Contour's implementation of the Kubernetes Gateway API, supporting HTTPRoute and TLSRoute resources for defining ingress traffic routing rules. Gateway API is the next-generation Kubernetes ingress standard and Contour provides support for GatewayClass, Gateway, HTTPRoute, and related resources.
openapi: 3.1.0
info:
title: Contour Gateway API
description: >-
Contour's implementation of the Kubernetes Gateway API, providing support
for GatewayClass, Gateway, HTTPRoute, TLSRoute, and related resources.
The Gateway API is the next-generation Kubernetes ingress standard, and
Contour implements it alongside the legacy Ingress and HTTPProxy resources.
All resources are managed through the Kubernetes API server using standard
Kubernetes CRD patterns.
version: '1.30.0'
contact:
name: Contour Community
url: https://projectcontour.io/community/
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
description: Contour Gateway API Documentation
url: https://projectcontour.io/docs/1.30/config/gateway-api/
servers:
- url: https://{kubernetes-api-server}
description: Kubernetes API server
variables:
kubernetes-api-server:
default: localhost:6443
description: Address of the Kubernetes API server
tags:
- name: Gateway
description: >-
Namespace-scoped resources that describe network infrastructure instances
that route traffic. Each Gateway is associated with a GatewayClass and
defines listeners for inbound traffic.
- name: GatewayClass
description: >-
Cluster-scoped resources that define the controller responsible for
managing Gateways of a particular class. GatewayClass is analogous to
IngressClass in the legacy Ingress API.
- name: HTTPRoute
description: >-
Namespace-scoped resources that define HTTP routing rules, mapping
HTTP/HTTPS requests to backend Kubernetes services based on host,
path, headers, and other criteria.
- name: TLSRoute
description: >-
Namespace-scoped resources that define TLS routing rules for routing
TLS connections based on SNI hostname to backend services.
paths:
/apis/gateway.networking.k8s.io/v1/gatewayclasses:
get:
operationId: listGatewayClass
summary: Contour List GatewayClass resources
description: >-
Returns all GatewayClass resources in the cluster. GatewayClasses are
cluster-scoped and define which controller (such as Contour) manages
Gateways of that class. Contour registers a GatewayClass for itself
during installation.
tags:
- GatewayClass
parameters:
- $ref: '#/components/parameters/labelSelector'
- $ref: '#/components/parameters/fieldSelector'
responses:
'200':
description: List of GatewayClass resources
content:
application/json:
schema:
$ref: '#/components/schemas/GatewayClassList'
'401':
description: Unauthorized
'403':
description: Forbidden
/apis/gateway.networking.k8s.io/v1/gatewayclasses/{name}:
get:
operationId: readGatewayClass
summary: Contour Get a specific GatewayClass
description: >-
Returns the specified GatewayClass resource including its controller
reference, parameters, and current acceptance status.
tags:
- GatewayClass
parameters:
- $ref: '#/components/parameters/name'
responses:
'200':
description: GatewayClass resource
content:
application/json:
schema:
$ref: '#/components/schemas/GatewayClass'
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: GatewayClass not found
/apis/gateway.networking.k8s.io/v1/namespaces/{namespace}/gateways:
get:
operationId: listNamespacedGateway
summary: Contour List Gateway resources in a namespace
description: >-
Returns all Gateway resources in the specified namespace. Each Gateway
describes network infrastructure with one or more listeners for inbound
traffic, associated with a GatewayClass.
tags:
- Gateway
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/labelSelector'
responses:
'200':
description: List of Gateway resources
content:
application/json:
schema:
$ref: '#/components/schemas/GatewayList'
'401':
description: Unauthorized
'403':
description: Forbidden
post:
operationId: createNamespacedGateway
summary: Contour Create a Gateway resource
description: >-
Creates a new Gateway resource in the specified namespace. Contour will
provision an Envoy instance to handle traffic according to the Gateway's
listener configuration.
