pod as requests
                          are handled.
                        properties:
                          burst:
                            description: |-
                              Burst defines the number of requests above the requests per
                              unit that should be allowed within a short period of time.
                            format: int32
                            type: integer
                          requests:
                            description: |-
                              Requests defines how many requests per unit of time should
                              be allowed before rate limiting occurs.
                            format: int32
                            minimum: 1
                            type: integer
                          responseHeadersToAdd:
                            description: |-
                              ResponseHeadersToAdd is an optional list of response headers to
                              set when a request is rate-limited.
                            items:
                              description: HeaderValue represents a header name/value
                                pair
                              properties:
                                name:
                                  description: Name represents a key of a header
                                  minLength: 1
                                  type: string
                                value:
                                  description: Value represents the value of a header
                                    specified by a key
                                  minLength: 1
                                  type: string
                              required:
                              - name
                              - value
                              type: object
                            type: array
                          responseStatusCode:
                            description: |-
                              ResponseStatusCode is the HTTP status code to use for responses
                              to rate-limited requests. Codes must be in the 400-599 range
                              (inclusive). If not specified, the Envoy default of 429 (Too
                              Many Requests) is used.
                            format: int32
                            maximum: 599
                            minimum: 400
                            type: integer
                          unit:
                            description: |-
                              Unit defines the period of time within which requests
                              over the limit will be rate limited. Valid values are
                              "second", "minute" and "hour".
                            enum:
                            - second
                            - minute
                            - hour
                            type: string
                        required:
                        - requests
                        - unit
                        type: object
                    type: object
                  tls:
                    description: |-
                      If present the fields describes TLS properties of the virtual
                      host. The SNI names that will be matched on are described in fqdn,
                      the tls.secretName secret must contain a certificate that itself
                      contains a name that matches the FQDN.
                    properties:
                      clientValidation:
                        description: |-
                          ClientValidation defines how to verify the client certificate
                          when an external client establishes a TLS connection to Envoy.
                          This setting:
                          1. Enables TLS client certificate validation.
                          2. Specifies how the client certificate will be validated (i.e.
                             validation required or skipped).
                          Note: Setting client certificate validation to be skipped should
                          be only used in conjunction with an external authorization server that
                          performs client validation as Contour will ensure client certificates
                          are passed along.
                        properties:
                          caSecret:
                            description: |-
                              Name of a Kubernetes secret that contains a CA certificate bundle.
                              The secret must contain key named ca.crt.
                              The client certificate must validate against the certificates in the bundle.
                              If specified and SkipClientCertValidation is true, client certificates will
                              be required on requests.
                              The name can be optionally prefixed with namespace "namespace/name".
                              When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
                            minLength: 1
                            type: string
                          crlOnlyVerifyLeafCert:
                            description: |-
                              If this option is set to true, only the certificate at the end of the
                              certificate chain will be subject to validation by CRL.
                            type: boolean
                          crlSecret:
                            description: |-
                              Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs.
                              The secret must contain key named crl.pem.
                              This field will be used to verify that a client certificate has not been revoked.
                              CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true.
                              Large CRL lists are not supported since individual secrets are limited to 1MiB in size.
                              The name can be optionally prefixed with namespace "namespace/name".
                              When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
                            minLength: 1
                            type: string
                          forwardClientCertificate:
                            description: |-
                              ForwardClientCertificate adds the selected data from the passed client TLS certificate
                              to the x-forwarded-client-cert header.
                            properties:
                              cert:
                                description: Client cert in URL encoded PEM format.
                                type: boolean
                              chain:
                                description: Client cert chain (including the leaf
                                  cert) in URL encoded PEM format.
                                type: boolean
                              dns:
                                description: DNS type Subject Alternative Names of
                                  the client cert.
                                type: boolean
                              subject:
                                description: Subject of the client cert.
                                type: boolean
                              uri:
                                description: URI type Subject Alternative Name of
                                  the client cert.
                                type: boolean
                            type: object
                          optionalClientCertificate:
                            description: |-
                              OptionalClientCertificate when set to true will request a client certificate
                              but allow the connection to continue if the client does not provide one.
                              If a client certificate is sent, it will be verified according to the
                              other properties, which includes disabling validation if
                              SkipClientCertValidation is set. Defaults to false.
