{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "LocalConfig", "type": "object", "properties": { "config": { "$ref": "#/$defs/RawConfig", "default": null }, "binds": { "type": "array", "items": { "$ref": "#/$defs/LocalBind" } }, "frontendPolicies": { "$ref": "#/$defs/LocalFrontendPolicies" }, "policies": { "description": "policies defines additional policies that can be attached to various other configurations.\nThis is an advanced feature; users should typically use the inline `policies` field under route/gateway.", "type": "array", "items": { "$ref": "#/$defs/LocalPolicy" } }, "workloads": { "default": [] }, "services": { "default": [] }, "backends": { "type": "array", "items": { "$ref": "#/$defs/FullLocalBackend" } }, "llm": { "anyOf": [ { "$ref": "#/$defs/LocalLLMConfig" }, { "type": "null" } ] }, "mcp": { "anyOf": [ { "$ref": "#/$defs/LocalSimpleMcpConfig" }, { "type": "null" } ] } }, "additionalProperties": false, "$defs": { "RawConfig": { "type": "object", "properties": { "enableIpv6": { "type": [ "boolean", "null" ] }, "dns": { "description": "DNS resolver settings.", "anyOf": [ { "$ref": "#/$defs/RawDnsConfig" }, { "type": "null" } ] }, "localXdsPath": { "description": "Local XDS path. 
If not specified, the current configuration file will be used.", "type": [ "string", "null" ] }, "caAddress": { "type": [ "string", "null" ] }, "caAuthToken": { "type": [ "string", "null" ] }, "xdsAddress": { "type": [ "string", "null" ] }, "xdsAuthToken": { "type": [ "string", "null" ] }, "namespace": { "type": [ "string", "null" ] }, "gateway": { "type": [ "string", "null" ] }, "trustDomain": { "type": [ "string", "null" ] }, "serviceAccount": { "type": [ "string", "null" ] }, "clusterId": { "type": [ "string", "null" ] }, "network": { "type": [ "string", "null" ] }, "adminAddr": { "description": "Admin UI address in the format \"ip:port\"", "type": [ "string", "null" ] }, "statsAddr": { "description": "Stats/metrics server address in the format \"ip:port\"", "type": [ "string", "null" ] }, "readinessAddr": { "description": "Readiness probe server address in the format \"ip:port\"", "type": [ "string", "null" ] }, "session": { "description": "Configuration for stateful session management", "anyOf": [ { "$ref": "#/$defs/RawSession" }, { "type": "null" } ] }, "connectionTerminationDeadline": { "type": [ "string", "null" ], "default": null }, "connectionMinTerminationDeadline": { "type": [ "string", "null" ], "default": null }, "workerThreads": { "type": [ "string", "null" ] }, "tracing": { "anyOf": [ { "$ref": "#/$defs/RawTracing" }, { "type": "null" } ] }, "logging": { "anyOf": [ { "$ref": "#/$defs/RawLogging" }, { "type": "null" } ] }, "metrics": { "anyOf": [ { "$ref": "#/$defs/RawMetrics" }, { "type": "null" } ] }, "backend": { "$ref": "#/$defs/BackendConfig", "default": { "keepalives": { "enabled": true, "time": "3m0s", "interval": "3m0s", "retries": 9 }, "connectTimeout": "10s", "poolIdleTimeout": "1m30s", "poolMaxSize": null } }, "hbone": { "anyOf": [ { "$ref": "#/$defs/RawHBONE" }, { "type": "null" } ] } }, "additionalProperties": false }, "RawDnsConfig": { "type": "object", "properties": { "lookupFamily": { "description": "Controls which IP address families 
the DNS resolver will query for\nupstream connections.\nAccepted values: All, Auto, V4Preferred, V4Only, V6Only.\nDefaults to Auto (IPv4-only when enableIpv6 is false, both when true).", "anyOf": [ { "$ref": "#/$defs/DnsLookupFamily" }, { "type": "null" } ] }, "edns0": { "description": "Whether to enable EDNS0 (Extension Mechanisms for DNS) in the resolver.\nWhen unset (`null`), the system-provided resolver setting is preserved.\nCan also be set via the `DNS_EDNS0` environment variable.", "type": [ "boolean", "null" ] } }, "additionalProperties": false }, "DnsLookupFamily": { "description": "Controls which IP address families the DNS resolver will query for\nupstream (backend) connections.\n\nMaps to hickory_resolver's `LookupIpStrategy` under the hood.\n\nCan be set via the `DNS_LOOKUP_FAMILY` environment variable or the\n`dns.lookupFamily` field in the config file.", "oneOf": [ { "description": "Query for both A and AAAA records in parallel and use all results.", "type": "string", "const": "All" }, { "description": "Automatically choose based on the `enableIpv6` setting. 
When IPv6 is\nenabled this behaves like `V4Preferred`; otherwise `V4Only`.", "type": "string", "const": "Auto" }, { "description": "Query for both A and AAAA, but prefer IPv4 addresses when both are\navailable.", "type": "string", "const": "V4Preferred" }, { "description": "Only query for A (IPv4) records.", "type": "string", "const": "V4Only" }, { "description": "Only query for AAAA (IPv6) records.", "type": "string", "const": "V6Only" } ] }, "RawSession": { "type": "object", "properties": { "key": { "description": "The AES-256-GCM key used to protect session tokens.\nIf no session key is configured, sessions will not be encrypted.\nFor example, generate one with `openssl rand -hex 32`.\nThis value is a secret: restrict read access to any configuration file that contains it.", "type": "string" } }, "additionalProperties": false, "required": [ "key" ] }, "RawTracing": { "type": "object", "properties": { "otlpEndpoint": { "type": "string" }, "headers": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} }, "otlpProtocol": { "$ref": "#/$defs/Protocol", "default": "grpc" }, "fields": { "anyOf": [ { "$ref": "#/$defs/RawLoggingFields" }, { "type": "null" } ] }, "randomSampling": { "description": "Expression to determine the amount of *random sampling*.\nRandom sampling will initiate a new trace span if the incoming request does not have a trace already.\nThis should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.\nThis defaults to 'false'.", "anyOf": [ { "$ref": "#/$defs/StringBoolFloat" }, { "type": "null" } ] }, "clientSampling": { "description": "Expression to determine the amount of *client sampling*.\nClient sampling determines whether to initiate a new trace span if the incoming request does have a trace already.\nThis should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.\nThis defaults to 'true'.", "anyOf": [ { "$ref": "#/$defs/StringBoolFloat" }, { "type": "null" } ] }, "path": { "description": "OTLP path. 
Default is /v1/traces", "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "otlpEndpoint" ] }, "Protocol": { "type": "string", "enum": [ "grpc", "http" ] }, "RawLoggingFields": { "type": "object", "properties": { "remove": { "type": "array", "items": { "type": "string" }, "default": [] }, "add": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} } }, "additionalProperties": false }, "StringBoolFloat": { "type": [ "string", "number", "boolean" ] }, "RawLogging": { "type": "object", "properties": { "filter": { "type": [ "string", "null" ] }, "fields": { "anyOf": [ { "$ref": "#/$defs/RawLoggingFields" }, { "type": "null" } ] }, "level": { "anyOf": [ { "$ref": "#/$defs/RawLoggingLevel" }, { "type": "null" } ] }, "format": { "anyOf": [ { "$ref": "#/$defs/LoggingFormat" }, { "type": "null" } ] } }, "additionalProperties": false }, "RawLoggingLevel": { "anyOf": [ { "type": "string" }, { "type": "array", "items": { "type": "string" } } ] }, "LoggingFormat": { "type": "string", "enum": [ "text", "json" ] }, "RawMetrics": { "type": "object", "properties": { "remove": { "type": "array", "items": { "type": "string" }, "default": [] }, "fields": { "anyOf": [ { "$ref": "#/$defs/RawMetricFields" }, { "type": "null" } ] } }, "additionalProperties": false }, "RawMetricFields": { "type": "object", "properties": { "add": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} } }, "additionalProperties": false }, "BackendConfig": { "type": "object", "properties": { "keepalives": { "$ref": "#/$defs/KeepaliveConfig", "default": { "enabled": true, "time": "3m0s", "interval": "3m0s", "retries": 9 } }, "connectTimeout": { "type": "string", "default": "10s" }, "poolIdleTimeout": { "description": "The maximum duration to keep an idle connection alive.", "type": "string", "default": "1m30s" }, "poolMaxSize": { "description": "The maximum number of connections allowed in the pool, per hostname. 