tags:
- Gateway
parameters:
- $ref: '#/components/parameters/namespace'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/Gateway'
responses:
'201':
description: Gateway created successfully
content:
application/json:
schema:
$ref: '#/components/schemas/Gateway'
'400':
description: Invalid Gateway specification
'401':
description: Unauthorized
'403':
description: Forbidden
'409':
description: Gateway with this name already exists
/apis/gateway.networking.k8s.io/v1/namespaces/{namespace}/gateways/{name}:
get:
operationId: readNamespacedGateway
summary: Contour Get a specific Gateway resource
description: >-
Returns the specified Gateway resource, including its listeners,
addresses, and current status as reported by the Contour controller.
tags:
- Gateway
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/name'
responses:
'200':
description: Gateway resource
content:
application/json:
schema:
$ref: '#/components/schemas/Gateway'
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Gateway not found
put:
operationId: replaceNamespacedGateway
summary: Contour Replace a Gateway resource
description: >-
Replaces the entire Gateway resource with the provided specification.
tags:
- Gateway
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/name'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/Gateway'
responses:
'200':
description: Gateway updated
content:
application/json:
schema:
$ref: '#/components/schemas/Gateway'
'400':
description: Invalid specification
'401':
description: Unauthorized
'404':
description: Gateway not found
delete:
operationId: deleteNamespacedGateway
summary: Contour Delete a Gateway resource
description: >-
Deletes the specified Gateway resource. Contour will decommission the
associated Envoy infrastructure.
tags:
- Gateway
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/name'
responses:
'200':
description: Gateway deleted
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Gateway not found
/apis/gateway.networking.k8s.io/v1/namespaces/{namespace}/httproutes:
get:
operationId: listNamespacedHTTPRoute
summary: Contour List HTTPRoute resources in a namespace
description: >-
Returns all HTTPRoute resources in the specified namespace. HTTPRoutes
define routing rules for HTTP and HTTPS traffic, attaching to one or
more Gateways.
tags:
- HTTPRoute
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/labelSelector'
responses:
'200':
description: List of HTTPRoute resources
content:
application/json:
schema:
$ref: '#/components/schemas/HTTPRouteList'
'401':
description: Unauthorized
'403':
description: Forbidden
post:
operationId: createNamespacedHTTPRoute
summary: Contour Create an HTTPRoute resource
description: >-
Creates a new HTTPRoute resource that defines HTTP traffic routing
rules and attaches them to a Gateway. The route can match on host,
path, headers, query parameters, and HTTP method.
tags:
- HTTPRoute
parameters:
- $ref: '#/components/parameters/namespace'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/HTTPRoute'
responses:
'201':
description: HTTPRoute created
content:
application/json:
schema:
$ref: '#/components/schemas/HTTPRoute'
'400':
description: Invalid HTTPRoute specification
'401':
description: Unauthorized
'403':
description: Forbidden
/apis/gateway.networking.k8s.io/v1/namespaces/{namespace}/httproutes/{name}:
get:
operationId: readNamespacedHTTPRoute
summary: Contour Get a specific HTTPRoute resource
description: >-
Returns the specified HTTPRoute resource, including its routing rules
and current status conditions.
tags:
- HTTPRoute
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/name'
responses:
'200':
description: HTTPRoute resource
content:
application/json:
schema:
$ref: '#/components/schemas/HTTPRoute'
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: HTTPRoute not found
put:
operationId: replaceNamespacedHTTPRoute
summary: Contour Replace an HTTPRoute resource
description: >-
Replaces the entire HTTPRoute resource with the provided specification.
tags:
- HTTPRoute
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/name'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/HTTPRoute'
responses:
'200':
description: HTTPRoute updated
content:
application/json:
schema:
$ref: '#/components/schemas/HTTPRoute'
'400':
description: Invalid specification
'401':
description: Unauthorized
'404':
description: HTTPRoute not found
delete:
operationId: deleteNamespacedHTTPRoute
summary: Contour Delete an HTTPRoute resource
description: >-
Deletes the specified HTTPRoute resource. Contour will remove the
associated routing rules from the Envoy configuration.
tags:
- HTTPRoute
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/name'
responses:
'200':
description: HTTPRoute deleted
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: HTTPRoute not found
/apis/gateway.networking.k8s.io/v1alpha2/namespaces/{namespace}/tlsroutes:
get:
operationId: listNamespacedTLSRoute
summary: Contour List TLSRoute resources in a namespace
description: >-
Returns all TLSRoute resources in the specified namespace. TLSRoutes
define routing rules for TLS connections, routing based on SNI
hostnames to backend services.
