diff --git a/api/v1alpha1/api.go b/api/v1alpha1/api.go
index 11305082e7..d7b8113456 100644
--- a/api/v1alpha1/api.go
+++ b/api/v1alpha1/api.go
@@ -414,7 +414,7 @@ type AIServiceBackendSpec struct {
type VersionedAPISchema struct {
// Name is the name of the API schema of the AIGatewayRoute or AIServiceBackend.
//
- // +kubebuilder:validation:Enum=OpenAI;AWSBedrock;AzureOpenAI
+ // +kubebuilder:validation:Enum=OpenAI;AWSBedrock;AzureOpenAI;GCPVertexAI;GCPAnthropic
Name APISchema `json:"name"`
// Version is the version of the API schema.
@@ -450,6 +450,17 @@ const (
//
// https://learn.microsoft.com/en-us/azure/ai-services/openai/reference#api-specs
APISchemaAzureOpenAI APISchema = "AzureOpenAI"
+ // APISchemaGCPVertexAI is the schema followed by Gemini models hosted on GCP's Vertex AI platform.
+ // Note: Using this schema requires a BackendSecurityPolicy to be configured and attached,
+ // as the transformation will use the gcp-region and project-name from the BackendSecurityPolicy.
+ //
+ // https://cloud.google.com/vertex-ai/docs/reference/rest/v1/projects.locations.endpoints/generateContent?hl=en
+ APISchemaGCPVertexAI APISchema = "GCPVertexAI"
+ // APISchemaGCPAnthropic is the schema followed by Anthropic models hosted on GCP's Vertex AI platform.
+ // This is majorly the Anthropic API with some GCP specific parameters as described in below URL.
+ //
+ // https://docs.anthropic.com/en/api/claude-on-vertex-ai
+ APISchemaGCPAnthropic APISchema = "GCPAnthropic"
)
const (
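Review bot: The comment on APISchemaGCPVertexAI says the transformation takes "the gcp-region and project-name from the BackendSecurityPolicy", but the GCP policy spec added later in this diff exposes only `projectID` (plus an optional impersonation project) and no region field, while the filter-side `GCPAuth` carries both `Region` and `ProjectName`, so a reader cannot tell where the region is sourced or whether "project-name" means the GCP project ID. Reword to name the actual fields and the region source once settled, e.g. `// Note: this schema requires a GCPCredentials BackendSecurityPolicy to be attached; the request path is built from its projectID and a region (TODO: document where the region is configured).` Also `This is majorly the Anthropic API` reads better as `This is mostly the Anthropic API`. The const block continues past the hunk.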
@@ -465,6 +476,7 @@ const (
BackendSecurityPolicyTypeAPIKey BackendSecurityPolicyType = "APIKey"
BackendSecurityPolicyTypeAWSCredentials BackendSecurityPolicyType = "AWSCredentials"
BackendSecurityPolicyTypeAzureCredentials BackendSecurityPolicyType = "AzureCredentials"
+ BackendSecurityPolicyTypeGCPCredentials BackendSecurityPolicyType = "GCPCredentials"
)
// BackendSecurityPolicy specifies configuration for authentication and authorization rules on the traffic
@@ -487,9 +499,9 @@ type BackendSecurityPolicy struct {
// Only one type of BackendSecurityPolicy can be defined.
// +kubebuilder:validation:MaxProperties=2
type BackendSecurityPolicySpec struct {
- // Type specifies the auth mechanism used to access the provider. Currently, only "APIKey", "AWSCredentials", and "AzureCredentials" are supported.
+ // Type specifies the type of the backend security policy.
//
- // +kubebuilder:validation:Enum=APIKey;AWSCredentials;AzureCredentials
+ // +kubebuilder:validation:Enum=APIKey;AWSCredentials;AzureCredentials;GCPCredentials
Type BackendSecurityPolicyType `json:"type"`
// APIKey is a mechanism to access a backend(s). The API key will be injected into the Authorization header.
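Review bot: Nothing visible ties `type: GCPCredentials` to the presence of `gcpCredentials`; `MaxProperties=2` on the spec still admits `type: GCPCredentials` together with, say, `azureCredentials`, and the only CEL rule visible in the CRD hunk further down is the Azure clientSecretRef/oidcExchangeToken pair. If the existing types rely on a controller-side check for this coupling the new type needs the same treatment; otherwise a spec-level rule such as `// +kubebuilder:validation:XValidation:rule="self.type != 'GCPCredentials' || has(self.gcpCredentials)",message="gcpCredentials must be set when type is GCPCredentials"` would reject the mismatch at admission rather than at first request. The struct continues outside the hunk.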
@@ -506,6 +518,10 @@ type BackendSecurityPolicySpec struct {
//
// +optional
AzureCredentials *BackendSecurityPolicyAzureCredentials `json:"azureCredentials,omitempty"`
+ // GCPCredentials is a mechanism to access a backend(s). GCP specific logic will be applied.
+ //
+ // +optional
+ GCPCredentials *BackendSecurityPolicyGCPCredentials `json:"gcpCredentials,omitempty"`
}
// BackendSecurityPolicyList contains a list of BackendSecurityPolicy
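Review bot: The doc comment on GCPCredentials, "GCP specific logic will be applied", tells an operator nothing about what credential is produced or when the field must be set; the Azure sibling just above is more explicit. Suggest `// GCPCredentials configures access to GCP via Workload Identity Federation: an OIDC token is exchanged for a short-lived GCP access token, optionally impersonating a service account, which is then attached to upstream requests. Required when Type is GCPCredentials.` — adjust the attachment detail if the ext proc carries the token differently, since that part is not visible here. The struct starts outside the hunk.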
@@ -543,6 +559,72 @@ type BackendSecurityPolicyOIDC struct {
Aud string `json:"aud,omitempty"`
}
+type GCPWorkLoadIdentityFederationConfig struct {
+ // ProjectID is the GCP project ID.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ ProjectID string `json:"projectID"`
+
+ // WorkloadIdentityProvider is the external auth provider to be used to authenticate against GCP.
+ // https://cloud.google.com/iam/docs/workload-identity-federation?hl=en
+ // Currently only OIDC is supported.
+ //
+ // +kubebuilder:validation:Required
+ WorkloadIdentityProvider GCPWorkloadIdentityProvider `json:"workloadIdentityProvider"`
+
+ // WorkloadIdentityPoolName is the name of the workload identity pool defined in GCP.
+ // https://cloud.google.com/iam/docs/workload-identity-federation?hl=en
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ WorkloadIdentityPoolName string `json:"workloadIdentityPoolName"`
+
+ // ServiceAccountImpersonation is the service account impersonation configuration.
+ // This is used to impersonate a service account when getting access token.
+ //
+ // +optional
+ ServiceAccountImpersonation *GCPServiceAccountImpersonationConfig `json:"serviceAccountImpersonation,omitempty"`
+}
+
+// GCPWorkloadIdentityProvider specifies the external identity provider to be used to authenticate against GCP.
+// The external identity provider can be AWS, Microsoft, etc but must be pre-registered in the GCP project
+//
+// https://cloud.google.com/iam/docs/workload-identity-federation
+type GCPWorkloadIdentityProvider struct {
+ // Name of the external identity provider as registered on Google Cloud Platform.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ Name string `json:"name"`
+
+ // OIDCProvider is the generic OIDCProvider fields.
+ //
+ // +kubebuilder:validation:Required
+ OIDCProvider BackendSecurityPolicyOIDC `json:"OIDCProvider"`
+}
+
+type GCPServiceAccountImpersonationConfig struct {
+ // ServiceAccountName is the name of the service account to impersonate.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ ServiceAccountName string `json:"serviceAccountName"`
+ // ServiceAccountProjectName is the project name in which the service account is registered.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ ServiceAccountProjectName string `json:"serviceAccountProjectName"`
+}
+
+// BackendSecurityPolicyGCPCredentials contains the supported authentication mechanisms to access GCP.
+type BackendSecurityPolicyGCPCredentials struct {
+ // WorkLoadIdentityFederationConfig is the configuration for the GCP Workload Identity Federation.
+ //
+ // +kubebuilder:validation:Required
+ WorkLoadIdentityFederationConfig GCPWorkLoadIdentityFederationConfig `json:"workLoadIdentityFederationConfig"`
+}
+
// BackendSecurityPolicyAzureCredentials contains the supported authentication mechanisms to access Azure.
// Only one of ClientSecretRef or OIDCExchangeToken must be specified. Credentials will not be generated if
// neither are set.
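Review bot: The new types bake inconsistent naming into the v1alpha1 API surface: the Go name and JSON key are `WorkLoadIdentityFederationConfig` / `workLoadIdentityFederationConfig` while the sibling fields spell it `WorkloadIdentityProvider` / `WorkloadIdentityPoolName`, and the JSON key `OIDCProvider` on the OIDCProvider field breaks the lower-camelCase used by every other key (`oidcExchangeToken`, `gcpCredentials`); renaming to `workloadIdentityFederationConfig` and `oidcProvider` is cheap now and a breaking change once released. `GCPWorkLoadIdentityFederationConfig` and `GCPServiceAccountImpersonationConfig` are exported without a doc comment; each should open with its name, e.g. `// GCPWorkLoadIdentityFederationConfig configures the Workload Identity Federation exchange used to obtain a GCP access token.` For the impersonation fields, `ServiceAccountProjectName` should say whether it expects the project ID (as used in the `name@project.iam.gserviceaccount.com` email) or a display name, and the doc should warn that impersonation extends the gateway's effective permissions to every role that service account holds, so it should be scoped minimally — verify against how the controller assembles the target, which is not visible here.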
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index a706780d23..b7876b5d54 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -522,6 +522,22 @@ func (in *BackendSecurityPolicyAzureCredentials) DeepCopy() *BackendSecurityPoli
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackendSecurityPolicyGCPCredentials) DeepCopyInto(out *BackendSecurityPolicyGCPCredentials) {
+ *out = *in
+ in.WorkLoadIdentityFederationConfig.DeepCopyInto(&out.WorkLoadIdentityFederationConfig)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendSecurityPolicyGCPCredentials.
+func (in *BackendSecurityPolicyGCPCredentials) DeepCopy() *BackendSecurityPolicyGCPCredentials {
+ if in == nil {
+ return nil
+ }
+ out := new(BackendSecurityPolicyGCPCredentials)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BackendSecurityPolicyList) DeepCopyInto(out *BackendSecurityPolicyList) {
*out = *in
@@ -588,6 +604,11 @@ func (in *BackendSecurityPolicySpec) DeepCopyInto(out *BackendSecurityPolicySpec
*out = new(BackendSecurityPolicyAzureCredentials)
(*in).DeepCopyInto(*out)
}
+ if in.GCPCredentials != nil {
+ in, out := &in.GCPCredentials, &out.GCPCredentials
+ *out = new(BackendSecurityPolicyGCPCredentials)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendSecurityPolicySpec.
@@ -622,6 +643,58 @@ func (in *BackendSecurityPolicyStatus) DeepCopy() *BackendSecurityPolicyStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPServiceAccountImpersonationConfig) DeepCopyInto(out *GCPServiceAccountImpersonationConfig) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPServiceAccountImpersonationConfig.
+func (in *GCPServiceAccountImpersonationConfig) DeepCopy() *GCPServiceAccountImpersonationConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(GCPServiceAccountImpersonationConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPWorkLoadIdentityFederationConfig) DeepCopyInto(out *GCPWorkLoadIdentityFederationConfig) {
+ *out = *in
+ in.WorkloadIdentityProvider.DeepCopyInto(&out.WorkloadIdentityProvider)
+ if in.ServiceAccountImpersonation != nil {
+ in, out := &in.ServiceAccountImpersonation, &out.ServiceAccountImpersonation
+ *out = new(GCPServiceAccountImpersonationConfig)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPWorkLoadIdentityFederationConfig.
+func (in *GCPWorkLoadIdentityFederationConfig) DeepCopy() *GCPWorkLoadIdentityFederationConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(GCPWorkLoadIdentityFederationConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPWorkloadIdentityProvider) DeepCopyInto(out *GCPWorkloadIdentityProvider) {
+ *out = *in
+ in.OIDCProvider.DeepCopyInto(&out.OIDCProvider)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPWorkloadIdentityProvider.
+func (in *GCPWorkloadIdentityProvider) DeepCopy() *GCPWorkloadIdentityProvider {
+ if in == nil {
+ return nil
+ }
+ out := new(GCPWorkloadIdentityProvider)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LLMRequestCost) DeepCopyInto(out *LLMRequestCost) {
*out = *in
diff --git a/examples/basic/basic.yaml b/examples/basic/basic.yaml
index d4c38bbd7a..15de6949c7 100644
--- a/examples/basic/basic.yaml
+++ b/examples/basic/basic.yaml
@@ -91,6 +91,24 @@ spec:
kind: BackendSecurityPolicy
group: aigateway.envoyproxy.io
---
+# GCP Example
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: AIServiceBackend
+metadata:
+ name: envoy-ai-gateway-basic-gcp
+ namespace: default
+spec:
+ schema:
+ name: GCPVertexAI
+ backendRef:
+ name: envoy-ai-gateway-basic-gcp
+ kind: Backend
+ group: gateway.envoyproxy.io
+ backendSecurityPolicyRef:
+ name: envoy-ai-gateway-basic-gcp-credentials
+ kind: BackendSecurityPolicy
+ group: aigateway.envoyproxy.io
+---
apiVersion: aigateway.envoyproxy.io/v1alpha1
kind: AIServiceBackend
metadata:
@@ -148,6 +166,28 @@ spec:
secretRef:
name: envoy-ai-gateway-basic-aws-credentials
---
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: BackendSecurityPolicy
+metadata:
+ name: envoy-ai-gateway-basic-gcp-credentials
+ namespace: default
+spec:
+ type: GCPCredentials
+ gcpCredentials:
+ workLoadIdentityFederationConfig:
+ projectID: GCP_PROJECT_ID # Replace with your GCP project ID
+ workloadIdentityPoolName: GCP_WORKLOAD_IDENTITY_POOL # Replace with your workload identity pool name
+ workloadIdentityProvider:
+ name: GCP_IDENTITY_PROVIDER_NAME # Replace with the identity provider configured with GCP
+ OIDCProvider:
+ oidc:
+ provider:
+ issuer: GCP_OIDC_PROVIDER_ISSUER # Replace with your OIDC provider issuer
+ clientID: GCP_OIDC_CLIENT_ID # Replace with your OIDC client ID
+ clientSecret:
+ name: envoy-ai-gateway-basic-gcp-client-secret
+ namespace: default
+---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
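Review bot: The example GCP policy never sets `aud` under `OIDCProvider`, yet a GCP workload identity pool provider accepts an external token only when its audience matches the value configured on the provider (by default the provider's full resource name), so an operator copying this is likely to see the exchange rejected with no hint why. Add the field with a placeholder, e.g. `aud: GCP_WIF_PROVIDER_AUDIENCE # Replace with the audience configured on the workload identity pool provider`, or document in the CRD that the controller derives it from projectID/pool/provider names — hedging here because that derivation is not visible in the diff. `OIDCProvider:` is also the only capitalised key in the example, mirroring the Go JSON tag; if that tag is renamed to camelCase the example must follow.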
@@ -172,6 +212,17 @@ spec:
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
+metadata:
+ name: envoy-ai-gateway-basic-gcp
+ namespace: default
+spec:
+ endpoints:
+ - fqdn:
+ hostname: us-central1-aiplatform.googleapis.com
+ port: 443
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
metadata:
name: envoy-ai-gateway-basic-azure
namespace: default
@@ -211,6 +262,20 @@ spec:
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
+metadata:
+ name: envoy-ai-gateway-basic-gcp-tls
+ namespace: default
+spec:
+ targetRefs:
+ - group: 'gateway.envoyproxy.io'
+ kind: Backend
+ name: envoy-ai-gateway-basic-gcp
+ validation:
+ wellKnownCACertificates: "System"
+ hostname: us-central1-aiplatform.googleapis.com
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
metadata:
name: envoy-ai-gateway-basic-azure-tls
namespace: default
@@ -254,6 +319,14 @@ stringData:
aws_access_key_id = AWS_ACCESS_KEY_ID
aws_secret_access_key = AWS_SECRET_ACCESS_KEY
---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: envoy-ai-gateway-basic-gcp-client-secret
+ namespace: default
+stringData:
+ client-secret: "GCP_OIDC_CLIENT_SECRET" # Replace with your OIDC client secret
+---
apiVersion: aigateway.envoyproxy.io/v1alpha1
kind: AIServiceBackend
metadata:
diff --git a/filterapi/filterconfig.go b/filterapi/filterconfig.go
index 114c11fbcc..00dec6e31f 100644
--- a/filterapi/filterconfig.go
+++ b/filterapi/filterconfig.go
@@ -202,6 +202,8 @@ type BackendAuth struct {
AWSAuth *AWSAuth `json:"aws,omitempty"`
// AzureAuth specifies the location of Azure access token file.
AzureAuth *AzureAuth `json:"azure,omitempty"`
+ // GCPAuth specifies the location of GCP credential file.
+ GCPAuth *GCPAuth `json:"gcp,omitempty"`
}
// AWSAuth defines the credentials needed to access AWS.
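Review bot: The new field comment `GCPAuth specifies the location of GCP credential file` does not match the GCPAuth struct defined further down, whose AccessToken is documented as a literal string alongside Region and ProjectName; the AzureAuth line above appears to carry the same mismatch, and copying it forward compounds it. Suggest `// GCPAuth specifies the GCP access token, region and project used to authenticate requests to Vertex AI.` The BackendAuth struct starts outside the hunk.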
@@ -224,6 +226,16 @@ type AzureAuth struct {
AccessToken string `json:"accessToken"`
}
+// GCPAuth defines the file containing GCP credential that will be mounted to the external proc.
+type GCPAuth struct {
+ // AccessToken is the access token as a literal string.
+ AccessToken string `json:"accessToken"`
+ // Region is the GCP region to use for the request.
+ Region string `json:"region"`
+ // ProjectName is the GCP project name to use for the request.
+ ProjectName string `json:"projectName"`
+}
+
// UnmarshalConfigYaml reads the file at the given path and unmarshals it into a Config struct.
func UnmarshalConfigYaml(path string) (*Config, error) {
raw, err := os.ReadFile(path)
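Review bot: `ProjectName` in GCPAuth is described as "the GCP project name" while the CRD side of this diff collects `projectID`; in GCP those are distinct identifiers and only the project ID is valid in Vertex AI request paths, so the filter field should be `ProjectID` with json `projectID` (or its comment should state that it carries the project ID) before anything depends on the config schema. The struct comment `defines the file containing GCP credential that will be mounted to the external proc` also contradicts the field doc `AccessToken is the access token as a literal string`; if the token is written into the filter config as a literal, as AzureAuth's accessToken appears to be, say so and note that the rendered config must be handled as a secret whose exposure window is bounded by the token's expiry. `Region` has no counterpart in the BackendSecurityPolicy GCP spec, so document where the controller sources it. UnmarshalConfigYaml continues outside the hunk.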
diff --git a/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aigatewayroutes.yaml b/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aigatewayroutes.yaml
index e7de985da7..da4f11c904 100644
--- a/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aigatewayroutes.yaml
+++ b/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aigatewayroutes.yaml
@@ -505,6 +505,8 @@ spec:
- OpenAI
- AWSBedrock
- AzureOpenAI
+ - GCPVertexAI
+ - GCPAnthropic
type: string
version:
description: |-
diff --git a/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aiservicebackends.yaml b/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aiservicebackends.yaml
index 66538e95ea..c9a4772287 100644
--- a/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aiservicebackends.yaml
+++ b/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_aiservicebackends.yaml
@@ -177,6 +177,8 @@ spec:
- OpenAI
- AWSBedrock
- AzureOpenAI
+ - GCPVertexAI
+ - GCPAnthropic
type: string
version:
description: |-
diff --git a/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_backendsecuritypolicies.yaml b/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_backendsecuritypolicies.yaml
index e62141a1b1..23a3a74688 100644
--- a/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_backendsecuritypolicies.yaml
+++ b/manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_backendsecuritypolicies.yaml
@@ -2465,14 +2465,1218 @@ spec:
be specified
rule: (has(self.clientSecretRef) && !has(self.oidcExchangeToken))
|| (!has(self.clientSecretRef) && has(self.oidcExchangeToken))
+ gcpCredentials:
+ description: GCPCredentials is a mechanism to access a backend(s).
+ GCP specific logic will be applied.
+ properties:
+ workLoadIdentityFederationConfig:
+ description: WorkLoadIdentityFederationConfig is the configuration
+ for the GCP Workload Identity Federation.
+ properties:
+ projectID:
+ description: ProjectID is the GCP project ID.
+ minLength: 1
+ type: string
+ serviceAccountImpersonation:
+ description: |-
+ ServiceAccountImpersonation is the service account impersonation configuration.
+ This is used to impersonate a service account when getting access token.
+ properties:
+ serviceAccountName:
+ description: ServiceAccountName is the name of the service
+ account to impersonate.
+ minLength: 1
+ type: string
+ serviceAccountProjectName:
+ description: ServiceAccountProjectName is the project
+ name in which the service account is registered.
+ minLength: 1
+ type: string
+ required:
+ - serviceAccountName
+ - serviceAccountProjectName
+ type: object
+ workloadIdentityPoolName:
+ description: |-
+ WorkloadIdentityPoolName is the name of the workload identity pool defined in GCP.
+ https://cloud.google.com/iam/docs/workload-identity-federation?hl=en
+ minLength: 1
+ type: string
+ workloadIdentityProvider:
+ description: |-
+ WorkloadIdentityProvider is the external auth provider to be used to authenticate against GCP.
+ https://cloud.google.com/iam/docs/workload-identity-federation?hl=en
+ Currently only OIDC is supported.
+ properties:
+ OIDCProvider:
+ description: OIDCProvider is the generic OIDCProvider
+ fields.
+ properties:
+ aud:
+ description: Aud defines the audience that this ID
+ Token is intended for.
+ type: string
+ grantType:
+ description: GrantType is the method application gets
+ access token.
+ type: string
+ oidc:
+ description: OIDC is used to obtain oidc tokens via
+ an SSO server which will be used to exchange for
+ provider credentials.
+ properties:
+ clientID:
+ description: |-
+ The client ID to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ minLength: 1
+ type: string
+ clientSecret:
+ description: |-
+ The Kubernetes secret which contains the OIDC client secret to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+ This is an Opaque secret. The client secret should be stored in the key
+ "client-secret".
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent.
+ For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ cookieDomain:
+ description: |-
+ The optional domain to set the access and ID token cookies on.
+ If not set, the cookies will default to the host of the request, not including the subdomains.
+ If set, the cookies will be set on the specified domain and all subdomains.
+ This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
+ type: string
+ cookieNames:
+ description: |-
+ The optional cookie name overrides to be used for Bearer and IdToken cookies in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, uses a randomly generated suffix
+ properties:
+ accessToken:
+ description: |-
+ The name of the cookie used to store the AccessToken in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, defaults to "AccessToken-(randomly generated uid)"
+ type: string
+ idToken:
+ description: |-
+ The name of the cookie used to store the IdToken in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, defaults to "IdToken-(randomly generated uid)"
+ type: string
+ type: object
+ defaultRefreshTokenTTL:
+ description: |-
+ DefaultRefreshTokenTTL is the default lifetime of the refresh token.
+ This field is only used when the exp (expiration time) claim is omitted in
+ the refresh token or the refresh token is not JWT.
+
+ If not specified, defaults to 604800s (one week).
+ Note: this field is only applicable when the "refreshToken" field is set to true.
+ type: string
+ defaultTokenTTL:
+ description: |-
+ DefaultTokenTTL is the default lifetime of the id token and access token.
+ Please note that Envoy will always use the expiry time from the response
+ of the authorization server if it is provided. This field is only used when
+ the expiry time is not provided by the authorization.
+
+ If not specified, defaults to 0. In this case, the "expires_in" field in
+ the authorization response must be set by the authorization server, or the
+ OAuth flow will fail.
+ type: string
+ forwardAccessToken:
+ description: |-
+ ForwardAccessToken indicates whether the Envoy should forward the access token
+ via the Authorization header Bearer scheme to the upstream.
+ If not specified, defaults to false.
+ type: boolean
+ logoutPath:
+ description: |-
+ The path to log a user out, clearing their credential cookies.
+
+ If not specified, uses a default logout path "/logout"
+ type: string
+ provider:
+ description: The OIDC Provider configuration.
+ properties:
+ authorizationEndpoint:
+ description: |-
+ The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ type: string
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the
+ referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of
+ connections that Envoy will establish
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of
+ parallel requests that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of
+ parallel retries that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of
+ pending requests that Envoy will
+ queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit
+ Breakers that will apply per-endpoint
+ for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures
+ the maximum number of connections
+ that Envoy will establish per-endpoint
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend
+ connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution
+ settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway
+ to perform active health checking on
+ backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold
+ defines the number of healthy
+ health checks required before
+ a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse
+ defines a list of HTTP expected
+ responses to match.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus
+ defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines
+ the HTTP path that will
+ be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between active health
+ checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines
+ the expected response payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ send:
+ description: Send defines
+ the request payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the
+ time to wait for a health check
+ response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the
+ type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold
+ defines the number of unhealthy
+ health checks required before
+ a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type
+ is HTTP, http field needs to be
+ set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type
+ is TCP, tcp field needs to be
+ set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only
+ be set if the Health Checker type
+ is GRPC.
+ rule: 'has(self.grpc) ? self.type
+ == ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check
+ configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime
+ defines the base duration for
+ which a host will be ejected
+ on consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors
+ sets the number of consecutive
+ 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors
+ sets the number of consecutive
+ gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between passive health
+ checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent
+ sets the maximum percentage
+ of hosts in a cluster that can
+ be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors
+ between external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures
+ the cookie hash policy when
+ the consistent hash type is
+ set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes
+ to set for the generated
+ cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures
+ the header hash policy when
+ the consistent hash type is
+ set to Header.
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for
+ consistent hashing, must be
+ prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type
+ is header, the header field must
+ be set.
+ rule: 'self.type == ''Header'' ?
+ has(self.header) : !has(self.header)'
+ - message: If consistent hash type
+ is cookie, the cookie field must
+ be set.
+ rule: 'self.type == ''Cookie'' ?
+ has(self.cookie) : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash''
+ ? has(self.consistentHash) : !has(self.consistentHash)'
+ - message: Currently SlowStart is only
+ supported for RoundRobin and LeastRequest
+ load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the
+ Proxy Protocol when communicating with
+ the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number
+ of retries to be attempted. Defaults
+ to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry
+ policy to be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval
+ is the base interval between
+ retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout
+ per retry attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines
+ the http status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies
+ the retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies
+ the conditions that trigger
+ retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the
+ backend connections.
+ properties:
+ http:
+ description: Timeout settings for
+ HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is
+ the time until which entire
+ response is received from the
+ upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for
+ TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ issuer:
+ description: |-
+ The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+ Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
+ be https, a host component, and optionally, port and path components and
+ no query or fragment components.
+ minLength: 1
+ type: string
+ tokenEndpoint:
+ description: |-
+ The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ type: string
+ required:
+ - issuer
+ type: object
+ x-kubernetes-validations:
+ - message: BackendRefs must be used, backendRef
+ is not supported.
+ rule: '!has(self.backendRef)'
+ - message: Retry timeout is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)?
+ !has(self.backendSettings.retry.perRetry.timeout):true):true):true
+ - message: HTTPStatusCodes is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)?
+ !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true
+ redirectURL:
+ description: |-
+ The redirect URL to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
+ type: string
+ refreshToken:
+ description: |-
+ RefreshToken indicates whether the Envoy should automatically refresh the
+ id token and access token when they expire.
+ When set to true, the Envoy will use the refresh token to get a new id token
+ and access token when they expire.
+
+ If not specified, defaults to false.
+ type: boolean
+ resources:
+ description: |-
+ The OIDC resources to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ items:
+ type: string
+ type: array
+ scopes:
+ description: |-
+ The OIDC scopes to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ The "openid" scope is always added to the list of scopes if not already
+ specified.
+ items:
+ type: string
+ type: array
+ required:
+ - clientID
+ - clientSecret
+ - provider
+ type: object
+ required:
+ - oidc
+ type: object
+ name:
+ description: Name of the external identity provider as
+ registered on Google Cloud Platform.
+ minLength: 1
+ type: string
+ required:
+ - OIDCProvider
+ - name
+ type: object
+ required:
+ - projectID
+ - workloadIdentityPoolName
+ - workloadIdentityProvider
+ type: object
+ required:
+ - workLoadIdentityFederationConfig
+ type: object
type:
- description: Type specifies the auth mechanism used to access the
- provider. Currently, only "APIKey", "AWSCredentials", and "AzureCredentials"
- are supported.
+ description: Type specifies the type of the backend security policy.
enum:
- APIKey
- AWSCredentials
- AzureCredentials
+ - GCPCredentials
type: string
required:
- type
diff --git a/site/docs/api/api.mdx b/site/docs/api/api.mdx
index f9c0c1bbb8..218867b742 100644
--- a/site/docs/api/api.mdx
+++ b/site/docs/api/api.mdx
@@ -311,10 +311,14 @@ BackendSecurityPolicyList contains a list of BackendSecurityPolicy
- [BackendSecurityPolicyAPIKey](#backendsecuritypolicyapikey)
- [BackendSecurityPolicyAWSCredentials](#backendsecuritypolicyawscredentials)
- [BackendSecurityPolicyAzureCredentials](#backendsecuritypolicyazurecredentials)
+- [BackendSecurityPolicyGCPCredentials](#backendsecuritypolicygcpcredentials)
- [BackendSecurityPolicyOIDC](#backendsecuritypolicyoidc)
- [BackendSecurityPolicySpec](#backendsecuritypolicyspec)
- [BackendSecurityPolicyStatus](#backendsecuritypolicystatus)
- [BackendSecurityPolicyType](#backendsecuritypolicytype)
+- [GCPServiceAccountImpersonationConfig](#gcpserviceaccountimpersonationconfig)
+- [GCPWorkLoadIdentityFederationConfig](#gcpworkloadidentityfederationconfig)
+- [GCPWorkloadIdentityProvider](#gcpworkloadidentityprovider)
- [LLMRequestCost](#llmrequestcost)
- [LLMRequestCostType](#llmrequestcosttype)
- [VersionedAPISchema](#versionedapischema)
@@ -635,6 +639,16 @@ APISchema defines the API schema.
type="enum"
required="false"
description="APISchemaAzureOpenAI APISchemaAzure is the Azure OpenAI schema.
https://learn.microsoft.com/en-us/azure/ai-services/openai/reference#api-specs
"
+/>
#### AWSCredentialsFile
@@ -825,6 +839,27 @@ neither are set.
/>
+#### BackendSecurityPolicyGCPCredentials
+
+
+
+**Appears in:**
+- [BackendSecurityPolicySpec](#backendsecuritypolicyspec)
+
+BackendSecurityPolicyGCPCredentials contains the supported authentication mechanisms to access GCP.
+
+##### Fields
+
+
+
+
+
+
#### BackendSecurityPolicyOIDC
@@ -832,6 +867,7 @@ neither are set.
**Appears in:**
- [AWSOIDCExchangeToken](#awsoidcexchangetoken)
- [AzureOIDCExchangeToken](#azureoidcexchangetoken)
+- [GCPWorkloadIdentityProvider](#gcpworkloadidentityprovider)
BackendSecurityPolicyOIDC specifies OIDC related fields.
@@ -877,7 +913,7 @@ Only one type of BackendSecurityPolicy can be defined.
name="type"
type="[BackendSecurityPolicyType](#backendsecuritypolicytype)"
required="true"
- description="Type specifies the auth mechanism used to access the provider. Currently, only `APIKey`, `AWSCredentials`, and `AzureCredentials` are supported."
+ description="Type specifies the type of the backend security policy."
/>
@@ -945,7 +986,103 @@ BackendSecurityPolicyType specifies the type of auth mechanism used to access a
type="enum"
required="false"
description=""
+/>
+#### GCPServiceAccountImpersonationConfig
+
+
+
+**Appears in:**
+- [GCPWorkLoadIdentityFederationConfig](#gcpworkloadidentityfederationconfig)
+
+
+
+##### Fields
+
+
+
+
+
+
+#### GCPWorkLoadIdentityFederationConfig
+
+
+
+**Appears in:**
+- [BackendSecurityPolicyGCPCredentials](#backendsecuritypolicygcpcredentials)
+
+
+
+##### Fields
+
+
+
+
+
+
+#### GCPWorkloadIdentityProvider
+
+
+
+**Appears in:**
+- [GCPWorkLoadIdentityFederationConfig](#gcpworkloadidentityfederationconfig)
+
+GCPWorkloadIdentityProvider specifies the external identity provider to be used to authenticate against GCP.
+The external identity provider can be AWS, Microsoft, etc but must be pre-registered in the GCP project
+
+https://cloud.google.com/iam/docs/workload-identity-federation
+
+##### Fields
+
+
+
+
+
+
#### LLMRequestCost
diff --git a/tests/crdcel/main_test.go b/tests/crdcel/main_test.go
index 86b8d03e16..29c47aec23 100644
--- a/tests/crdcel/main_test.go
+++ b/tests/crdcel/main_test.go
@@ -142,6 +142,7 @@ func TestBackendSecurityPolicies(t *testing.T) {
{name: "azure_valid_credentials.yaml"},
{name: "aws_credential_file.yaml"},
{name: "aws_oidc.yaml"},
+ {name: "gcp_oidc.yaml"},
} {
t.Run(tc.name, func(t *testing.T) {
data, err := testdata.ReadFile(path.Join("testdata/backendsecuritypolicies", tc.name))
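Review bot: The new `{name: "gcp_oidc.yaml"}` case only exercises the accepted shape of a GCPCredentials policy; nothing in this loop adds a negative fixture for the new type, such as `type: GCPCredentials` with the `gcpCredentials` block missing or with a second provider's credentials set alongside it. If the BackendSecurityPolicy spec carries a CEL rule tying `type` to its matching credentials field (not visible in this hunk), a rejected-input fixture would pin that rule for GCP the same way the existing provider cases presumably do. TestBackendSecurityPolicies begins before this hunk, so whether the table also carries an expected-error field cannot be confirmed from here.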
diff --git a/tests/crdcel/testdata/backendsecuritypolicies/gcp_oidc.yaml b/tests/crdcel/testdata/backendsecuritypolicies/gcp_oidc.yaml
new file mode 100644
index 0000000000..1ef952662b
--- /dev/null
+++ b/tests/crdcel/testdata/backendsecuritypolicies/gcp_oidc.yaml
@@ -0,0 +1,26 @@
+# Copyright Envoy AI Gateway Authors
+# SPDX-License-Identifier: Apache-2.0
+# The full text of the Apache license is available in the LICENSE file at
+# the root of the repo.
+
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: BackendSecurityPolicy
+metadata:
+ name: envoy-ai-gateway-basic-gcp-credentials
+ namespace: default
+spec:
+ type: GCPCredentials
+ gcpCredentials:
+ workLoadIdentityFederationConfig:
+ projectID: GCP_PROJECT_ID
+ workloadIdentityPoolName: GCP_WORKLOAD_IDENTITY_POOL
+ workloadIdentityProvider:
+ name: GCP_IDENTITY_PROVIDER_NAME
+ OIDCProvider:
+ oidc:
+ provider:
+ issuer: GCP_OIDC_PROVIDER_ISSUER
+ clientID: GCP_OIDC_CLIENT_ID
+ clientSecret:
+ name: envoy-ai-gateway-basic-gcp-client-secret
+ namespace: default
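Review bot: The fixture's keys show two naming inconsistencies that the generated CRD in this diff now locks in: `OIDCProvider` is the only PascalCase field in the spec (it appears verbatim in the schema's required list), and `workLoadIdentityFederationConfig` capitalizes "Load" while the sibling keys `workloadIdentityPoolName` and `workloadIdentityProvider` do not. Since this is a v1alpha1 surface, renaming them to `oidcProvider` and `workloadIdentityFederationConfig` before the first release is far cheaper than a breaking rename later. Separately, the `issuer: GCP_OIDC_PROVIDER_ISSUER` placeholder is accepted only because the schema enforces `minLength: 1`; the field's own description requires an https URI, so a value such as `issuer: https://issuer.example.invalid` (a constructed placeholder) would match the documented contract and keep this fixture valid if a `pattern` constraint is added later.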