If set, this will limit\nthe total number of connections kept alive to any given host.\nNote: excess connections will still be created, they will just not remain idle.\nIf unset, there is no limit", "type": [ "integer", "null" ], "format": "uint", "minimum": 0, "default": null } }, "additionalProperties": false }, "KeepaliveConfig": { "type": "object", "properties": { "enabled": { "type": "boolean", "default": true }, "time": { "type": "string", "default": "3m0s" }, "interval": { "type": "string", "default": "3m0s" }, "retries": { "type": "integer", "format": "uint32", "minimum": 0, "default": 9 } }, "additionalProperties": false }, "RawHBONE": { "type": "object", "properties": { "windowSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0 }, "connectionWindowSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0 }, "frameSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0 }, "poolMaxStreamsPerConn": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "poolUnusedReleaseTimeout": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "LocalBind": { "type": "object", "properties": { "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 }, "listeners": { "type": "array", "items": { "$ref": "#/$defs/LocalListener" } }, "tunnelProtocol": { "$ref": "#/$defs/TunnelProtocol", "default": "direct" } }, "additionalProperties": false, "required": [ "port", "listeners" ] }, "LocalListener": { "type": "object", "properties": { "name": { "type": [ "string", "null" ], "default": null }, "namespace": { "type": [ "string", "null" ], "default": null }, "hostname": { "description": "Can be a wildcard", "type": [ "string", "null" ] }, "protocol": { "$ref": "#/$defs/LocalListenerProtocol" }, "tls": { "anyOf": [ { "$ref": "#/$defs/LocalTLSServerConfig" }, { "type": "null" } ] }, "routes": { "type": [ "array", "null" ], "items": { "$ref": 
"#/$defs/LocalRoute" } }, "tcpRoutes": { "type": [ "array", "null" ], "items": { "$ref": "#/$defs/LocalTCPRoute" } }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalGatewayPolicy" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalListenerProtocol": { "type": "string", "enum": [ "HTTP", "HTTPS", "TLS", "TCP", "HBONE" ] }, "LocalTLSServerConfig": { "type": "object", "properties": { "cert": { "type": "string" }, "key": { "type": "string" }, "root": { "type": [ "string", "null" ] }, "cipherSuites": { "description": "Optional cipher suite allowlist (order is preserved).", "type": [ "array", "null" ], "items": { "type": "string" } }, "minTLSVersion": { "description": "Minimum supported TLS version (only TLS 1.2 and 1.3 are supported).", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "maxTLSVersion": { "description": "Maximum supported TLS version (only TLS 1.2 and 1.3 are supported).", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "cert", "key" ] }, "TLSVersion": { "type": "string", "enum": [ "TLS_V1_0", "TLS_V1_1", "TLS_V1_2", "TLS_V1_3" ] }, "LocalRoute": { "type": "object", "properties": { "name": { "type": [ "string", "null" ], "default": null }, "namespace": { "type": [ "string", "null" ], "default": null }, "ruleName": { "type": [ "string", "null" ], "default": null }, "hostnames": { "description": "Can be a wildcard", "type": "array", "items": { "type": "string" } }, "matches": { "type": "array", "items": { "$ref": "#/$defs/RouteMatch" }, "default": [ { "path": { "pathPrefix": "/" } } ] }, "policies": { "anyOf": [ { "$ref": "#/$defs/FilterOrPolicy" }, { "type": "null" } ] }, "backends": { "type": "array", "items": { "$ref": "#/$defs/LocalRouteBackend" } } }, "additionalProperties": false }, "RouteMatch": { "type": "object", "properties": { "headers": { "type": "array", "items": { "$ref": "#/$defs/HeaderMatch" } }, "path": { "$ref": "#/$defs/PathMatch", 
"default": { "pathPrefix": "/" } }, "method": { "type": "string" }, "query": { "type": "array", "items": { "$ref": "#/$defs/QueryMatch" } } }, "additionalProperties": false }, "HeaderMatch": { "type": "object", "properties": { "name": { "type": "string" }, "value": { "$ref": "#/$defs/HeaderValueMatch" } }, "additionalProperties": false, "required": [ "name", "value" ] }, "HeaderValueMatch": { "oneOf": [ { "type": "object", "properties": { "exact": { "type": "string" } }, "required": [ "exact" ], "additionalProperties": false }, { "type": "object", "properties": { "regex": { "type": "string" } }, "required": [ "regex" ], "additionalProperties": false } ] }, "PathMatch": { "oneOf": [ { "type": "object", "properties": { "exact": { "type": "string" } }, "required": [ "exact" ], "additionalProperties": false }, { "type": "object", "properties": { "pathPrefix": { "type": "string" } }, "required": [ "pathPrefix" ], "additionalProperties": false }, { "type": "object", "properties": { "regex": { "type": "string" } }, "required": [ "regex" ], "additionalProperties": false } ] }, "QueryMatch": { "type": "object", "properties": { "name": { "type": "string" }, "value": { "$ref": "#/$defs/QueryValueMatch" } }, "additionalProperties": false, "required": [ "name", "value" ] }, "QueryValueMatch": { "oneOf": [ { "type": "object", "properties": { "exact": { "type": "string" } }, "required": [ "exact" ], "additionalProperties": false }, { "type": "object", "properties": { "regex": { "type": "string" } }, "required": [ "regex" ], "additionalProperties": false } ] }, "FilterOrPolicy": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Headers to be modified in the request.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaderModifier": { "description": "Headers to be modified in the response.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "requestRedirect": { 
"description": "Directly respond to the request with a redirect.", "anyOf": [ { "$ref": "#/$defs/RequestRedirect" }, { "type": "null" } ], "default": null }, "urlRewrite": { "description": "Modify the URL path or authority.", "anyOf": [ { "$ref": "#/$defs/UrlRewrite" }, { "type": "null" } ], "default": null }, "requestMirror": { "description": "Mirror incoming requests to another destination.", "anyOf": [ { "$ref": "#/$defs/RequestMirror" }, { "type": "null" } ], "default": null }, "directResponse": { "description": "Directly respond to the request with a static response.", "anyOf": [ { "$ref": "#/$defs/DirectResponse" }, { "type": "null" } ], "default": null }, "cors": { "description": "Handle CORS preflight requests and append configured CORS headers to applicable requests.", "anyOf": [ { "$ref": "#/$defs/CorsSerde" }, { "type": "null" } ], "default": null }, "mcpAuthorization": { "description": "Authorization policies for MCP access.", "anyOf": [ { "$ref": "#/$defs/McpAuthorization" }, { "type": "null" } ], "default": null }, "authorization": { "description": "Authorization policies for HTTP access.", "anyOf": [ { "$ref": "#/$defs/Authorization" }, { "type": "null" } ], "default": null }, "mcpAuthentication": { "description": "Authentication for MCP clients.", "anyOf": [ { "$ref": "#/$defs/LocalMcpAuthentication" }, { "type": "null" } ] }, "a2a": { "description": "Mark this traffic as A2A to enable A2A processing and telemetry.", "anyOf": [ { "$ref": "#/$defs/A2aPolicy" }, { "type": "null" } ], "default": null }, "ai": { "description": "Mark this as LLM traffic to enable LLM processing.", "anyOf": [ { "$ref": "#/$defs/Policy" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "Send TLS to the backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendTunnel": { "description": "Tunnel to the backend.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "backendAuth": { 
"description": "Authenticate to the backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuth" }, { "type": "null" } ], "default": null }, "localRateLimit": { "description": "Rate limit incoming requests. State is kept local.", "type": "array", "items": { "$ref": "#/$defs/RateLimitSpec" }, "default": [] }, "remoteRateLimit": { "description": "Rate limit incoming requests. State is managed by a remote server.", "anyOf": [ { "$ref": "#/$defs/RemoteRateLimit" }, { "type": "null" } ], "default": null }, "jwtAuth": { "description": "Authenticate incoming JWT requests.", "anyOf": [ { "$ref": "#/$defs/LocalJwtConfig" }, { "type": "null" } ] }, "oidc": { "description": "Authenticate incoming browser requests with OIDC authorization code flow.", "anyOf": [ { "$ref": "#/$defs/LocalOidcConfig" }, { "type": "null" } ] }, "basicAuth": { "description": "Authenticate incoming requests using Basic Authentication with htpasswd.", "anyOf": [ { "$ref": "#/$defs/LocalBasicAuth" }, { "type": "null" } ] }, "apiKey": { "description": "Authenticate incoming requests using API Keys", "anyOf": [ { "$ref": "#/$defs/LocalAPIKeys" }, { "type": "null" } ] }, "extAuthz": { "description": "Authenticate incoming requests by calling an external authorization server.", "anyOf": [ { "$ref": "#/$defs/ExtAuthz" }, { "type": "null" } ], "default": null }, "extProc": { "description": "Extend agentgateway with an external processor", "anyOf": [ { "$ref": "#/$defs/ExtProc" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify requests and responses", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "csrf": { "description": "Handle CSRF protection by validating request origins against configured allowed origins.", "anyOf": [ { "$ref": "#/$defs/Csrf" }, { "type": "null" } ], "default": null }, "timeout": { "description": "Timeout requests that exceed the configured duration.", "anyOf": [ { "$ref": "#/$defs/Policy2" }, { "type": 