tags:
- TLSRoute
parameters:
- $ref: '#/components/parameters/namespace'
- $ref: '#/components/parameters/labelSelector'
responses:
'200':
description: List of TLSRoute resources
content:
application/json:
schema:
$ref: '#/components/schemas/TLSRouteList'
'401':
description: Unauthorized
'403':
description: Forbidden
post:
operationId: createNamespacedTLSRoute
summary: Contour Create a TLSRoute resource
description: >-
Creates a new TLSRoute resource that defines TLS passthrough routing
rules attaching to a Gateway listener.
tags:
- TLSRoute
parameters:
- $ref: '#/components/parameters/namespace'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/TLSRoute'
responses:
'201':
description: TLSRoute created
content:
application/json:
schema:
$ref: '#/components/schemas/TLSRoute'
'400':
description: Invalid TLSRoute specification
'401':
description: Unauthorized
'403':
description: Forbidden
components:
parameters:
namespace:
name: namespace
in: path
required: true
description: The Kubernetes namespace of the resource.
schema:
type: string
name:
name: name
in: path
required: true
description: The name of the resource.
schema:
type: string
labelSelector:
name: labelSelector
in: query
required: false
description: Label selector to filter resources.
schema:
type: string
fieldSelector:
name: fieldSelector
in: query
required: false
description: Field selector to filter resources.
schema:
type: string
schemas:
GatewayClass:
type: object
description: >-
Cluster-scoped resource associating a controller with Gateways of a
given class. Contour registers a GatewayClass pointing to itself.
required:
- apiVersion
- kind
- metadata
- spec
properties:
apiVersion:
type: string
enum:
- gateway.networking.k8s.io/v1
kind:
type: string
enum:
- GatewayClass
metadata:
$ref: '#/components/schemas/ObjectMeta'
spec:
type: object
description: GatewayClass specification.
required:
- controllerName
properties:
controllerName:
type: string
description: >-
Name of the controller responsible for managing Gateways of this
class. For Contour, this is 'projectcontour.io/contour'.
example: projectcontour.io/contour
parametersRef:
type: object
description: Reference to a resource providing configuration for this class.
properties:
group:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
description:
type: string
description: Human-readable description of the GatewayClass.
status:
type: object
description: Status conditions reported by the controller.
properties:
conditions:
type: array
items:
$ref: '#/components/schemas/Condition'
GatewayClassList:
type: object
description: List of GatewayClass resources.
properties:
apiVersion:
type: string
kind:
type: string
items:
type: array
items:
$ref: '#/components/schemas/GatewayClass'
Gateway:
type: object
description: >-
Namespace-scoped resource describing a network infrastructure instance
with one or more listeners for handling inbound traffic.
required:
- apiVersion
- kind
- metadata
- spec
properties:
apiVersion:
type: string
enum:
- gateway.networking.k8s.io/v1
kind:
type: string
enum:
- Gateway
metadata:
$ref: '#/components/schemas/ObjectMeta'
spec:
type: object
description: Gateway specification.
required:
- gatewayClassName
properties:
gatewayClassName:
type: string
description: Name of the GatewayClass this Gateway belongs to.
listeners:
type: array
description: List of listeners for accepting inbound traffic.
items:
$ref: '#/components/schemas/Listener'
addresses:
type: array
description: Requested network addresses for the Gateway.
items:
type: object
properties:
type:
type: string
enum:
- IPAddress
- Hostname
value:
type: string
status:
type: object
description: Status of the Gateway as reported by the controller.
properties:
addresses:
type: array
description: Network addresses assigned to the Gateway.
items:
type: object
properties:
type:
type: string
value:
type: string
conditions:
type: array
items:
$ref: '#/components/schemas/Condition'
listeners:
type: array
items:
$ref: '#/components/schemas/ListenerStatus'
Listener:
type: object
description: A listener on the Gateway accepting inbound connections.