                            type: boolean
                          skipClientCertValidation:
                            description: |-
                              SkipClientCertValidation disables downstream client certificate
                              validation. Defaults to false. This field is intended to be used in
                              conjunction with external authorization in order to enable the external
                              authorization server to validate client certificates. When this field
                              is set to true, client certificates are requested but not verified by
                              Envoy. If CACertificate is specified, client certificates are required on
                              requests, but not verified. If external authorization is in use, they are
                              presented to the external authorization server.
                            type: boolean
                        type: object
                      enableFallbackCertificate:
                        description: |-
                          EnableFallbackCertificate defines if the vhost should allow a default certificate to
                          be applied which handles all requests which don't match the SNI defined in this vhost.
                        type: boolean
                      maximumProtocolVersion:
                        description: |-
                          MaximumProtocolVersion is the maximum TLS version this vhost should
                          negotiate. Valid options are `1.2` and `1.3` (default). Any other value
                          defaults to TLS 1.3.
                        type: string
                      minimumProtocolVersion:
                        description: |-
                          MinimumProtocolVersion is the minimum TLS version this vhost should
                          negotiate. Valid options are `1.2` (default) and `1.3`. Any other value
                          defaults to TLS 1.2.
                        type: string
                      passthrough:
                        description: |-
                          Passthrough defines whether the encrypted TLS handshake will be
                          passed through to the backing cluster. Either Passthrough or
                          SecretName must be specified, but not both.
                        type: boolean
                      secretName:
                        description: |-
                          SecretName is the name of a TLS secret.
                          Either SecretName or Passthrough must be specified, but not both.
                          If specified, the named secret must contain a matching certificate
                          for the virtual host's FQDN.
                          The name can be optionally prefixed with namespace "namespace/name".
                          When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
                        type: string
                    type: object
                required:
                - fqdn
                type: object
            type: object
          status:
            default:
              currentStatus: NotReconciled
              description: Waiting for controller
            description: Status is a container for computed information about the
              HTTPProxy.
            properties:
              conditions:
                description: |-
                  Conditions contains information about the current status of the HTTPProxy,
                  in an upstream-friendly container.
                  Contour will update a single condition, `Valid`, that is in normal-true polarity.
                  That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,
                  and vice versa.
                  Contour will leave untouched any other Conditions set in this block,
                  in case some other controller wants to add a Condition.
                  If you are another controller owner and wish to add a condition, you *should*
                  namespace your condition with a label, like `controller.domain.com/ConditionName`.
                items:
                  description: |-
                    DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
                    fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
                    of the condition.
                    `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
                    `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
                    Remember that Conditions have a type, a status, and a reason.
                    The type is the type of the condition, the most important one in this CRD set is `Valid`.
                    `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
                    In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
                    `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
                    slice in this case.
                    `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
                    The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
                    slice if `status` is `false`.
                    For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
                    When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
                    When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
                    In either case, there may be entries in the `warnings` slice.
                    Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
                    (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
                    `MultipleReasons` if there is more than one entry.
                  properties:
                    errors:
                      description: |-
                        Errors contains a slice of relevant error subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
                        An empty slice here indicates no errors.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                    warnings:
                      description: |-
                        Warnings contains a slice of relevant warning subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
                        An empty slice here indicates no warnings.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              currentStatus:
                type: string
              description:
                type: string
              loadBalancer:
                description: LoadBalancer contains the current status of the load
                  balancer.
                properties:
                  ingress:
                    description: |-
                      Ingress is a list containing ingress points for the load-balancer.
                      Traffic intended for the service should be sent to these ingress points.
                    items:
                      description: |-
                        LoadBalancerIngress represents the status of a load-balancer ingress point:
                        traffic intended for the service should be sent to an ingress point.
                      properties:
                        hostname:
                          description: |-
                            Hostname is set for load-balancer ingress points that are DNS based
                            (typically AWS load-balancers)
                          type: string
                        ip:
                          description: |-
                            IP is set for load-balancer ingress points that are IP based
                            (typically GCE or OpenStack load-balancers)
                          type: string
                        ipMode:
                          description: |-
                            IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.
                            Setting this to "VIP" indicates that traffic is delivered to the node with
                            the destination set to the load-balancer's IP and port.
                            Setting this to "Proxy" indicates that traffic is delivered to the node or pod with
                            the destination set to the node's IP and node port or the pod's IP and port.
                            Service implementations may use this information to adjust traffic routing.
                          type: string
                        ports:
                          description: |-
                            Ports is a list of records of service ports
                            If used, every port defined in the service should have an entry in it
                          items:
                            properties:
                              error:
                                description: |-
                                  Error is to record the problem with the service port
                                  The format of the error shall comply with the following rules:
                                  - built-in error values shall be specified in this file and those shall use
                                    CamelCase names
                                  - cloud provider specific error values must have names that comply with the
                                    format foo.example.com/CamelCase.