"null" } ], "default": null }, "retry": { "description": "Retry matching requests.", "anyOf": [ { "$ref": "#/$defs/Policy3" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "HeaderModifier": { "type": "object", "properties": { "add": { "type": "object", "additionalProperties": { "type": "string" } }, "set": { "type": "object", "additionalProperties": { "type": "string" } }, "remove": { "type": "array", "items": { "type": "string" } } }, "additionalProperties": false }, "RequestRedirect": { "type": "object", "properties": { "scheme": { "type": [ "string", "null" ] }, "authority": { "anyOf": [ { "$ref": "#/$defs/HostRedirect" }, { "type": "null" } ] }, "path": { "anyOf": [ { "$ref": "#/$defs/PathRedirect" }, { "type": "null" } ] }, "status": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 1, "maximum": 65535 } }, "additionalProperties": false }, "HostRedirect": { "oneOf": [ { "type": "string", "enum": [ "auto", "none" ] }, { "type": "object", "properties": { "full": { "type": "string" } }, "required": [ "full" ], "additionalProperties": false }, { "type": "object", "properties": { "host": { "type": "string" } }, "required": [ "host" ], "additionalProperties": false }, { "type": "object", "properties": { "port": { "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535 } }, "required": [ "port" ], "additionalProperties": false } ] }, "PathRedirect": { "oneOf": [ { "type": "object", "properties": { "full": { "type": "string" } }, "required": [ "full" ], "additionalProperties": false }, { "type": "object", "properties": { "prefix": { "type": "string" } }, "required": [ "prefix" ], "additionalProperties": false } ] }, "UrlRewrite": { "type": "object", "properties": { "authority": { "anyOf": [ { "$ref": "#/$defs/HostRedirect" }, { "type": "null" } ] }, "path": { "anyOf": [ { "$ref": "#/$defs/PathRedirect" }, { "type": "null" } ] } }, "additionalProperties": false }, "RequestMirror": { "type": "object", 
"properties": { "backend": { "$ref": "#/$defs/SimpleLocalBackend" }, "percentage": { "type": "number", "format": "double" } }, "additionalProperties": false, "required": [ "backend", "percentage" ] }, "SimpleLocalBackend": { "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ], "additionalProperties": false }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ], "additionalProperties": false }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ], "additionalProperties": false } ] }, "NamespacedHostname": { "type": "object", "properties": { "namespace": { "type": "string" }, "hostname": { "type": "string" } }, "required": [ "namespace", "hostname" ] }, "DirectResponse": { "type": "object", "properties": { "body": { "$ref": "#/$defs/Bytes" }, "status": { "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535 } }, "additionalProperties": false, "required": [ "body", "status" ] }, "Bytes": { "type": [ "array", "string" ], "items": { "type": "integer", "format": "uint8", "minimum": 0, "maximum": 255 } }, "CorsSerde": { "type": "object", "properties": { "allowCredentials": { "type": "boolean", "default": false }, "allowHeaders": { "type": "array", "items": { "type": "string" }, "default": [] }, "allowMethods": { "type": "array", "items": { "type": "string" }, "default": [] }, "allowOrigins": { "type": "array", "items": { "type": "string" }, "default": [] }, "exposeHeaders": { "type": "array", "items": { "type": "string" }, "default": [] }, "maxAge": { "type": [ "string", "null" ], "default": null } }, "additionalProperties": false }, "McpAuthorization": { "$ref": "#/$defs/RuleSet" }, "RuleSet": { "type": "object", "properties": { "rules": { "type": "array", "items": { "type": "string" } } }, "additionalProperties": false, "required": [ "rules" ] }, "Authorization": { "$ref": "#/$defs/RuleSet" }, "LocalMcpAuthentication": { "type": "object", "properties": { "issuer": { "type": "string" }, "audiences": { "type": "array", "items": { "type": "string" } }, "provider": { "anyOf": [ { "$ref": "#/$defs/McpIDP" }, { "type": "null" } ] }, "resourceMetadata": { "$ref": "#/$defs/ResourceMetadata" }, "jwks": { "$ref": "#/$defs/FileInlineOrRemote" }, "mode": { "$ref": "#/$defs/McpAuthenticationMode", "default": "strict" }, "jwtValidationOptions": { "$ref": "#/$defs/JWTValidationOptions", "default": { 
"requiredClaims": [ "exp" ] } } }, "additionalProperties": false, "required": [ "issuer", "audiences", "resourceMetadata", "jwks" ] }, "McpIDP": { "oneOf": [ { "type": "object", "properties": { "auth0": { "type": "object", "additionalProperties": false } }, "required": [ "auth0" ], "additionalProperties": false }, { "type": "object", "properties": { "keycloak": { "type": "object", "additionalProperties": false } }, "required": [ "keycloak" ], "additionalProperties": false } ] }, "ResourceMetadata": { "type": "object", "additionalProperties": true }, "FileInlineOrRemote": { "anyOf": [ { "type": "object", "properties": { "file": { "type": "string" } }, "required": [ "file" ] }, { "type": "string" }, { "type": "object", "properties": { "url": { "type": "string" } }, "required": [ "url" ] } ] }, "McpAuthenticationMode": { "oneOf": [ { "description": "A valid token, issued by a configured issuer, must be present.\nThis is the default option.", "type": "string", "const": "strict" }, { "description": "If a token exists, validate it.\nWarning: this allows requests without a JWT token! Additionally, 401 errors will not be returned,\nso clients will not be triggered to initiate an OAuth flow.", "type": "string", "const": "optional" }, { "description": "Requests are never rejected. This is useful for usage of claims in later steps (authorization, logging, etc).\nWarning: this allows requests without a JWT token! Additionally, 401 errors will not be returned,\nso clients will not be triggered to initiate an OAuth flow.", "type": "string", "const": "permissive" } ] }, "JWTValidationOptions": { "description": "JWT validation options controlling which claims must be present in a token.\n\nThe `requiredClaims` set specifies which RFC 7519 registered claims must\nexist in the token payload before validation proceeds. Only the following\nvalues are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. 
Other registered\nclaims such as `iat` and `jti` are **not** enforced by the underlying\n`jsonwebtoken` library and will be silently ignored.\n\nThis only enforces **presence**. Standard claims like `exp` and `nbf`\nhave their values validated independently (e.g., expiry is always checked\nwhen the `exp` claim is present, regardless of this setting).\n\nDefaults to `[\"exp\"]`.", "type": "object", "properties": { "requiredClaims": { "description": "Claims that must be present in the token before validation.\nOnly \"exp\", \"nbf\", \"aud\", \"iss\", \"sub\" are enforced; others\n(including \"iat\" and \"jti\") are ignored.\nDefaults to [\"exp\"]. Use an empty list to require no claims.", "type": "array", "uniqueItems": true, "items": { "type": "string" }, "default": [ "exp" ] } }, "additionalProperties": false }, "A2aPolicy": { "type": "object", "additionalProperties": false }, "Policy": { "type": "object", "properties": { "promptGuard": { "anyOf": [ { "$ref": "#/$defs/PromptGuard" }, { "type": "null" } ] }, "defaults": { "type": [ "object", "null" ], "additionalProperties": true }, "overrides": { "type": [ "object", "null" ], "additionalProperties": true }, "transformations": { "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "prompts": { "anyOf": [ { "$ref": "#/$defs/PromptEnrichment" }, { "type": "null" } ] }, "modelAliases": { "type": "object", "additionalProperties": { "type": "string" } }, "promptCaching": { "anyOf": [ { "$ref": "#/$defs/PromptCachingConfig" }, { "type": "null" } ] }, "routes": { "type": "object", "additionalProperties": { "$ref": "#/$defs/RouteType" } } }, "additionalProperties": false }, "PromptGuard": { "type": "object", "properties": { "request": { "type": "array", "items": { "$ref": "#/$defs/RequestGuard" } }, "response": { "type": "array", "items": { "$ref": "#/$defs/ResponseGuard" } } }, "additionalProperties": false }, "RequestGuard": { "type": "object", "properties": { "rejection": { "$ref": 
"#/$defs/RequestRejection", "default": { "body": "The request was rejected due to inappropriate content", "status": 403 } } }, "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "regex": { "$ref": "#/$defs/RegexRules" } }, "required": [ "regex" ] }, { "type": "object", "properties": { "webhook": { "$ref": "#/$defs/Webhook" } }, "required": [ "webhook" ] }, { "type": "object", "properties": { "openAIModeration": { "$ref": "#/$defs/Moderation" } }, "required": [ "openAIModeration" ] }, { "type": "object", "properties": { "bedrockGuardrails": { "$ref": "#/$defs/BedrockGuardrails" } }, "required": [ "bedrockGuardrails" ] }, { "type": "object", "properties": { "googleModelArmor": { "$ref": "#/$defs/GoogleModelArmor" } }, "required": [ "googleModelArmor" ] } ] }, "RequestRejection": { "type": "object", "properties": { "body": { "$ref": "#/$defs/Bytes", "default": "The request was rejected due to inappropriate content" }, "status": { "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535, "default": 403 }, "headers": { "description": "Optional headers to add, set, or remove from the rejection response", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ] } }, "additionalProperties": false }, "RegexRules": { "type": "object", "properties": { "action": { "$ref": "#/$defs/Action", "default": "mask" }, "rules": { "type": "array", "items": { "$ref": "#/$defs/RegexRule" } } }, "additionalProperties": false, "required": [ "rules" ] }, "Action": { "type": "string", "enum": [ "mask", "reject" ] }, "RegexRule": { "anyOf": [ { "type": "object", "properties": { "builtin": { "$ref": "#/$defs/Builtin" } }, "additionalProperties": false, "required": [ "builtin" ] }, { "type": "object", "properties": { "pattern": { "type": "string" } }, "additionalProperties": false, "required": [ "pattern" ] } ] }, "Builtin": { "type": "string", "enum": [ "ssn", "creditCard", "phoneNumber", "email", "caSin" ] }, "Webhook": { "type": "object", 