required:
- name
- port
- protocol
properties:
name:
type: string
description: Unique name for this listener within the Gateway.
hostname:
type: string
description: >-
Hostname that this listener is bound to. Requests with matching
SNI or Host header are routed to this listener.
port:
type: integer
description: Network port number the listener binds to.
minimum: 1
maximum: 65535
protocol:
type: string
description: Network protocol the listener accepts.
enum:
- HTTP
- HTTPS
- TLS
- TCP
tls:
type: object
description: TLS configuration for HTTPS and TLS listeners.
properties:
mode:
type: string
enum:
- Terminate
- Passthrough
certificateRefs:
type: array
items:
$ref: '#/components/schemas/SecretObjectReference'
allowedRoutes:
type: object
description: Defines which routes are allowed to attach to this listener.
properties:
namespaces:
type: object
properties:
from:
type: string
enum:
- All
- Same
- Selector
selector:
type: object
kinds:
type: array
items:
type: object
properties:
group:
type: string
kind:
type: string
ListenerStatus:
type: object
description: Status of a Gateway listener.
properties:
name:
type: string
description: Name of the listener.
supportedKinds:
type: array
description: Route kinds supported by this listener.
items:
type: object
attachedRoutes:
type: integer
description: Number of routes currently attached to this listener.
conditions:
type: array
items:
$ref: '#/components/schemas/Condition'
GatewayList:
type: object
description: List of Gateway resources.
properties:
apiVersion:
type: string
kind:
type: string
items:
type: array
items:
$ref: '#/components/schemas/Gateway'
HTTPRoute:
type: object
description: >-
Namespace-scoped resource defining HTTP/HTTPS routing rules that attach
to one or more Gateways. Supports matching on host, path, headers,
query parameters, and HTTP method.
required:
- apiVersion
- kind
- metadata
- spec
properties:
apiVersion:
type: string
enum:
- gateway.networking.k8s.io/v1
kind:
type: string
enum:
- HTTPRoute
metadata:
$ref: '#/components/schemas/ObjectMeta'
spec:
type: object
description: HTTPRoute specification.
properties:
parentRefs:
type: array
description: References to the Gateways this route attaches to.
items:
$ref: '#/components/schemas/ParentReference'
hostnames:
type: array
description: >-
Hostnames this route should match. Requests with matching
Host headers are routed according to this HTTPRoute.
items:
type: string
rules:
type: array
description: List of routing rules.
items:
$ref: '#/components/schemas/HTTPRouteRule'
status:
type: object
description: Status conditions for the route as reported by the controller.
properties:
parents:
type: array
items:
type: object
properties:
parentRef:
$ref: '#/components/schemas/ParentReference'
conditions:
type: array
items:
$ref: '#/components/schemas/Condition'
HTTPRouteRule:
type: object
description: A single routing rule within an HTTPRoute.
properties:
matches:
type: array
description: List of match criteria; request must match at least one.
items:
$ref: '#/components/schemas/HTTPRouteMatch'
filters:
type: array
description: List of filters applied to matching requests.
items:
$ref: '#/components/schemas/HTTPRouteFilter'
backendRefs:
type: array
description: Backend services to route matching requests to.
items:
$ref: '#/components/schemas/HTTPBackendRef'
timeouts:
type: object
description: Timeout configuration for this rule.
properties:
request:
type: string
description: Timeout for a complete HTTP request.
backendRequest:
type: string
description: Timeout for a request to the backend.
HTTPRouteMatch:
type: object
description: Criteria for matching an HTTP request to this routing rule.
properties:
path:
type: object
description: Path match criteria.
properties:
type:
type: string
enum:
- Exact
- PathPrefix
- RegularExpression
value:
type: string
headers:
type: array
description: Header match criteria.
items:
type: object
properties:
name:
type: string
type:
type: string
enum:
- Exact
- RegularExpression
value:
type: string
queryParams:
type: array
description: Query parameter match criteria.
items:
type: object
properties:
name:
type: string
type:
type: string
enum:
- Exact
- RegularExpression
value:
type: string
method:
type: string
description: HTTP method to match.
