From b44634caa129f1735d76462646a24f914e7fe54a Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 3 Feb 2026 19:45:38 +0800 Subject: [PATCH 01/22] sep e2e gomod Signed-off-by: zirain --- go.mod | 33 +- go.sum | 48 - .../infrastructure/host/proxy_infra_test.go | 84 +- test/e2e/e2e_test.go | 1 + test/e2e/tests/accesslog.go | 2 + test/go.mod | 308 +++++++ test/go.sum | 856 ++++++++++++++++++ tools/make/lint.mk | 3 +- 8 files changed, 1258 insertions(+), 77 deletions(-) create mode 100644 test/go.mod create mode 100644 test/go.sum diff --git a/go.mod b/go.mod index f4f15dedb3..44e3746fe1 100644 --- a/go.mod +++ b/go.mod @@ -3,10 +3,7 @@ module github.com/envoyproxy/gateway go 1.25.7 require ( - fortio.org/fortio v1.73.2 - fortio.org/log v1.18.3 github.com/Masterminds/semver/v3 v3.4.0 - github.com/andybalholm/brotli v1.2.0 github.com/avast/retry-go/v5 v5.0.0 github.com/cenkalti/backoff/v4 v4.3.0 github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e @@ -24,7 +21,6 @@ require ( github.com/evanphx/json-patch/v5 v5.9.11 github.com/fatih/color v1.18.0 github.com/fsnotify/fsnotify v1.9.0 - github.com/go-logfmt/logfmt v0.6.1 github.com/go-logr/logr v1.4.3 github.com/go-logr/zapr v1.3.0 github.com/go-openapi/spec v0.22.3 @@ -34,14 +30,9 @@ require ( github.com/google/cel-go v0.26.0 github.com/google/go-cmp v0.7.0 github.com/google/go-containerregistry v0.20.6 - github.com/klauspost/compress v1.18.3 - github.com/miekg/dns v1.1.72 github.com/ohler55/ojg v1.28.0 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.23.2 - github.com/prometheus/client_model v0.6.2 - github.com/prometheus/common v0.67.5 - github.com/quic-go/quic-go v0.59.0 github.com/replicatedhq/troubleshoot v0.123.17 github.com/shopspring/decimal v1.4.0 github.com/spf13/cobra v1.10.2 @@ -63,9 +54,7 @@ require ( go.opentelemetry.io/proto/otlp v1.9.0 go.uber.org/zap v1.27.1 golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 - golang.org/x/net v0.49.0 gomodules.xyz/jsonpatch/v2 v2.5.0 - gonum.org/v1/gonum v0.17.0 google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 google.golang.org/grpc v1.78.0 google.golang.org/grpc/security/advancedtls v1.0.0 @@ -94,14 +83,7 @@ require ( cyphar.com/go-pathrs v0.2.1 // indirect dario.cat/mergo v1.0.2 // indirect filippo.io/edwards25519 v1.1.0 // indirect - fortio.org/cli v1.12.3 // indirect - fortio.org/dflag v1.9.3 // indirect - fortio.org/duration v1.0.4 // indirect - fortio.org/safecast v1.2.0 // indirect - fortio.org/scli v1.19.0 // indirect - fortio.org/sets v1.3.0 // indirect - fortio.org/struct2env v0.4.2 // indirect - fortio.org/version v1.0.4 // indirect + github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect github.com/BurntSushi/toml v1.6.0 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect @@ -199,8 +181,8 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/kelseyhightower/envconfig v1.4.0 // indirect + github.com/klauspost/compress v1.18.3 // indirect github.com/klauspost/pgzip v1.2.6 // indirect - github.com/kortschak/goroutine v1.1.3 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect @@ -214,20 +196,17 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect github.com/microsoft/go-mssqldb v1.9.5 // indirect + github.com/miekg/dns v1.1.72 // indirect github.com/mistifyio/go-zfs/v4 v4.0.0 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-wordwrap v1.0.1 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect - github.com/moby/go-archive v0.1.0 // indirect - github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/spdystream v0.5.0 // indirect github.com/moby/sys/capability v0.4.0 // indirect github.com/moby/sys/mountinfo v0.7.2 // indirect - github.com/moby/sys/sequential v0.6.0 // indirect github.com/moby/sys/user v0.4.0 // indirect - github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect @@ -245,9 +224,10 @@ require ( github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect + github.com/prometheus/client_model v0.6.2 // indirect + github.com/prometheus/common v0.67.5 // indirect github.com/prometheus/otlptranslator v1.0.0 // indirect github.com/prometheus/procfs v0.19.2 // indirect - github.com/quic-go/qpack v0.6.0 // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/rubenv/sql-migrate v1.8.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect @@ -290,8 +270,8 @@ require ( go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.47.0 // indirect - golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb // indirect golang.org/x/mod v0.32.0 // indirect + golang.org/x/net v0.49.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect golang.org/x/sync v0.19.0 // indirect golang.org/x/sys v0.40.0 // indirect @@ -299,6 +279,7 @@ require ( golang.org/x/text v0.33.0 // indirect golang.org/x/time v0.14.0 // indirect golang.org/x/tools v0.40.0 // indirect + gonum.org/v1/gonum v0.17.