"properties": { "target": { "$ref": "#/$defs/SimpleLocalBackend" }, "forwardHeaderMatches": { "type": "array", "items": { "$ref": "#/$defs/HeaderMatch" } } }, "additionalProperties": false, "required": [ "target" ] }, "Moderation": { "type": "object", "properties": { "model": { "description": "Model to use. Defaults to `omni-moderation-latest`", "type": [ "string", "null" ] }, "policies": { "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false }, "SimpleLocalBackendPolicies": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Headers to be modified in the request.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaderModifier": { "description": "Headers to be modified in the response.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "requestRedirect": { "description": "Directly respond to the request with a redirect.", "anyOf": [ { "$ref": "#/$defs/RequestRedirect" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify requests and responses sent to and from the backend.", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "Send TLS to the backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendAuth": { "description": "Authenticate to the backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuth" }, { "type": "null" } ], "default": null }, "http": { "description": "Specify HTTP settings for the backend", "anyOf": [ { "$ref": "#/$defs/HTTP" }, { "type": "null" } ], "default": null }, "tcp": { "description": "Specify TCP settings for the backend", "anyOf": [ { "$ref": "#/$defs/TCP" }, { "type": "null" } ], "default": null }, "health": { "description": "Health policy for backend outlier detection; evicts on unhealthy responses based on CEL 
condition and configurable duration.", "anyOf": [ { "$ref": "#/$defs/LocalHealthPolicy" }, { "type": "null" } ], "default": null }, "backendTunnel": { "description": "Specify a tunnel to use when connecting to the backend", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalTransformationConfig": { "type": "object", "properties": { "request": { "anyOf": [ { "$ref": "#/$defs/LocalTransform" }, { "type": "null" } ] }, "response": { "anyOf": [ { "$ref": "#/$defs/LocalTransform" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalTransform": { "type": "object", "properties": { "add": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} }, "set": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} }, "remove": { "type": "array", "items": { "type": "string" }, "default": [] }, "body": { "type": [ "string", "null" ], "default": null }, "metadata": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} } }, "additionalProperties": false }, "LocalBackendTLS": { "type": "object", "properties": { "cert": { "type": [ "string", "null" ] }, "key": { "type": [ "string", "null" ] }, "root": { "type": [ "string", "null" ] }, "hostname": { "type": [ "string", "null" ] }, "insecure": { "type": "boolean", "default": false }, "insecureHost": { "type": "boolean", "default": false }, "alpn": { "type": [ "array", "null" ], "items": { "type": "string" }, "default": null }, "subjectAltNames": { "type": [ "array", "null" ], "items": { "type": "string" }, "default": null } }, "additionalProperties": false }, "BackendAuth": { "oneOf": [ { "type": "object", "properties": { "passthrough": { "type": "object", "additionalProperties": false } }, "required": [ "passthrough" ], "additionalProperties": false }, { "type": "object", "properties": { "key": { "$ref": "#/$defs/FileOrInline" } }, "required": [ "key" ], "additionalProperties": 
false }, { "type": "object", "properties": { "gcp": { "$ref": "#/$defs/GcpAuth" } }, "required": [ "gcp" ], "additionalProperties": false }, { "type": "object", "properties": { "aws": { "$ref": "#/$defs/AwsAuth" } }, "required": [ "aws" ], "additionalProperties": false }, { "type": "object", "properties": { "azure": { "$ref": "#/$defs/AzureAuth" } }, "required": [ "azure" ], "additionalProperties": false } ] }, "FileOrInline": { "anyOf": [ { "type": "object", "properties": { "file": { "type": "string" } }, "required": [ "file" ] }, { "type": "string" } ] }, "GcpAuth": { "anyOf": [ { "description": "Fetch an id token", "type": "object", "properties": { "type": { "$ref": "#/$defs/IdToken" }, "audience": { "description": "Audience for the token. If not set, the destination host will be used.", "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "type" ] }, { "description": "Fetch an access token", "type": "object", "properties": { "type": { "anyOf": [ { "$ref": "#/$defs/AccessToken" }, { "type": "null" } ], "default": null } }, "additionalProperties": false } ] }, "IdToken": { "type": "string", "format": "const", "const": "idToken" }, "AccessToken": { "type": "string", "format": "const", "const": "accessToken" }, "AwsAuth": { "anyOf": [ { "description": "Use explicit AWS credentials", "type": "object", "properties": { "accessKeyId": { "type": "string" }, "secretAccessKey": { "type": "string" }, "region": { "type": [ "string", "null" ] }, "sessionToken": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "accessKeyId", "secretAccessKey" ] }, { "description": "Use implicit AWS authentication (environment variables, IAM roles, etc.)", "type": "object", "additionalProperties": false } ] }, "AzureAuth": { "oneOf": [ { "description": "Use explicit Azure credentials", "type": "object", "properties": { "explicitConfig": { "type": "object", "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { 
"clientSecret": { "type": "object", "properties": { "tenant_id": { "type": "string" }, "client_id": { "type": "string" }, "client_secret": { "type": "string" } }, "additionalProperties": false, "required": [ "tenant_id", "client_id", "client_secret" ] } }, "required": [ "clientSecret" ] }, { "type": "object", "properties": { "managedIdentity": { "type": "object", "properties": { "userAssignedIdentity": { "anyOf": [ { "$ref": "#/$defs/AzureUserAssignedIdentity" }, { "type": "null" } ] } }, "additionalProperties": false } }, "required": [ "managedIdentity" ] }, { "type": "object", "properties": { "workloadIdentity": { "type": "object", "additionalProperties": false } }, "required": [ "workloadIdentity" ] } ] } }, "required": [ "explicitConfig" ], "additionalProperties": false }, { "description": "Use implicit Azure auth. Note that this is for developer use-cases only!", "type": "object", "properties": { "developerImplicit": { "type": "object", "additionalProperties": false } }, "required": [ "developerImplicit" ], "additionalProperties": false }, { "description": "Automatically detect authentication method based on environment.\nUses Workload Identity on K8s, Managed Identity on Azure VMs, or Developer Tools locally.", "type": "object", "properties": { "implicit": { "type": "object", "additionalProperties": false } }, "required": [ "implicit" ], "additionalProperties": false } ] }, "AzureUserAssignedIdentity": { "oneOf": [ { "type": "object", "properties": { "clientId": { "type": "string" } }, "required": [ "clientId" ], "additionalProperties": false }, { "type": "object", "properties": { "objectId": { "type": "string" } }, "required": [ "objectId" ], "additionalProperties": false }, { "type": "object", "properties": { "resourceId": { "type": "string" } }, "required": [ "resourceId" ], "additionalProperties": false } ] }, "HTTP": { "type": "object", "properties": { "version": { "type": [ "string", "null" ], "default": null }, "requestTimeout": { "type": [ "string", 
"null" ] } }, "additionalProperties": false }, "TCP": { "type": "object", "properties": { "keepalives": { "$ref": "#/$defs/KeepaliveConfig" }, "connectTimeout": { "$ref": "#/$defs/Duration" } }, "additionalProperties": false, "required": [ "keepalives", "connectTimeout" ] }, "Duration": { "type": "object", "properties": { "secs": { "type": "integer", "format": "uint64", "minimum": 0 }, "nanos": { "type": "integer", "format": "uint32", "minimum": 0 } }, "required": [ "secs", "nanos" ] }, "LocalHealthPolicy": { "description": "Local/config health policy with CEL as string; converted to Policy by compiling the expression.\nMirrors the proto `Health` message structure.", "type": "object", "properties": { "unhealthyExpression": { "description": "CEL expression; `true` means unhealthy (evict). E.g. `response.code >= 500`.\nWhen unset, any 5xx or connection failure is treated as unhealthy.", "type": [ "string", "null" ] }, "eviction": { "anyOf": [ { "$ref": "#/$defs/LocalEviction" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalEviction": { "description": "Local/config eviction sub-policy with duration as string; mirrors `Eviction`.", "type": "object", "properties": { "duration": { "type": [ "string", "null" ] }, "restoreHealth": { "type": [ "number", "null" ], "format": "double" }, "consecutiveFailures": { "type": [ "integer", "null" ], "format": "int32" }, "healthThreshold": { "type": [ "number", "null" ], "format": "double" } }, "additionalProperties": false }, "Tunnel": { "type": "object", "properties": { "proxy": { "description": "Reference to the proxy address", "$ref": "#/$defs/SimpleLocalBackend" } }, "additionalProperties": false, "required": [ "proxy" ] }, "BedrockGuardrails": { "description": "Configuration for AWS Bedrock Guardrails integration.", "type": "object", "properties": { "guardrailIdentifier": { "description": "The unique identifier of the guardrail", "type": "string" }, "guardrailVersion": { "description": "The version of the 