enum:
- GET
- POST
- PUT
- PATCH
- DELETE
- HEAD
- OPTIONS
- CONNECT
- TRACE
HTTPRouteFilter:
type: object
description: A filter applied to requests matching this route rule.
required:
- type
properties:
type:
type: string
description: Type of filter to apply.
enum:
- RequestHeaderModifier
- ResponseHeaderModifier
- RequestRedirect
- URLRewrite
- RequestMirror
- ExtensionRef
requestHeaderModifier:
type: object
description: Modifies request headers before forwarding.
properties:
set:
type: array
items:
type: object
properties:
name:
type: string
value:
type: string
add:
type: array
items:
type: object
properties:
name:
type: string
value:
type: string
remove:
type: array
items:
type: string
requestRedirect:
type: object
description: Redirects the request to a different URL.
properties:
scheme:
type: string
enum:
- http
- https
hostname:
type: string
path:
type: object
port:
type: integer
statusCode:
type: integer
enum:
- 301
- 302
HTTPBackendRef:
type: object
description: A backend service to route matching requests to.
required:
- name
- port
properties:
name:
type: string
description: Name of the Kubernetes Service.
namespace:
type: string
description: Namespace of the Service. Defaults to the route's namespace.
port:
type: integer
description: Port number on the Service.
minimum: 1
maximum: 65535
weight:
type: integer
description: Relative weight for traffic distribution among backends.
minimum: 0
filters:
type: array
description: Filters applied specifically to traffic routed to this backend.
items:
$ref: '#/components/schemas/HTTPRouteFilter'
HTTPRouteList:
type: object
description: List of HTTPRoute resources.
properties:
apiVersion:
type: string
kind:
type: string
items:
type: array
items:
$ref: '#/components/schemas/HTTPRoute'
TLSRoute:
type: object
description: >-
Namespace-scoped resource defining TLS routing rules for passthrough
connections, routing based on SNI hostname to backend services.
required:
- apiVersion
- kind
- metadata
- spec
properties:
apiVersion:
type: string
enum:
- gateway.networking.k8s.io/v1alpha2
kind:
type: string
enum:
- TLSRoute
metadata:
$ref: '#/components/schemas/ObjectMeta'
spec:
type: object
properties:
parentRefs:
type: array
items:
$ref: '#/components/schemas/ParentReference'
hostnames:
type: array
description: SNI hostnames this route matches.
items:
type: string
rules:
type: array
description: TLS routing rules.
items:
type: object
properties:
backendRefs:
type: array
items:
type: object
properties:
name:
type: string
namespace:
type: string
port:
type: integer
weight:
type: integer
status:
type: object
properties:
parents:
type: array
items:
type: object
TLSRouteList:
type: object
description: List of TLSRoute resources.
properties:
apiVersion:
type: string
kind:
type: string
items:
type: array
items:
$ref: '#/components/schemas/TLSRoute'
ParentReference:
type: object
description: A reference to a parent resource (typically a Gateway) to attach to.
required:
- name
properties:
group:
type: string
description: API group of the parent resource.
kind:
type: string
description: Kind of the parent resource.
namespace:
type: string
description: Namespace of the parent resource.
name:
type: string
description: Name of the parent resource.
sectionName:
type: string
description: Name of a specific listener section within the parent.
port:
type: integer
description: Port of a specific listener within the parent.
SecretObjectReference:
type: object
description: A reference to a Kubernetes Secret containing a TLS certificate.
required:
- name
properties:
group:
type: string
kind:
type: string
default: Secret
namespace:
type: string
name:
type: string
description: Name of the Secret.
Condition:
type: object
description: A standard Kubernetes condition indicating the state of a resource.
required:
- type
- status
properties:
type:
type: string
description: Type of the condition.
status:
type: string
enum:
- 'True'
- 'False'
- Unknown
description: Status of the condition.
observedGeneration:
type: integer
format: int64
lastTransitionTime:
type: string
format: date-time
description: Time when this condition last changed.
reason:
type: string
description: Short reason code for the condition.
message:
type: string
description: Human-readable details about this condition.
ObjectMeta:
# --- truncated at 32 KB (32 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/contour/refs/heads/main/openapi/contour-gateway-openapi.yml