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 3265482f09..6a8decb92f 100644 --- a/go.sum +++ b/go.sum @@ -6,28 +6,6 @@ dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= -fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q= -fortio.org/assert v1.2.1/go.mod h1:039mG+/iYDPO8Ibx8TrNuJCm2T2SuhwRI3uL9nHTTls= -fortio.org/cli v1.12.3 h1:PoqlAgkClqEv9Ztj4HK/J55UodnTc3Z+Ignm0ggyei4= -fortio.org/cli v1.12.3/go.mod h1:miR0uK+QAJLctpMGeeYvuS/8SldOVJ5jyDl8d+bes8Q= -fortio.org/dflag v1.9.3 h1:1E/flKspJ18H/RC6uqxUf8F1t0htpBS9XF5otT4iRwQ= -fortio.org/dflag v1.9.3/go.mod h1:+FrKhZpKDqRbcfFcS9P0sY2WN/kc231dXuwpzfsLjzc= -fortio.org/duration v1.0.4 h1:TB07ng4UsMZPDRujJRkTJIcNqMTLM283zob10nb9K24= -fortio.org/duration v1.0.4/go.mod h1:RuBVqdcCKRwMmI8WIdVq8kd7ngQPCIe6G7AU0NC0XDw= -fortio.org/fortio v1.73.2 h1:NrCg9++5y1dswTq7jQXCsXj7k7BoEj8L6SrLNnOYa8U= -fortio.org/fortio v1.73.2/go.mod h1:nQ0LsLqEXm/+L5stEy/fRdKdWlSsmWXClPSVdcEkVfw= -fortio.org/log v1.18.3 h1:2kwEUise3faY4OouueQ/1tC+75Y2YGJjJaX2/ECmu4I= -fortio.org/log v1.18.3/go.mod h1:vqpyEZd/TP4xO5eAHQaa4buDZDCn1AxCAV+wl3eaTec= -fortio.org/safecast v1.2.0 h1:ckQJNenMJHycqPsi/QrzA4EUX5WQkyd+hGO4mxt/a8w= -fortio.org/safecast v1.2.0/go.mod h1:xZmcPk3vi4kuUFf+tq4SvnlVdwViqf6ZSZl91Jr9Jdg= -fortio.org/scli v1.19.0 h1:3nr1BzCmKds6Ms7O33sjM0r/y9N4ZCEeFZ6kCzI/ii0= -fortio.org/scli v1.19.0/go.mod h1:cgaXS0ccxZl6i9pRn6rZQTtoRVeopu17XyvDdEeZpNE= -fortio.org/sets v1.3.0 h1:UiEtck/ndNM3Tg53mJu3I7Zz1ED8+YSQLtPKSjd8LTE= -fortio.org/sets v1.3.0/go.mod h1:y8fFzm4bPTk3Qfr/tF3Xz7oWwgzpy++QdkwURKhNbP4= -fortio.org/struct2env v0.4.2 h1:Xh7HlS9vf2ZdRvRfmoGIasNDO8t6z36M713utVODRCo= -fortio.org/struct2env v0.4.2/go.mod h1:lENUe70UwA1zDUCX+8AsO663QCFqYaprk5lnPhjD410= -fortio.org/version v1.0.4 h1:FWUMpJ+hVTNc4RhvvOJzb0xesrlRmG/a+D6bjbQ4+5U= -fortio.org/version v1.0.4/go.mod h1:2JQp9Ax+tm6QKiGuzR5nJY63kFeANcgrZ0osoQFDVm0= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U= @@ -62,8 +40,6 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= -github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ= -github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU= @@ -203,8 +179,6 @@ github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= -github.com/go-logfmt/logfmt v0.6.1 h1:4hvbpePJKnIzH1B+8OR/JPbTx37NktoI9LE2QZBBkvE= -github.com/go-logfmt/logfmt v0.6.1/go.mod h1:EV2pOAQoZaT1ZXZbqDl5hrymndi4SY9ED9/z6CO0XAk= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= @@ -365,8 +339,6 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= -github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= -github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM= github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= @@ -380,8 +352,6 @@ github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxh github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kortschak/goroutine v1.1.3 h1:kELvAfi7jpVD7a+MPWjmIxuQVJVYo/RELaOeGJZBb88= -github.com/kortschak/goroutine v1.1.3/go.mod h1:zKpXs1FWN/6mXasDQzfl7g0LrGFIOiA6cLs9eXKyaMY= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= @@ -437,10 +407,6 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= -github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ= -github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo= -github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= -github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= @@ -453,8 +419,6 @@ github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7z github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs= github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= -github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= -github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -469,8 +433,6 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU= -github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= @@ -530,10 +492,6 @@ github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEo github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM= github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws= github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw= -github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8= -github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII= -github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw= -github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U= github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc= @@ -639,8 +597,6 @@ github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chq github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= -github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU= -github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M= @@ -717,8 +673,6 @@ go.podman.io/storage v1.61.1-0.20260113143440-ec033ce69f13 h1:31m5LHEH19ESCYFrvZ go.podman.io/storage v1.61.1-0.20260113143440-ec033ce69f13/go.mod h1:nkKllgCrEviIXYWZNGxWdzU02pUBIfH5oOSrB/QgwIQ= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko= -go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= @@ -733,8 +687,6 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= -golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb h1:Iu0p/klM0SM7atONioa/bPhLS7cjhnip99x1OIGibwg= -golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb/go.mod h1:lxN5T34bK4Z/i6cMaU7frUU57VkDXFD4Kamfl/cp9oU= golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4= golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= diff --git