guardrail", "type": "string" }, "region": { "description": "AWS region where the guardrail is deployed", "type": "string" }, "policies": { "description": "Backend policies for AWS authentication (optional, defaults to implicit AWS auth)", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "guardrailIdentifier", "guardrailVersion", "region" ] }, "GoogleModelArmor": { "description": "Configuration for Google Cloud Model Armor integration.", "type": "object", "properties": { "templateId": { "description": "The template ID for the Model Armor configuration", "type": "string" }, "projectId": { "description": "The GCP project ID", "type": "string" }, "location": { "description": "The GCP region (default: us-central1)", "type": [ "string", "null" ] }, "policies": { "description": "Backend policies for GCP authentication (optional, defaults to implicit GCP auth)", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "templateId", "projectId" ] }, "ResponseGuard": { "type": "object", "properties": { "rejection": { "$ref": "#/$defs/RequestRejection", "default": { "body": "The request was rejected due to inappropriate content", "status": 403 } } }, "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "regex": { "$ref": "#/$defs/RegexRules" } }, "required": [ "regex" ] }, { "type": "object", "properties": { "webhook": { "$ref": "#/$defs/Webhook" } }, "required": [ "webhook" ] }, { "type": "object", "properties": { "bedrockGuardrails": { "$ref": "#/$defs/BedrockGuardrails" } }, "required": [ "bedrockGuardrails" ] }, { "type": "object", "properties": { "googleModelArmor": { "$ref": "#/$defs/GoogleModelArmor" } }, "required": [ "googleModelArmor" ] } ] }, "Expression": { "type": "string" }, "PromptEnrichment": { "type": "object", "properties": { "append": { "type": "array", "items": { "$ref": 
"#/$defs/SimpleChatCompletionMessage" } }, "prepend": { "type": "array", "items": { "$ref": "#/$defs/SimpleChatCompletionMessage" } } }, "additionalProperties": false, "minProperties": 1 }, "SimpleChatCompletionMessage": { "description": "SimpleChatCompletionMessage is a simplified chat message", "type": "object", "properties": { "role": { "type": "string" }, "content": { "type": "string" } }, "additionalProperties": false, "required": [ "role", "content" ] }, "PromptCachingConfig": { "type": "object", "properties": { "cacheSystem": { "type": "boolean", "default": true }, "cacheMessages": { "type": "boolean", "default": true }, "cacheTools": { "type": "boolean", "default": false }, "minTokens": { "type": [ "integer", "null" ], "format": "uint", "minimum": 0, "default": 1024 } }, "additionalProperties": false }, "RouteType": { "oneOf": [ { "description": "OpenAI /v1/chat/completions", "type": "string", "const": "completions" }, { "description": "Anthropic /v1/messages", "type": "string", "const": "messages" }, { "description": "OpenAI /v1/models", "type": "string", "const": "models" }, { "description": "Send the request to the upstream LLM provider as-is", "type": "string", "const": "passthrough" }, { "description": "Send the request to the upstream LLM provider as-is but attempt to extract information from it\nand apply a subset of policies (rate limit and telemetry; no guardrails).", "type": "string", "const": "detect" }, { "description": "OpenAI /responses", "type": "string", "const": "responses" }, { "description": "OpenAI /embeddings", "type": "string", "const": "embeddings" }, { "description": "OpenAI /realtime (websockets)", "type": "string", "const": "realtime" }, { "description": "Anthropic /v1/messages/count_tokens", "type": "string", "const": "anthropicTokenCount" } ] }, "RateLimitSpec": { "type": "object", "properties": { "maxTokens": { "type": "integer", "format": "uint64", "minimum": 0, "default": 0 }, "tokensPerFill": { "type": "integer", "format": 
"uint64", "minimum": 0, "default": 0 }, "fillInterval": { "type": "string" }, "type": { "$ref": "#/$defs/RateLimitType", "default": "requests" } }, "additionalProperties": false, "required": [ "fillInterval" ] }, "RateLimitType": { "type": "string", "enum": [ "requests", "tokens" ] }, "RemoteRateLimit": { "type": "object", "properties": { "domain": { "type": "string" }, "policies": { "description": "Policies to connect to the backend", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "descriptors": { "$ref": "#/$defs/DescriptorSet" }, "failureMode": { "description": "Behavior when the remote rate limit service is unavailable or returns an error.\nDefaults to failClosed, denying requests with a 500 status on service failure.", "$ref": "#/$defs/FailureMode", "default": "failClosed" } }, "required": [ "domain", "descriptors" ], "unevaluatedProperties": false, "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "DescriptorSet": { "type": "array", "items": { "$ref": "#/$defs/DescriptorEntry" } }, "DescriptorEntry": { "type": "object", "properties": { "entries": { "type": "array", "items": { "$ref": "#/$defs/KV" } }, "type": { "$ref": "#/$defs/RateLimitType", "default": "requests" } }, "additionalProperties": false, "required": [ "entries" ] }, "KV": { "type": "object", "properties": { "key": { "type": "string" }, "value": { "type": "string" } }, "required": [ "key", "value" ] }, "FailureMode": { "description": "Defines how the proxy behaves when the remote rate limit service is\nunavailable or returns an error.\n\nDefaults to `FailClosed`. When failing closed, a 500 Internal Server Error\nis returned when the service is unavailable. When failing open, requests are\nallowed through despite the service failure.\n\n# Configuration\n\nBoth camelCase (`failOpen`, `failClosed`) and PascalCase (`FailOpen`,\n`FailClosed`) are accepted in configuration files.", "oneOf": [ { "description": "Deny the request with a 500 status when the rate limit service is unavailable (default).", "type": "string", "const": "failClosed" }, { "description": "Allow the request through when the rate limit service is unavailable.", "type": "string", "const": "failOpen" } ] }, "LocalJwtConfig": { "anyOf": [ { "type": "object", "properties": { "mode": { "$ref": "#/$defs/Mode", "default": "optional" }, "providers": { "type": "array", "items": { "$ref": "#/$defs/ProviderConfig" } } }, "additionalProperties": false, "required": [ "providers" ] }, { "type": "object", "properties": { "mode": { "$ref": "#/$defs/Mode", "default": "optional" }, "issuer": { "type": "string" }, "audiences": { "type": [ "array", "null" ], "items": { "type": "string" } }, "jwks": { "$ref": "#/$defs/FileInlineOrRemote" }, "jwtValidationOptions": { "$ref": "#/$defs/JWTValidationOptions", "default": { "requiredClaims": [ "exp" ]
} } }, "additionalProperties": false, "required": [ "issuer", "jwks" ] } ] }, "Mode": { "oneOf": [ { "description": "A valid token, issued by a configured issuer, must be present.", "type": "string", "const": "strict" }, { "description": "If a token exists, validate it.\nThis is the default option.\nWarning: this allows requests without a JWT token!", "type": "string", "const": "optional" }, { "description": "Requests are never rejected. This is useful for usage of claims in later steps (authorization, logging, etc).\nWarning: this allows requests without a JWT token!", "type": "string", "const": "permissive" } ] }, "ProviderConfig": { "type": "object", "properties": { "issuer": { "type": "string" }, "audiences": { "type": [ "array", "null" ], "items": { "type": "string" } }, "jwks": { "$ref": "#/$defs/FileInlineOrRemote" }, "jwtValidationOptions": { "$ref": "#/$defs/JWTValidationOptions", "default": { "requiredClaims": [ "exp" ] } } }, "additionalProperties": false, "required": [ "issuer", "jwks" ] }, "LocalOidcConfig": { "description": "Browser-based OIDC authentication policy.\n\nExplicit mode is still OIDC: it supplies provider metadata manually instead of using discovery.\nUnauthenticated non-callback requests always redirect to the provider login flow. Routes that\nneed non-redirect authentication behavior should use a different auth policy.", "type": "object", "properties": { "issuer": { "description": "Issuer used for discovery and ID token validation.", "type": "string" }, "discovery": { "description": "Optional discovery document override. 
If omitted, discovery uses\n`${issuer}/.well-known/openid-configuration`.", "anyOf": [ { "$ref": "#/$defs/FileInlineOrRemote" }, { "type": "null" } ] }, "authorizationEndpoint": { "description": "Authorization endpoint used to start the browser login flow.", "type": [ "string", "null" ], "default": null }, "tokenEndpoint": { "description": "Token endpoint used to exchange the authorization code.", "type": [ "string", "null" ], "default": null }, "tokenEndpointAuth": { "description": "Token endpoint client authentication method for explicit provider configuration.\n\nDiscovery mode derives this from provider metadata. Explicit mode defaults to\n`clientSecretBasic` when omitted.", "anyOf": [ { "$ref": "#/$defs/TokenEndpointAuth" }, { "type": "null" } ], "default": null }, "jwks": { "description": "JWKS source used to validate returned ID tokens.", "anyOf": [ { "$ref": "#/$defs/FileInlineOrRemote" }, { "type": "null" } ] }, "clientId": { "description": "OAuth2 client identifier used for authorization and token exchange.", "type": "string" }, "clientSecret": { "description": "OAuth2 client secret used for token exchange.", "type": "string" }, "redirectURI": { "description": "Absolute callback URI handled by the gateway.\nThis policy always redirects unauthenticated non-callback requests back through this login\nflow.", "type": "string" }, "scopes": { "description": "Additional OAuth2 scopes to request. 