                                  ---
                                  The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                                maxLength: 316
                                pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                                type: string
                              port:
                                description: Port is the port number of the service
                                  port of which status is recorded here
                                format: int32
                                type: integer
                              protocol:
                                default: TCP
                                description: |-
                                  Protocol is the protocol of the service port of which status is recorded here
                                  The supported values are: "TCP", "UDP", "SCTP"
                                type: string
                            required:
                            - port
                            - protocol
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                      type: object
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: tlscertificatedelegations.projectcontour.io
spec:
  preserveUnknownFields: false
  group: projectcontour.io
  names:
    kind: TLSCertificateDelegation
    listKind: TLSCertificateDelegationList
    plural: tlscertificatedelegations
    shortNames:
    - tlscerts
    singular: tlscertificatedelegation
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: |-
          TLSCertificateDelegation is an TLS Certificate Delegation CRD specification.
          See design/tls-certificate-delegation.md for details.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: TLSCertificateDelegationSpec defines the spec of the CRD
            properties:
              delegations:
                items:
                  description: |-
                    CertificateDelegation maps the authority to reference a secret
                    in the current namespace to a set of namespaces.
                  properties:
                    secretName:
                      description: required, the name of a secret in the current namespace.
                      type: string
                    targetNamespaces:
                      description: |-
                        required, the namespaces the authority to reference the
                        secret will be delegated to.
                        If TargetNamespaces is nil or empty, the CertificateDelegation'
                        is ignored. If the TargetNamespace list contains the character, "*"
                        the secret will be delegated to all namespaces.
                      items:
                        type: string
                      type: array
                  required:
                  - secretName
                  - targetNamespaces
                  type: object
                type: array
            required:
            - delegations
            type: object
          status:
            description: |-
              TLSCertificateDelegationStatus allows for the status of the delegation
              to be presented to the user.
            properties:
              conditions:
                description: |-
                  Conditions contains information about the current status of the HTTPProxy,
                  in an upstream-friendly container.
                  Contour will update a single condition, `Valid`, that is in normal-true polarity.
                  That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,
                  and vice versa.
                  Contour will leave untouched any other Conditions set in this block,
                  in case some other controller wants to add a Condition.
                  If you are another controller owner and wish to add a condition, you *should*
                  namespace your condition with a label, like `controller.domain.com\ConditionName`.
                items:
                  description: |-
                    DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
                    fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
                    of the condition.
                    `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
                    `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
                    Remember that Conditions have a type, a status, and a reason.
                    The type is the type of the condition, the most important one in this CRD set is `Valid`.
                    `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
                    In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
                    `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
                    slice in this case.
                    `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
                    The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
                    slice if `status` is `false`.
                    For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
                    When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
                    When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
                    In either case, there may be entries in the `warnings` slice.
                    Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
                    (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
                    `MultipleReasons` if there is more than one entry.
                  properties:
                    errors:
                      description: |-
                        Errors contains a slice of relevant error subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
                        An empty slice here indicates no errors.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                    warnings:
                      description: |-
                        Warnings contains a slice of relevant warning subconditions for this object.
                        Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
                        An empty slice here indicates no warnings.
                      items:
                        description: |-
                          SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
                          It contains a subset of the Condition fields.
                          It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
                          that is, they should be of the form "ErrorPresent: true".
                          The expected lifecycle for these errors is that they should only be present when the error or warning is,
                          and should be removed when they are not relevant.
                        properties:
                          message:
                            description: |-
                              Message is a human readable message indicating details about the transition.
                              This may be an empty string.
                            maxLength: 32768
                            type: string
                          reason:
                            description: |-
                              Reason contains a programmatic identifier indicating the reason for the condition's last transition.
                              Producers of specific condition types may define expected values and meanings for this field,
                              and whether the values are considered a guaranteed API.
                              The value should be a CamelCase string.
                              This field may not be empty.
                            maxLength: 1024
                            minLength: 1
                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                            type: string
                          status:
                            description: Status of the condition, one of True, False,
                              Unknown.
                            enum:
                            - "True"
                            - "False"
                            - Unknown
                            type: string
                          type:
                            description: |-
                              Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
                              This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                            maxLength: 316
                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                            type: string
                        required:
                        - message
                        - reason
                        - status
                        - type
                        type: object
                      type: array
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}