a/internal/infrastructure/host/proxy_infra_test.go b/internal/infrastructure/host/proxy_infra_test.go index fb4fe337cd..dc32d81309 100644 --- a/internal/infrastructure/host/proxy_infra_test.go +++ b/internal/infrastructure/host/proxy_infra_test.go @@ -6,11 +6,13 @@ package host import ( + "bytes" "context" "fmt" "io" "os" "path" + "sync" "testing" "testing/synctest" "time" @@ -29,7 +31,6 @@ import ( "github.com/envoyproxy/gateway/internal/utils" "github.com/envoyproxy/gateway/internal/utils/file" "github.com/envoyproxy/gateway/internal/xds/bootstrap" - testutils "github.com/envoyproxy/gateway/test/utils" ) // newMockInfra doesn't actually run Envoy @@ -291,7 +292,7 @@ func TestInfra_runEnvoy_integration(t *testing.T) { runtimeDir := path.Join(baseDir, "runtime") // Create separate buffers for stdout and stderr - buffers := testutils.DumpLogsOnFail(t, "stdout", "stderr") + buffers := DumpLogsOnFail(t, "stdout", "stderr") stdout := buffers[0] stderr := buffers[1] @@ -665,3 +666,82 @@ func TestUserConfiguredMetricSinksPreserved(t *testing.T) { }) } } + +// DumpLogsOnFail creates labeled OutBuffers in the same order as labels. +// The difference between this and CaptureOutput is that when the test fails, +// these are dumped for diagnosis +func DumpLogsOnFail(t testing.TB, labels ...string) OutBuffers { + buffers := CaptureOutput(labels...) + + t.Cleanup(func() { + if t.Failed() { + for i, label := range labels { + out := buffers[i].String() + if len(out) == 0 { + continue + } + t.Logf("=== %s ===\n%s", label, out) + } + } + }) + + return buffers +} + +// OutBuffer combines io.Writer with fmt.Stringer for buffer access +type OutBuffer interface { + io.Writer + fmt.Stringer + Reset() + Len() int +} + +// OutBuffers allows you to reset all the buffers easily. +type OutBuffers []OutBuffer + +func (s OutBuffers) Reset() { + for _, buf := range s { + buf.Reset() + } +} + +// outBuffer is a thread-safe buffer implementing OutBuffer +type outBuffer struct { + mu sync.RWMutex + b *bytes.Buffer +} + +func (s *outBuffer) Reset() { + s.mu.Lock() + defer s.mu.Unlock() + s.b.Reset() +} + +func (s *outBuffer) Write(p []byte) (n int, err error) { + s.mu.Lock() + defer s.mu.Unlock() + return s.b.Write(p) +} + +func (s *outBuffer) Len() int { + s.mu.RLock() + defer s.mu.RUnlock() + return s.b.Len() +} + +func (s *outBuffer) String() string { + s.mu.RLock() + defer s.mu.RUnlock() + return s.b.String() +} + +// CaptureOutput creates labeled OutBuffers in the same order as labels. +func CaptureOutput(labels ...string) OutBuffers { + buffers := make([]OutBuffer, len(labels)) + + for i := range labels { + buffers[i] = &outBuffer{b: bytes.NewBuffer(nil)} + } + + return buffers +} diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index b699e11ec1..434f38453f 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -92,6 +92,7 @@ func TestE2E(t *testing.T) { SkipTests: skipTests, AllowCRDsMismatch: *flags.AllowCRDsMismatch, Hook: Hook, + // FailFast: true, }) if err != nil { t.Fatalf("Failed to create ConformanceTestSuite: %v", err) diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index 18b0bc21e2..eab59dbbcd 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go @@ -39,6 +39,8 @@ var FileAccessLogTest = suite.ConformanceTest{ } match := "test-annotation-value" + // t.Fatalf("test fail fast") + t.Run("Positive", func(t *testing.T) { ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "accesslog-file", Namespace: ns} diff --git a/test/go.mod b/test/go.mod new file mode 100644 index 0000000000..6e29ddcc4a --- /dev/null +++ b/test/go.mod @@ -0,0 +1,308 @@ +module github.com/envoyproxy/gateway/test + +go 1.25.6 + +replace github.com/envoyproxy/gateway => ../ + +require ( + fortio.org/fortio v1.73.2 + fortio.org/log v1.18.3 + github.com/andybalholm/brotli v1.2.0 + github.com/docker/docker v28.5.1+incompatible + github.com/envoyproxy/gateway v0.0.0-000000000000-000000000000 + github.com/go-logfmt/logfmt v0.6.1 + github.com/google/go-cmp v0.7.0 + github.com/google/go-containerregistry v0.20.6 + github.com/klauspost/compress v1.18.3 + github.com/miekg/dns v1.1.72 + github.com/prometheus/client_golang v1.23.2 + github.com/prometheus/client_model v0.6.2 + github.com/prometheus/common v0.67.5 + github.com/quic-go/quic-go v0.59.0 + github.com/stretchr/testify v1.11.1 + go.opentelemetry.io/proto/otlp v1.9.0 + golang.org/x/net v0.49.0 + gonum.org/v1/gonum v0.17.0 + google.golang.org/grpc v1.78.0 + google.golang.org/protobuf v1.36.11 + helm.sh/helm/v3 v3.20.0 + k8s.io/api v0.35.0 + k8s.io/apiextensions-apiserver v0.35.0 + k8s.io/apimachinery v0.35.0 + k8s.io/cli-runtime v0.35.0 + k8s.io/client-go v0.35.0 + k8s.io/kubectl v0.35.0 + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 + sigs.k8s.io/controller-runtime v0.23.1 + sigs.k8s.io/gateway-api v1.4.1 + sigs.k8s.io/yaml v1.6.0 +) + +require ( + cel.dev/expr v0.24.0 // indirect + cyphar.com/go-pathrs v0.2.1 // indirect + dario.cat/mergo v1.0.2 // indirect + filippo.io/edwards25519 v1.1.0 // indirect + fortio.org/cli v1.12.3 // indirect + fortio.org/dflag v1.9.3 // indirect + fortio.org/duration v1.0.4 // indirect + fortio.org/safecast v1.2.0 // indirect + fortio.org/scli v1.19.0 // indirect + fortio.org/sets v1.3.0 // indirect + fortio.org/struct2env v0.4.2 // indirect + fortio.org/version v1.0.4 // indirect + github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect + github.com/BurntSushi/toml v1.6.0 // indirect + github.com/MakeNowJust/heredoc v1.0.0 // indirect + github.com/Masterminds/goutils v1.1.1 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect + github.com/Masterminds/sprig/v3 v3.3.0 // indirect + github.com/Masterminds/squirrel v1.5.4 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect + github.com/NYTimes/gziphandler v1.1.1 // indirect + github.com/antlr4-go/antlr/v4 v4.13.1 // indirect + github.com/apparentlymart/go-cidr v1.1.0 // indirect + github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect + github.com/avast/retry-go/v5 v5.0.0 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/cenkalti/backoff/v5 v5.0.3 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/chai2010/gettext-go v1.0.2 // indirect + github.com/cilium/ebpf v0.20.0 // indirect + github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e // indirect + github.com/containerd/cgroups/v3 v3.1.2 // indirect + github.com/containerd/containerd v1.7.30 // indirect + github.com/containerd/errdefs v1.0.0 // indirect + github.com/containerd/errdefs/pkg v0.3.0 // indirect + github.com/containerd/log v0.1.0 // indirect + github.com/containerd/platforms v0.2.1 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect + github.com/containers/image/v5 v5.36.2 // indirect + github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect + github.com/containers/ocicrypt v1.2.1 // indirect + github.com/containers/storage v1.59.1 // indirect + github.com/coreos/go-semver v0.3.1 // indirect + github.com/coreos/go-systemd/v22 v22.5.0 // indirect + github.com/cyphar/filepath-securejoin v0.6.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/distribution/distribution/v3 v3.0.0 // indirect + github.com/distribution/reference v0.6.0 // indirect + github.com/docker/cli v29.2.0+incompatible // indirect + github.com/docker/distribution v2.8.3+incompatible // indirect + github.com/docker/docker-credential-helpers v0.9.4 // indirect + github.com/docker/go-connections v0.6.0 // indirect + github.com/docker/go-units v0.5.0 // indirect + github.com/dominikbraun/graph v0.23.0 // indirect + github.com/ebitengine/purego v0.9.1 // indirect + github.com/emicklei/go-restful/v3 v3.13.0 // indirect + github.com/envoyproxy/go-control-plane v0.14.0 // indirect + github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 // indirect + github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260113062649-004b9ec70a46 // indirect + github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 // indirect + github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect + github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 // indirect + github.com/evanphx/json-patch v5.9.11+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.9.11 // indirect + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect + github.com/fatih/color v1.18.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/fsnotify/fsnotify v1.9.0 // indirect + github.com/fxamacker/cbor/v2 v2.9.0 // indirect + github.com/go-errors/errors v1.4.2 // indirect + github.com/go-gorp/gorp/v3 v3.1.0 // indirect + github.com/go-logr/logr v1.4.3 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-ole/go-ole v1.3.0 // indirect + github.com/go-openapi/analysis v0.24.1 // indirect + github.com/go-openapi/errors v0.22.4 // indirect + github.com/go-openapi/jsonpointer v0.22.4 // indirect + github.com/go-openapi/jsonreference v0.21.4 // indirect + github.com/go-openapi/loads v0.23.2 // indirect + github.com/go-openapi/spec v0.22.3 // indirect + github.com/go-openapi/strfmt v0.25.0 // indirect + github.com/go-openapi/swag v0.23.1 // indirect + github.com/go-openapi/swag/conv v0.25.4 // indirect + github.com/go-openapi/swag/fileutils v0.25.1 // indirect + github.com/go-openapi/swag/jsonname v0.25.4 // indirect + github.com/go-openapi/swag/jsonutils v0.25.4 // indirect + github.com/go-openapi/swag/loading v0.25.4 // indirect + github.com/go-openapi/swag/mangling v0.25.1 // indirect + github.com/go-openapi/swag/stringutils v0.25.4 // indirect + github.com/go-openapi/swag/typeutils v0.25.4 // indirect + github.com/go-openapi/swag/yamlutils v0.25.4 // indirect + github.com/go-openapi/validate v0.25.1 // indirect + github.com/go-redis/redis/v7 v7.4.1 // indirect + github.com/go-sql-driver/mysql v1.9.3 // indirect + github.com/go-viper/mapstructure/v2 v2.4.0 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/godbus/dbus/v5 v5.2.2 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect + github.com/golang-sql/sqlexp v0.1.0 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/btree v1.1.3 // indirect + github.com/google/cel-go v0.26.0 // indirect + github.com/google/gnostic-models v0.7.0 // indirect + github.com/google/go-intervals v0.0.2 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/gorilla/handlers v1.5.2 // indirect + github.com/gorilla/mux v1.8.1 // indirect + github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect + github.com/gosuri/uitable v0.0.4 // indirect + github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect + github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/huandu/xstrings v1.5.0 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/jackc/pgpassfile v1.0.0 // indirect + github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect + github.com/jackc/pgx/v5 v5.8.0 // indirect + github.com/jmoiron/sqlx v1.4.