`openid` is always included.", "type": "array", "items": { "type": "string" }, "default": [] } }, "additionalProperties": false, "required": [ "issuer", "clientId", "clientSecret", "redirectURI" ] }, "TokenEndpointAuth": { "type": "string", "enum": [ "clientSecretBasic", "clientSecretPost" ] }, "LocalBasicAuth": { "type": "object", "properties": { "htpasswd": { "description": ".htpasswd file contents/reference", "$ref": "#/$defs/FileOrInline" }, "realm": { "description": "Realm name for the WWW-Authenticate header", "type": [ "string", "null" ], "default": null }, "mode": { "description": "Validation mode for basic authentication", "$ref": "#/$defs/Mode2", "default": "optional" } }, "additionalProperties": false, "required": [ "htpasswd" ] }, "Mode2": { "description": "Validation mode for basic authentication", "oneOf": [ { "description": "A valid username/password must be present.", "type": "string", "const": "strict" }, { "description": "If credentials exist, validate them.\nThis is the default option.\nWarning: this allows requests without credentials!", "type": "string", "const": "optional" } ] }, "LocalAPIKeys": { "type": "object", "properties": { "keys": { "description": "List of API keys", "type": "array", "items": { "$ref": "#/$defs/LocalAPIKey" } }, "mode": { "description": "Validation mode for API keys", "$ref": "#/$defs/Mode3", "default": "optional" } }, "additionalProperties": false, "required": [ "keys" ] }, "LocalAPIKey": { "type": "object", "properties": { "key": { "$ref": "#/$defs/APIKey" }, "metadata": true }, "additionalProperties": false, "required": [ "key" ] }, "APIKey": { "type": "string" }, "Mode3": { "description": "Validation mode for API Key authentication", "oneOf": [ { "description": "A valid API Key must be present.", "type": "string", "const": "strict" }, { "description": "If credentials exist, validate them.\nThis is the default option.\nWarning: this allows requests without credentials!", "type": "string", "const": "optional" } ] }, 
"ExtAuthz": { "type": "object", "properties": { "policies": { "description": "Policies to connect to the backend", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "protocol": { "description": "The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended.", "$ref": "#/$defs/Protocol2", "default": { "grpc": {} } }, "failureMode": { "description": "Behavior when the authorization service is unavailable or returns an error", "$ref": "#/$defs/FailureMode2", "default": "deny" }, "includeRequestHeaders": { "description": "Specific headers to include in the authorization request.\nIf unset, the gRPC protocol sends all request headers. The HTTP protocol sends only 'Authorization'.", "type": "array", "items": { "$ref": "#/$defs/HeaderOrPseudo" } }, "includeRequestBody": { "description": "Options for including the request body in the authorization request", "anyOf": [ { "$ref": "#/$defs/BodyOptions" }, { "type": "null" } ] } }, "unevaluatedProperties": false, "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "Protocol2": { "oneOf": [ { "type": "object", "properties": { "grpc": { "type": "object", "properties": { "context": { "description": "Additional context to send to the authorization service.\nThis maps to the `context_extensions` field of the request, and only allows static values.", "type": [ "object", "null" ], "additionalProperties": { "type": "string" } }, "metadata": { "description": "Additional metadata to send to the authorization service.\nThis maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions.\nIf unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } } }, "additionalProperties": false } }, "required": [ "grpc" ], "additionalProperties": false }, { "type": "object", "properties": { "http": { "type": "object", "properties": { "path": { "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "redirect": { "description": "When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by\nthe provided expression rather than directly returning the error.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "includeResponseHeaders": { "description": "Specific headers from the authorization response will be copied into the request to the backend.", "type": "array", "items": { "type": "string" } }, "addRequestHeaders": { "description": "Specific headers to add in the authorization request (empty = all headers), based on the expression", "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } }, "metadata": { "description": "Metadata to include under the `extauthz` variable, based on the authorization response.", "type": "object", "additionalProperties": { "$ref": 
"#/$defs/Expression" } } }, "additionalProperties": false } }, "required": [ "http" ], "additionalProperties": false } ] }, "FailureMode2": { "oneOf": [ { "type": "string", "enum": [ "allow", "deny" ] }, { "type": "object", "properties": { "denyWithStatus": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "required": [ "denyWithStatus" ], "additionalProperties": false } ] }, "HeaderOrPseudo": { "type": "string" }, "BodyOptions": { "type": "object", "properties": { "maxRequestBytes": { "description": "Maximum size of request body to buffer (default: 8192)", "type": "integer", "format": "uint32", "minimum": 0, "default": 0 }, "allowPartialMessage": { "description": "If true, send partial body when max_request_bytes is reached", "type": "boolean", "default": false }, "packAsBytes": { "description": "If true, pack body as raw bytes in gRPC", "type": "boolean", "default": false } }, "additionalProperties": false }, "ExtProc": { "type": "object", "properties": { "policies": { "description": "Policies to connect to the backend", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when the ext_proc service is unavailable or returns an error", "$ref": "#/$defs/FailureMode3", "default": "failClosed" }, "metadataContext": { "description": "Additional metadata to send to the external processing service.\nMaps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } } }, "requestAttributes": { "description": "Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "responseAttributes": { "description": "Maps to the response `attributes` field in ProcessingRequest, and 
allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } } }, "unevaluatedProperties": false, "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "FailureMode3": { "type": "string", "enum": [ "failClosed", "failOpen" ] }, "Csrf": { "type": "object", "properties": { "additionalOrigins": { "type": "array", "uniqueItems": true, "items": { "type": "string" }, "default": [] } }, "additionalProperties": false }, "Policy2": { "type": "object", "properties": { "requestTimeout": { "type": [ "string", "null" ] }, "backendRequestTimeout": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "Policy3": { "type": "object", "properties": { "attempts": { "type": "integer", "format": "uint8", "minimum": 1, "maximum": 255, "default": 1 }, "backoff": { "type": [ "string", "null" ] }, "codes": { "type": "array", "items": { "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535 } } }, "additionalProperties": false, "required": [ "codes" ] }, "LocalRouteBackend": { "type": "object", "properties": { "weight": { "type": "integer", "format": "uint", "minimum": 0, "default": 1 }, "policies": { "anyOf": [ { "$ref": 
"#/$defs/LocalBackendPolicies" }, { "type": "null" } ] } }, "unevaluatedProperties": false, "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "type": "object", "properties": { "backend": { "type": "string" } }, "required": [ "backend" ] }, { "type": "object", "properties": { "host": { "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "dynamic": { "type": "object", "additionalProperties": false } }, "required": [ "dynamic" ] }, { "type": "object", "properties": { "mcp": { "$ref": "#/$defs/LocalMcpBackend" } }, "required": [ "mcp" ] }, { "type": "object", "properties": { "ai": { "$ref": "#/$defs/LocalAIBackend" } }, "required": [ "ai" ] }, { "type": "object", "properties": { "aws": { "$ref": "#/$defs/LocalAwsBackend" } }, "required": [ "aws" ] } ] }, "LocalMcpBackend": { "type": "object", "properties": { "targets": { "type": "array", "items": { "$ref": "#/$defs/LocalMcpTarget" } }, "statefulMode": { "$ref": "#/$defs/McpStatefulMode" }, "prefixMode": { "anyOf": [ { "$ref": "#/$defs/McpPrefixMode" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when one or more MCP targets fail to initialize or fail during fanout.\nDefaults to `failClosed`.", "anyOf": [ { "$ref": "#/$defs/FailureMode4" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "targets" ] }, "LocalMcpTarget": { "type": "object", "properties": { "name": { "type": "string" }, "policies": { "anyOf": [ { "$ref": "#/$defs/MCPLocalBackendPolicies" }, { "type": "null" } ] } }, "required": [ "name" ], "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "sse": { "type": "object", "properties": { 
"host": { "type": "string" }, "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "path": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "host" ] } }, "required": [ "sse" ] }, { "type": "object", "properties": { "mcp": { "type": "object", "properties": { "host": { "type": "string" }, "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "path": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "host" ] } }, "required": [ "mcp" ] }, { "type": "object", "properties": { "stdio": { "type": "object", "properties": { "cmd": { "type": "string" }, "args": { "type": "array", "items": { "type": "string" } }, "env": { "type": "object", "additionalProperties": { "type": "string" } } }, "additionalProperties": false, "required": [ "cmd" ] } }, "required": [ "stdio" ] }, { "type": "object", "properties": { "openapi": { "type": "object", "properties": { "host": { "type": "string" }, "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "path": { "type": [ "string", "null" ] }, "schema": { "$ref": "#/$defs/FileInlineOrRemote" } }, "additionalProperties": false, "required": [ "host", "schema" ] } }, "required": [ "openapi" ] } ] }, "MCPLocalBackendPolicies": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Headers to be modified in the request.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaderModifier": { "description": "Headers to be modified in the response.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "requestRedirect": { "description": "Directly respond to the request with a redirect.", "anyOf": [ { "$ref": "#/$defs/RequestRedirect" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify requests and responses sent to and from 
the backend.", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "Send TLS to the backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendAuth": { "description": "Authenticate to the backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuth" }, { "type": "null" } ], "default": null }, "http": { "description": "Specify HTTP settings for the backend", "anyOf": [ { "$ref": "#/$defs/HTTP" }, { "type": "null" } ], "default": null }, "tcp": { "description": "Specify TCP settings for the backend", "anyOf": [ { "$ref": "#/$defs/TCP" }, { "type": "null" } ], "default": null }, "health": { "description": "Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration.", "anyOf": [ { "$ref": "#/$defs/LocalHealthPolicy" }, { "type": "null" } ], "default": null }, "backendTunnel": { "description": "Specify a tunnel to use when connecting to the backend", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "mcpAuthorization": { "description": "Authorization policies for MCP access.", "anyOf": [ { "$ref": "#/$defs/McpAuthorization" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "McpStatefulMode": { "type": "string", "enum": [ "stateless", "stateful" ] }, "McpPrefixMode": { "type": "string", "enum": [ "always", "conditional" ] }, "FailureMode4": { "oneOf": [ { "description": "Fail the entire session if any target fails to initialize or any\nupstream fails during a fanout. 
This is the default and matches\ncurrent behavior.", "type": "string", "const": "failClosed" }, { "description": "Skip failed targets/upstreams and continue serving from healthy ones.\nIf ALL targets fail, still return an error.", "type": "string", "const": "failOpen" } ] }, "LocalAIBackend": { "anyOf": [ { "$ref": "#/$defs/LocalNamedAIProvider" }, { "type": "object", "properties": { "groups": { "type": "array", "items": { "$ref": "#/$defs/LocalAIProviders" } } }, "additionalProperties": false, "required": [ "groups" ] } ] }, "LocalNamedAIProvider": { "type": "object", "properties": { "name": { "type": "string" }, "provider": { "$ref": "#/$defs/AIProvider" }, "hostOverride": { "description": "Override the upstream host for this provider.", "type": [ "string", "null" ] }, "pathOverride": { "description": "Override the upstream path for this provider.", "type": [ "string", "null" ] }, "pathPrefix": { "description": "Override the default base path prefix for this provider.", "type": [ "string", "null" ] }, "tokenize": { "description": "Whether to tokenize on the request flow. 