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/kelseyhightower/envconfig v1.4.0 // indirect + github.com/klauspost/pgzip v1.2.6 // indirect + github.com/kortschak/goroutine v1.1.3 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect + github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect + github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect + github.com/lib/pq v1.10.9 // indirect + github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect + github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e // indirect + github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect + github.com/lyft/gostats v0.4.1 // indirect + github.com/mailru/easyjson v0.9.0 // indirect + github.com/mattn/go-colorable v0.1.14 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mattn/go-runewidth v0.0.16 // indirect + github.com/microsoft/go-mssqldb v1.9.5 // indirect + github.com/mistifyio/go-zfs/v4 v4.0.0 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/go-wordwrap v1.0.1 // indirect + github.com/mitchellh/reflectwalk v1.0.2 // indirect + github.com/moby/docker-image-spec v1.3.1 // indirect + github.com/moby/go-archive v0.1.0 // indirect + github.com/moby/patternmatcher v0.6.0 // indirect + github.com/moby/spdystream v0.5.0 // indirect + github.com/moby/sys/capability v0.4.0 // indirect + github.com/moby/sys/mountinfo v0.7.2 // indirect + github.com/moby/sys/sequential v0.6.0 // indirect + github.com/moby/sys/user v0.4.0 // indirect + github.com/moby/sys/userns v0.1.0 // indirect + github.com/moby/term v0.5.2 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect + github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect + github.com/nxadm/tail v1.4.8 // indirect + github.com/ohler55/ojg v1.28.0 // indirect + github.com/oklog/ulid v1.3.1 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/opencontainers/image-spec v1.1.1 // indirect + github.com/opencontainers/runtime-spec v1.3.0 // indirect + github.com/opencontainers/selinux v1.13.1 // indirect + github.com/pelletier/go-toml/v2 v2.2.4 // indirect + github.com/peterbourgon/diskv v2.0.1+incompatible // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect + github.com/prometheus/otlptranslator v1.0.0 // indirect + github.com/prometheus/procfs v0.19.2 // indirect + github.com/quic-go/qpack v0.6.0 // indirect + github.com/replicatedhq/troubleshoot v0.123.17 // indirect + github.com/rivo/uniseg v0.4.7 // indirect + github.com/rubenv/sql-migrate v1.8.1 // indirect + github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/sagikazarmark/locafero v0.11.0 // indirect + github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect + github.com/segmentio/ksuid v1.0.4 // indirect + github.com/shirou/gopsutil/v4 v4.25.12 // indirect + github.com/shopspring/decimal v1.4.0 // indirect + github.com/sirupsen/logrus v1.9.4-0.20251023124752-b61f268f75b6 // indirect + github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect + github.com/spf13/afero v1.15.0 // indirect + github.com/spf13/cast v1.10.0 // indirect + github.com/spf13/cobra v1.10.2 // indirect + github.com/spf13/pflag v1.0.10 // indirect + github.com/spf13/viper v1.21.0 // indirect + github.com/stoewer/go-strcase v1.3.1 // indirect + github.com/subosito/gotenv v1.6.0 // indirect + github.com/sylabs/sif/v2 v2.22.0 // indirect + github.com/tchap/go-patricia/v2 v2.3.3 // indirect + github.com/tklauser/go-sysconf v0.3.16 // indirect + github.com/tklauser/numcpus v0.11.0 // indirect + github.com/ulikunitz/xz v0.5.15 // indirect + github.com/vbatts/tar-split v0.12.2 // indirect + github.com/vishvananda/netlink v1.3.1 // indirect + github.com/vishvananda/netns v0.0.5 // indirect + github.com/x448/float16 v0.8.4 // indirect + github.com/xlab/treeprint v1.2.0 // indirect + github.com/yuin/gopher-lua v1.1.1 // indirect + github.com/yusufpapurcu/wmi v1.2.4 // indirect + go.etcd.io/etcd/api/v3 v3.6.5 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect + go.etcd.io/etcd/client/v3 v3.6.5 // indirect + go.mongodb.org/mongo-driver v1.17.6 // indirect + go.opentelemetry.io/auto/sdk v1.2.1 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect + go.opentelemetry.io/otel v1.39.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect + go.opentelemetry.io/otel/exporters/prometheus v0.61.0 // indirect + go.opentelemetry.io/otel/metric v1.39.0 // indirect + go.opentelemetry.io/otel/sdk v1.39.