This enables us to do more accurate rate limits,\nsince we know (part of) the cost of the request upfront.\nThis comes with the cost of an expensive operation.", "type": "boolean", "default": false }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "name", "provider" ] }, "AIProvider": { "oneOf": [ { "type": "object", "properties": { "openAI": { "$ref": "#/$defs/Provider" } }, "required": [ "openAI" ], "additionalProperties": false }, { "type": "object", "properties": { "gemini": { "$ref": "#/$defs/Provider2" } }, "required": [ "gemini" ], "additionalProperties": false }, { "type": "object", "properties": { "vertex": { "$ref": "#/$defs/Provider3" } }, "required": [ "vertex" ], "additionalProperties": false }, { "type": "object", "properties": { "anthropic": { "$ref": "#/$defs/Provider4" } }, "required": [ "anthropic" ], "additionalProperties": false }, { "type": "object", "properties": { "bedrock": { "$ref": "#/$defs/Provider5" } }, "required": [ "bedrock" ], "additionalProperties": false }, { "type": "object", "properties": { "azureOpenAI": { "$ref": "#/$defs/Provider6" } }, "required": [ "azureOpenAI" ], "additionalProperties": false } ] }, "Provider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "Provider2": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] } } }, "Provider3": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] }, "region": { "type": [ "string", "null" ] }, "projectId": { "type": "string" } }, "additionalProperties": false, "required": [ "projectId" ] }, "Provider4": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "Provider5": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] }, "region": { "type": "string" }, "guardrailIdentifier": { "type": [ 
"string", "null" ] }, "guardrailVersion": { "type": [ "string", "null" ] } }, "required": [ "region" ] }, "Provider6": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] }, "host": { "type": "string" }, "apiVersion": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "host" ] }, "LocalBackendPolicies": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Headers to be modified in the request.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaderModifier": { "description": "Headers to be modified in the response.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "requestRedirect": { "description": "Directly respond to the request with a redirect.", "anyOf": [ { "$ref": "#/$defs/RequestRedirect" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify requests and responses sent to and from the backend.", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "Send TLS to the backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendAuth": { "description": "Authenticate to the backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuth" }, { "type": "null" } ], "default": null }, "http": { "description": "Specify HTTP settings for the backend", "anyOf": [ { "$ref": "#/$defs/HTTP" }, { "type": "null" } ], "default": null }, "tcp": { "description": "Specify TCP settings for the backend", "anyOf": [ { "$ref": "#/$defs/TCP" }, { "type": "null" } ], "default": null }, "health": { "description": "Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration.", "anyOf": [ { "$ref": "#/$defs/LocalHealthPolicy" }, { "type": "null" } ], "default": null }, "backendTunnel": { "description": "Specify a tunnel to 
use when connecting to the backend", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "mcpAuthorization": { "description": "Authorization policies for MCP access.", "anyOf": [ { "$ref": "#/$defs/McpAuthorization" }, { "type": "null" } ], "default": null }, "a2a": { "description": "Mark this traffic as A2A to enable A2A processing and telemetry.", "anyOf": [ { "$ref": "#/$defs/A2aPolicy" }, { "type": "null" } ], "default": null }, "ai": { "description": "Mark this as LLM traffic to enable LLM processing.", "anyOf": [ { "$ref": "#/$defs/Policy" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalAIProviders": { "type": "object", "properties": { "providers": { "type": "array", "items": { "$ref": "#/$defs/LocalNamedAIProvider" } } }, "additionalProperties": false, "required": [ "providers" ] }, "LocalAwsBackend": { "type": "object", "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "agentCore": { "$ref": "#/$defs/LocalAgentCoreBackend" } }, "required": [ "agentCore" ] } ] }, "LocalAgentCoreBackend": { "type": "object", "properties": { "agentRuntimeArn": { "type": "string" }, "qualifier": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "agentRuntimeArn" ] }, "LocalTCPRoute": { "type": "object", "properties": { "name": { "type": [ "string", "null" ], "default": null }, "namespace": { "type": [ "string", "null" ], "default": null }, "ruleName": { "type": [ "string", "null" ], "default": null }, "hostnames": { "description": "Can be a wildcard", "type": "array", "items": { "type": "string" } }, "policies": { "anyOf": [ { "$ref": "#/$defs/TCPFilterOrPolicy" }, { "type": "null" } ] }, "backends": { "type": "array", "items": { "$ref": "#/$defs/LocalTCPRouteBackend" } } }, "additionalProperties": false }, "TCPFilterOrPolicy": { "type": "object", "properties": { "backendTLS": { "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] } }, 
"additionalProperties": false }, "LocalTCPRouteBackend": { "type": "object", "properties": { "weight": { "type": "integer", "format": "uint", "minimum": 0, "default": 1 }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalTCPBackendPolicies" }, { "type": "null" } ] } }, "unevaluatedProperties": false, "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "LocalTCPBackendPolicies": { "type": "object", "properties": { "backendTLS": { "description": "Send TLS to the backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendTunnel": { "description": "Tunnel to the backend.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalGatewayPolicy": { "type": "object", "properties": { "oidc": { "description": "Authenticate incoming browser requests with OIDC authorization code flow.", "anyOf": [ { "$ref": "#/$defs/LocalOidcConfig" }, { "type": "null" } ] }, "jwtAuth": { "description": "Authenticate incoming JWT requests.", "anyOf": [ { "$ref": "#/$defs/LocalJwtConfig" }, { "type": "null" } ] }, "extAuthz": { "description": "Authenticate incoming requests by calling an external authorization server.", "anyOf": [ { "$ref": "#/$defs/ExtAuthz" }, { "type": "null" } ], "default": null }, "extProc": { "description": "Extend agentgateway with an external processor", "anyOf": [ { "$ref": "#/$defs/ExtProc" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify requests and responses", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "basicAuth": { "description": "Authenticate incoming requests using Basic Authentication with htpasswd.", "anyOf": [ { "$ref": "#/$defs/LocalBasicAuth" }, { "type": "null" } ] }, "apiKey": { "description": "Authenticate incoming requests using API Keys", "anyOf": [ { "$ref": "#/$defs/LocalAPIKeys" }, { "type": "null" } ] } }, "additionalProperties": false }, "TunnelProtocol": { "type": "string", "enum": [ "direct", "hboneWaypoint", "hboneGateway", "proxy" ] }, "LocalFrontendPolicies": { "type": "object", "properties": { "http": { "description": "Settings for handling incoming HTTP requests.", "anyOf": [ { 
"$ref": "#/$defs/HTTP2" }, { "type": "null" } ], "default": null }, "tls": { "description": "Settings for handling incoming TLS connections.", "anyOf": [ { "$ref": "#/$defs/TLS" }, { "type": "null" } ], "default": null }, "tcp": { "description": "Settings for handling incoming TCP connections.", "anyOf": [ { "$ref": "#/$defs/TCP2" }, { "type": "null" } ], "default": null }, "networkAuthorization": { "description": "CEL authorization for downstream network connections.", "anyOf": [ { "$ref": "#/$defs/NetworkAuthorization" }, { "type": "null" } ], "default": null }, "accessLog": { "description": "Settings for request access logs.", "anyOf": [ { "$ref": "#/$defs/LoggingPolicy" }, { "type": "null" } ], "default": null }, "tracing": { "anyOf": [ { "$ref": "#/$defs/TracingConfig" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "HTTP2": { "type": "object", "properties": { "maxBufferSize": { "type": "integer", "format": "uint", "minimum": 0, "default": 2097152 }, "http1MaxHeaders": { "description": "The maximum number of headers allowed in a request. 
Changing this value results in a performance\ndegradation, even if set to a lower value than the default (100)", "type": [ "integer", "null" ], "format": "uint", "minimum": 0, "default": null }, "http1IdleTimeout": { "type": "string", "default": "10m0s" }, "http2WindowSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0, "default": null }, "http2ConnectionWindowSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0, "default": null }, "http2FrameSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0, "default": null }, "http2KeepaliveInterval": { "type": [ "string", "null" ], "default": null }, "http2KeepaliveTimeout": { "type": [ "string", "null" ], "default": null } }, "additionalProperties": false }, "TLS": { "type": "object", "properties": { "handshakeTimeout": { "type": "string", "default": "15s" }, "alpn": { "type": [ "array", "null" ], "items": { "type": "array", "items": { "type": "integer", "format": "uint8", "minimum": 0, "maximum": 255 } }, "default": null }, "minVersion": { "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "maxVersion": { "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "cipherSuites": { "type": [ "array", "null" ], "items": { "type": "string" } } }, "additionalProperties": false }, "TCP2": { "type": "object", "properties": { "keepalives": { "$ref": "#/$defs/KeepaliveConfig" } }, "additionalProperties": false, "required": [ "keepalives" ] }, "NetworkAuthorization": { "$ref": "#/$defs/RuleSet" }, "LoggingPolicy": { "type": "object", "properties": { "filter": { "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "add": { "type": "object", "additionalProperties": { "type": "string" } }, "remove": { "type": "array", "uniqueItems": true, "items": { "type": "string" } }, "otlp": { "anyOf": [ { "$ref": "#/$defs/OtlpLoggingConfig" }, { "type": "null" } ] } }, "additionalProperties": false }, "OtlpLoggingConfig": { "type": "object", 
"properties": { "policies": { "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "protocol": { "$ref": "#/$defs/TracingProtocol", "default": "grpc" }, "path": { "type": "string" } }, "unevaluatedProperties": false, "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "TracingProtocol": { "type": "string", "enum": [ "grpc", "http" ] }, "TracingConfig": { "description": "Configuration for dynamic tracing policy", "type": "object", "properties": { "policies": { "description": "Policies to connect to the backend", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "attributes": { "description": "Span attributes to add, keyed by attribute name.", "$ref": "#/$defs/OrderedStringMap_Expression", "default": {} }, "resources": { "description": "Resource attributes to add to the tracer provider (OTel `Resource`).\nThis can be used to set things like `service.name` dynamically.", "$ref": "#/$defs/OrderedStringMap_Expression", "default": {} }, "remove": { "description": "Attribute keys to remove from the emitted span attributes.\n\nThis is applied before `attributes` are evaluated/added, so it can be used to drop\ndefault attributes or 
avoid duplication.", "type": "array", "items": { "type": "string" }, "default": [] }, "randomSampling": { "description": "Optional per-policy override for random sampling. If set, overrides global config for\nrequests that use this frontend policy.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "clientSampling": { "description": "Optional per-policy override for client sampling. If set, overrides global config for\nrequests that use this frontend policy.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "path": { "type": "string", "default": "/v1/traces" }, "protocol": { "$ref": "#/$defs/TracingProtocol", "default": "grpc" } }, "unevaluatedProperties": false, "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "OrderedStringMap_Expression": { "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } }, "LocalPolicy": { "type": "object", "properties": { "name": { "$ref": "#/$defs/ResourceName" }, "target": { "$ref": "#/$defs/PolicyTarget" }, "phase": { "description": "phase defines at what level the policy runs at. 
Gateway policies run pre-routing, while\nRoute policies apply post-routing.\nOnly a subset of policies are eligible as Gateway policies.\nIn general, normal (route level) policies should be used, except when you need the policy to influence\nrouting.", "$ref": "#/$defs/PolicyPhase", "default": "route" }, "policy": { "$ref": "#/$defs/FilterOrPolicy" } }, "additionalProperties": false, "required": [ "name", "target", "policy" ] }, "ResourceName": { "type": "object", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "additionalProperties": false, "required": [ "name", "namespace" ] }, "PolicyTarget": { "oneOf": [ { "type": "object", "properties": { "gateway": { "$ref": "#/$defs/ListenerTarget" } }, "required": [ "gateway" ], "additionalProperties": false }, { "type": "object", "properties": { "route": { "$ref": "#/$defs/RouteName" } }, "required": [ "route" ], "additionalProperties": false }, { "type": "object", "properties": { "backend": { "$ref": "#/$defs/BackendTarget" } }, "required": [ "backend" ], "additionalProperties": false } ] }, "ListenerTarget": { "type": "object", "properties": { "gatewayName": { "type": "string" }, "gatewayNamespace": { "type": "string" }, "listenerName": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "gatewayName", "gatewayNamespace" ] }, "RouteName": { "type": "object", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" }, "ruleName": { "type": [ "string", "null" ] }, "kind": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "name", "namespace" ] }, "BackendTarget": { "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "type": "object", "properties": { "backend": { "type": "object", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" }, "section": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "name", "namespace" ] } }, "required": [ "backend" ], 
"additionalProperties": false }, { "type": "object", "properties": { "service": { "type": "object", "properties": { "hostname": { "type": "string" }, "namespace": { "type": "string" }, "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "hostname", "namespace" ] } }, "required": [ "service" ], "additionalProperties": false } ] }, "PolicyPhase": { "type": "string", "enum": [ "route", "gateway" ] }, "FullLocalBackend": { "type": "object", "properties": { "name": { "type": "string" }, "host": { "type": "string" }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "name", "host" ] }, "LocalLLMConfig": { "type": "object", "properties": { "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "models": { "description": "models defines the set of models that can be served by this gateway. The model name refers to the\nmodel in the user's request that is matched; the model sent to the actual LLM can be overridden\non a per-model basis.", "type": "array", "items": { "$ref": "#/$defs/LocalLLMModels" } }, "policies": { "description": "policies defines policies for handling incoming requests, before a model is selected", "anyOf": [ { "$ref": "#/$defs/LocalLLMPolicy" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "models" ] }, "LocalLLMModels": { "type": "object", "properties": { "name": { "description": "name is the name of the model we are matching from a user's request. If params.model is set, that\nwill be used in the request to the LLM provider. 
If not, the incoming model is used.", "type": "string" }, "params": { "description": "params customizes parameters for the outgoing request", "$ref": "#/$defs/LocalLLMParams" }, "provider": { "description": "provider of the LLM we are connecting to", "$ref": "#/$defs/LocalModelAIProvider" }, "defaults": { "description": "defaults allows setting default values for the request. If these are not present in the request body, they will be set.\nTo override even when set, use `overrides`.", "type": [ "object", "null" ], "additionalProperties": true }, "overrides": { "description": "overrides allows setting values for the request, overriding any existing values", "type": [ "object", "null" ], "additionalProperties": true }, "transformation": { "description": "transformation allows setting values from CEL expressions for the request, overriding any existing values.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "requestHeaders": { "description": "requestHeaders modifies headers in requests to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaders": { "description": "responseHeaders modifies headers in responses from the LLM provider.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "backendTLS configures TLS when connecting to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "health": { "description": "health configures outlier detection for this model backend.", "anyOf": [ { "$ref": "#/$defs/LocalHealthPolicy" }, { "type": "null" } ], "default": null }, "backendTunnel": { "description": "backendTunnel configures tunneling when connecting to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "guardrails": { "description": "guardrails to apply to the request or response", "anyOf": [ { 
"$ref": "#/$defs/PromptGuard" }, { "type": "null" } ] }, "matches": { "description": "matches specifies the conditions under which this model should be used in addition to matching the model name.", "type": "array", "items": { "$ref": "#/$defs/LLMRouteMatch" } } }, "additionalProperties": false, "required": [ "name", "provider" ] }, "LocalLLMParams": { "type": "object", "properties": { "model": { "description": "The model to send to the provider.\nIf unset, the same model will be used from the request.", "type": [ "string", "null" ], "default": null }, "apiKey": { "description": "An API key to attach to the request.\nIf unset this will be automatically detected from the environment.", "anyOf": [ { "$ref": "#/$defs/SecretFromFile" }, { "type": "null" } ], "default": null }, "awsRegion": { "type": [ "string", "null" ] }, "vertexRegion": { "type": [ "string", "null" ] }, "vertexProject": { "type": [ "string", "null" ] }, "azureHost": { "description": "For Azure: the host of the deployment", "type": [ "string", "null" ] }, "azureApiVersion": { "description": "For Azure: the API version to use", "type": [ "string", "null" ] }, "hostOverride": { "description": "Override the upstream host for this provider.", "type": [ "string", "null" ], "default": null }, "pathOverride": { "description": "Override the upstream path for this provider.", "type": [ "string", "null" ], "default": null }, "pathPrefix": { "description": "Override the default base path prefix for this provider.", "type": [ "string", "null" ], "default": null }, "tokenize": { "description": "Whether to tokenize the request before forwarding it upstream.", "type": "boolean", "default": false } }, "additionalProperties": false }, "SecretFromFile": { "$ref": "#/$defs/FileOrInline" }, "LocalModelAIProvider": { "type": "string", "enum": [ "openAI", "gemini", "vertex", "anthropic", "bedrock", "azureOpenAI" ] }, "LLMRouteMatch": { "type": "object", "properties": { "headers": { "type": "array", "items": { "$ref": 
"#/$defs/HeaderMatch" } } }, "additionalProperties": false }, "LocalLLMPolicy": { "type": "object", "properties": { "oidc": { "description": "Authenticate incoming browser requests with OIDC authorization code flow.", "anyOf": [ { "$ref": "#/$defs/LocalOidcConfig" }, { "type": "null" } ] }, "jwtAuth": { "description": "Authenticate incoming JWT requests.", "anyOf": [ { "$ref": "#/$defs/LocalJwtConfig" }, { "type": "null" } ] }, "extAuthz": { "description": "Authenticate incoming requests by calling an external authorization server.", "anyOf": [ { "$ref": "#/$defs/ExtAuthz" }, { "type": "null" } ], "default": null }, "extProc": { "description": "Extend agentgateway with an external processor", "anyOf": [ { "$ref": "#/$defs/ExtProc" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify requests and responses", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "basicAuth": { "description": "Authenticate incoming requests using Basic Authentication with htpasswd.", "anyOf": [ { "$ref": "#/$defs/LocalBasicAuth" }, { "type": "null" } ] }, "apiKey": { "description": "Authenticate incoming requests using API Keys", "anyOf": [ { "$ref": "#/$defs/LocalAPIKeys" }, { "type": "null" } ] }, "authorization": { "description": "Authorization policies for HTTP access.", "anyOf": [ { "$ref": "#/$defs/Authorization" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalSimpleMcpConfig": { "type": "object", "properties": { "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "targets": { "type": "array", "items": { "$ref": "#/$defs/LocalMcpTarget" } }, "statefulMode": { "$ref": "#/$defs/McpStatefulMode" }, "prefixMode": { "anyOf": [ { "$ref": "#/$defs/McpPrefixMode" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when one or more MCP targets fail to initialize or fail during fanout.\nDefaults to 
`failClosed`.", "anyOf": [ { "$ref": "#/$defs/FailureMode4" }, { "type": "null" } ] }, "policies": { "anyOf": [ { "$ref": "#/$defs/FilterOrPolicy" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "targets" ] } } }