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect + go.opentelemetry.io/otel/trace v1.39.0 // indirect + go.podman.io/image/v5 v5.38.0 // indirect + go.podman.io/storage v1.61.1-0.20260113143440-ec033ce69f13 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.27.1 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect + golang.org/x/crypto v0.47.0 // indirect + golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb // indirect + golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect + golang.org/x/mod v0.32.0 // indirect + golang.org/x/oauth2 v0.34.0 // indirect + golang.org/x/sync v0.19.0 // indirect + golang.org/x/sys v0.40.0 // indirect + golang.org/x/term v0.39.0 // indirect + golang.org/x/text v0.33.0 // indirect + golang.org/x/time v0.14.0 // indirect + golang.org/x/tools v0.40.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/apiserver v0.35.0 // indirect + k8s.io/component-base v0.35.0 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect + k8s.io/metrics v0.35.0 // indirect + oras.land/oras-go/v2 v2.6.0 // indirect + periph.io/x/host/v3 v3.8.5 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect + sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect + sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 // indirect + sigs.k8s.io/kustomize/api v0.20.1 // indirect + sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect + sigs.k8s.io/mcs-api v0.3.0 // indirect + sigs.k8s.io/randfill v1.0.0 // indirect + sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect +) diff --git a/test/go.sum b/test/go.sum new file mode 100644 index 0000000000..fc4cc60194 --- /dev/null +++ b/test/go.sum @@ -0,0 +1,856 @@ +cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= +cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= +cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8= +cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc= +dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= +dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q= +fortio.org/assert v1.2.1/go.mod h1:039mG+/iYDPO8Ibx8TrNuJCm2T2SuhwRI3uL9nHTTls= +fortio.org/cli v1.12.3 h1:PoqlAgkClqEv9Ztj4HK/J55UodnTc3Z+Ignm0ggyei4= +fortio.org/cli v1.12.3/go.mod h1:miR0uK+QAJLctpMGeeYvuS/8SldOVJ5jyDl8d+bes8Q= +fortio.org/dflag v1.9.3 h1:1E/flKspJ18H/RC6uqxUf8F1t0htpBS9XF5otT4iRwQ= +fortio.org/dflag v1.9.3/go.mod h1:+FrKhZpKDqRbcfFcS9P0sY2WN/kc231dXuwpzfsLjzc= +fortio.org/duration v1.0.4 h1:TB07ng4UsMZPDRujJRkTJIcNqMTLM283zob10nb9K24= +fortio.org/duration v1.0.4/go.mod h1:RuBVqdcCKRwMmI8WIdVq8kd7ngQPCIe6G7AU0NC0XDw= +fortio.org/fortio v1.73.2 h1:NrCg9++5y1dswTq7jQXCsXj7k7BoEj8L6SrLNnOYa8U= +fortio.org/fortio v1.73.2/go.mod h1:nQ0LsLqEXm/+L5stEy/fRdKdWlSsmWXClPSVdcEkVfw= +fortio.org/log v1.18.3 h1:2kwEUise3faY4OouueQ/1tC+75Y2YGJjJaX2/ECmu4I= +fortio.org/log v1.18.3/go.mod h1:vqpyEZd/TP4xO5eAHQaa4buDZDCn1AxCAV+wl3eaTec= +fortio.org/safecast v1.2.0 h1:ckQJNenMJHycqPsi/QrzA4EUX5WQkyd+hGO4mxt/a8w= +fortio.org/safecast v1.2.0/go.mod h1:xZmcPk3vi4kuUFf+tq4SvnlVdwViqf6ZSZl91Jr9Jdg= +fortio.org/scli v1.19.0 h1:3nr1BzCmKds6Ms7O33sjM0r/y9N4ZCEeFZ6kCzI/ii0= +fortio.org/scli v1.19.0/go.mod h1:cgaXS0ccxZl6i9pRn6rZQTtoRVeopu17XyvDdEeZpNE= +fortio.org/sets v1.3.0 h1:UiEtck/ndNM3Tg53mJu3I7Zz1ED8+YSQLtPKSjd8LTE= +fortio.org/sets v1.3.0/go.mod h1:y8fFzm4bPTk3Qfr/tF3Xz7oWwgzpy++QdkwURKhNbP4= +fortio.org/struct2env v0.4.2 h1:Xh7HlS9vf2ZdRvRfmoGIasNDO8t6z36M713utVODRCo= +fortio.org/struct2env v0.4.2/go.mod h1:lENUe70UwA1zDUCX+8AsO663QCFqYaprk5lnPhjD410= +fortio.org/version v1.0.4 h1:FWUMpJ+hVTNc4RhvvOJzb0xesrlRmG/a+D6bjbQ4+5U= +fortio.org/version v1.0.4/go.mod h1:2JQp9Ax+tm6QKiGuzR5nJY63kFeANcgrZ0osoQFDVm0= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZba3YZqeTNJPtvqZoBu1sBN/L4sry+u2U3Y75w= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs= +github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= +github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= +github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= +github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= +github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= +github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= +github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= +github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ= +github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY= +github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= +github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= +github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU= +github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/avast/retry-go/v5 v5.0.0 h1:kf1Qc2UsTZ4qq8elDymqfbISvkyMuhgRxuJqX2NHP7k= +github.com/avast/retry-go/v5 v5.0.0/go.mod h1://d+usmKWio1agtZfS1H/ltTqwtIfBnRq9zEwjc3eH8= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= +github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f h1:tRk+aBit+q3oqnj/1mF5HHhP2yxJM2lSa0afOJxQ3nE= +github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f/go.mod h1:uEyr4WpAH4hio6LFriaPkL938XnrvLpNPmQHBdrmbIE= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= +github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= +github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/cilium/ebpf v0.20.0 h1:atwWj9d3NffHyPZzVlx3hmw1on5CLe9eljR8VuHTwhM= +github.com/cilium/ebpf v0.20.0/go.mod h1:pzLjFymM+uZPLk/IXZUL63xdx5VXEo+enTzxkZXdycw= +github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e h1:gt7U1Igw0xbJdyaCM5H2CnlAlPSkzrhsebQB6WQWjLA= +github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI= +github.com/containerd/cgroups/v3 v3.1.2 h1:OSosXMtkhI6Qove637tg1XgK4q+DhR0mX8Wi8EhrHa4= +github.com/containerd/cgroups/v3 v3.1.2/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw= +github.com/containerd/containerd v1.7.30 h1:/2vezDpLDVGGmkUXmlNPLCCNKHJ5BbC5tJB5JNzQhqE= +github.com/containerd/containerd v1.7.30/go.mod h1:fek494vwJClULlTpExsmOyKCMUAbuVjlFsJQc4/j44M= +github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= +github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= +github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= +github.com/containerd/stargz-snapshotter/estargz v0.18.1 h1:cy2/lpgBXDA3cDKSyEfNOFMA/c10O1axL69EU7iirO8= +github.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDsrF37GkGN20SuvG/pIMm7FwP7ZmRb0Q= +github.com/containers/image/v5 v5.36.2 h1:GcxYQyAHRF/pLqR4p4RpvKllnNL8mOBn0eZnqJbfTwk= +github.com/containers/image/v5 v5.36.2/go.mod h1:b4GMKH2z/5t6/09utbse2ZiLK/c72GuGLFdp7K69eA4= +github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= +github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY= +github.com/containers/ocicrypt v1.2.1 h1:0qIOTT9DoYwcKmxSt8QJt+VzMY18onl9jUXsxpVhSmM= +github.com/containers/ocicrypt v1.2.1/go.mod h1:aD0AAqfMp0MtwqWgHM1bUwe1anx0VazI108CRrSKINQ= +github.com/containers/storage v1.59.1 h1:11Zu68MXsEQGBBd+GadPrHPpWeqjKS8hJDGiAHgIqDs= +github.com/containers/storage v1.59.1/go.mod h1:KoAYHnAjP3/cTsRS+mmWZGkufSY2GACiKQ4V3ZLQnR0= +github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= +github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE= +github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= +github.com/distribution/distribution/v3 v3.0.0 h1:q4R8wemdRQDClzoNNStftB2ZAfqOiN6UX90KJc4HjyM= +github.com/distribution/distribution/v3 v3.0.0/go.mod h1:tRNuFoZsUdyRVegq8xGNeds4KLjwLCRin/tTo6i1DhU= +github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= +github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= +github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= +github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM= +github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= +github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM= +github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.9.4 h1:76ItO69/AP/V4yT9V4uuuItG0B1N8hvt0T0c0NN/DzI= +github.com/docker/docker-credential-helpers v0.9.4/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c= +github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= +github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= +github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= +github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/dominikbraun/graph v0.23.0 h1:TdZB4pPqCLFxYhdyMFb1TBdFxp8XLcJfTTBQucVPgCo= +github.com/dominikbraun/graph v0.23.0/go.mod h1:yOjYyogZLY1LSG9E33JWZJiq5k83Qy2C6POAuiViluc= +github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A= +github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ= +github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= +github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA= +github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU= +github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 h1:KTd1TJym7dgV1L1XlxXeJNct7rJI3xTV+iuArq40wm0= +github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo= +github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260113062649-004b9ec70a46 h1:Uy4mh3OJl7dCpO0feVB887innhX51w9Utpe5X9SYW4w= +github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260113062649-004b9ec70a46/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 h1:8tBwE+GI3IWMywGVrJjc2grm7SCpPMydVu+HiBYb4+E= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989/go.mod h1:buWyXJdrI6ayYbeGm3upu3Qf/qHHrdWfUHKnVrTD+vM= +github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4= +github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA= +github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 h1:yz9/p/8QVPuEjPqRfZDXJmRaURKpKkxCZXUhl22i+cU= +github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7/go.mod h1:NmJBO+gDMvSQWvcSWq8wmlgkDmHHAkx1SCxEGva5hKU= +github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= +github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= +github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= +github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= +github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/foxcpp/go-mockdns v1.2.0 h1:omK3OrHRD1IWJz1FuFBCFquhXslXoF17OvBS6JPzZF0= +github.com/foxcpp/go-mockdns v1.2.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= +github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= +github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= +github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= +github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= +github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= +github.com/go-logfmt/logfmt v0.6.1 h1:4hvbpePJKnIzH1B+8OR/JPbTx37NktoI9LE2QZBBkvE= +github.com/go-logfmt/logfmt v0.6.1/go.mod h1:EV2pOAQoZaT1ZXZbqDl5hrymndi4SY9ED9/z6CO0XAk= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE= +github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78= +github.com/go-openapi/analysis v0.24.1 h1:Xp+7Yn/KOnVWYG8d+hPksOYnCYImE3TieBa7rBOesYM= +github.com/go-openapi/analysis v0.24.1/go.mod h1:dU+qxX7QGU1rl7IYhBC8bIfmWQdX4Buoea4TGtxXY84= +github.com/go-openapi/errors v0.22.4 h1:oi2K9mHTOb5DPW2Zjdzs/NIvwi2N3fARKaTJLdNabaM= +github.com/go-openapi/errors v0.22.4/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk= +github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4= +github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80= +github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8= +github.com/go-openapi/jsonreference v0.21.4/go.mod h1:rIENPTjDbLpzQmQWCj5kKj3ZlmEh+EFVbz3RTUh30/4= +github.com/go-openapi/loads v0.23.2 h1:rJXAcP7g1+lWyBHC7iTY+WAF0rprtM+pm8Jxv1uQJp4= +github.com/go-openapi/loads v0.23.2/go.mod h1:IEVw1GfRt/P2Pplkelxzj9BYFajiWOtY2nHZNj4UnWY= +github.com/go-openapi/spec v0.22.3 h1:qRSmj6Smz2rEBxMnLRBMeBWxbbOvuOoElvSvObIgwQc= +github.com/go-openapi/spec v0.22.3/go.mod h1:iIImLODL2loCh3Vnox8TY2YWYJZjMAKYyLH2Mu8lOZs= +github.com/go-openapi/strfmt v0.25.0 h1:7R0RX7mbKLa9EYCTHRcCuIPcaqlyQiWNPTXwClK0saQ= +github.com/go-openapi/strfmt v0.25.0/go.mod h1:nNXct7OzbwrMY9+5tLX4I21pzcmE6ccMGXl3jFdPfn8= +github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= +github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= +github.com/go-openapi/swag/conv v0.25.4 h1:/Dd7p0LZXczgUcC/Ikm1+YqVzkEeCc9LnOWjfkpkfe4= +github.com/go-openapi/swag/conv v0.25.4/go.mod h1:3LXfie/lwoAv0NHoEuY1hjoFAYkvlqI/Bn5EQDD3PPU= +github.com/go-openapi/swag/fileutils v0.25.1 h1:rSRXapjQequt7kqalKXdcpIegIShhTPXx7yw0kek2uU= +github.com/go-openapi/swag/fileutils v0.25.1/go.mod h1:+NXtt5xNZZqmpIpjqcujqojGFek9/w55b3ecmOdtg8M= +github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI= +github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag= +github.com/go-openapi/swag/jsonutils v0.25.4 h1:VSchfbGhD4UTf4vCdR2F4TLBdLwHyUDTd1/q4i+jGZA= +github.com/go-openapi/swag/jsonutils v0.25.4/go.mod h1:7OYGXpvVFPn4PpaSdPHJBtF0iGnbEaTk8AvBkoWnaAY= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4 h1:IACsSvBhiNJwlDix7wq39SS2Fh7lUOCJRmx/4SN4sVo= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4/go.mod h1:Mt0Ost9l3cUzVv4OEZG+WSeoHwjWLnarzMePNDAOBiM= +github.com/go-openapi/swag/loading v0.25.4 h1:jN4MvLj0X6yhCDduRsxDDw1aHe+ZWoLjW+9ZQWIKn2s= +github.com/go-openapi/swag/loading v0.25.4/go.mod h1:rpUM1ZiyEP9+mNLIQUdMiD7dCETXvkkC30z53i+ftTE= +github.com/go-openapi/swag/mangling v0.25.1 h1:XzILnLzhZPZNtmxKaz/2xIGPQsBsvmCjrJOWGNz/ync= +github.com/go-openapi/swag/mangling v0.25.1/go.mod h1:CdiMQ6pnfAgyQGSOIYnZkXvqhnnwOn997uXZMAd/7mQ= +github.com/go-openapi/swag/stringutils v0.25.4 h1:O6dU1Rd8bej4HPA3/CLPciNBBDwZj9HiEpdVsb8B5A8= +github.com/go-openapi/swag/stringutils v0.25.4/go.mod h1:GTsRvhJW5xM5gkgiFe0fV3PUlFm0dr8vki6/VSRaZK0= +github.com/go-openapi/swag/typeutils v0.25.4 h1:1/fbZOUN472NTc39zpa+YGHn3jzHWhv42wAJSN91wRw= +github.com/go-openapi/swag/typeutils v0.25.4/go.mod h1:Ou7g//Wx8tTLS9vG0UmzfCsjZjKhpjxayRKTHXf2pTE= +github.com/go-openapi/swag/yamlutils v0.25.4 h1:6jdaeSItEUb7ioS9lFoCZ65Cne1/RZtPBZ9A56h92Sw= +github.com/go-openapi/swag/yamlutils v0.25.4/go.mod h1:MNzq1ulQu+yd8Kl7wPOut/YHAAU/H6hL91fF+E2RFwc= +github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxEodtNSI1WG1c/m5Akw4= +github.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg= +github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls= +github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= +github.com/go-openapi/validate v0.25.1 h1:sSACUI6Jcnbo5IWqbYHgjibrhhmt3vR6lCzKZnmAgBw= +github.com/go-openapi/validate v0.25.1/go.mod h1:RMVyVFYte0gbSTaZ0N4KmTn6u/kClvAFp+mAVfS/DQc= +github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6 h1:teYtXy9B7y5lHTp8V9KPxpYRAVA7dozigQcMiBust1s= +github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6/go.mod h1:p4lGIVX+8Wa6ZPNDvqcxq36XpUDLh42FLetFU7odllI= +github.com/go-redis/redis/v7 v7.4.1 h1:PASvf36gyUpr2zdOUS/9Zqc80GbM+9BDyiJSJDDOrTI= +github.com/go-redis/redis/v7 v7.4.1/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRfnwdHj/Dcg= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= +github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo= +github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= +github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ= +github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= +github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA= +github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= +github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= +github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= +github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= +github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU= +github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= +github.com/google/go-intervals v0.0.2 h1:FGrVEiUnTRKR8yE04qzXYaJMtnIYqobR5QbblK3ixcM= +github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCjbbr4TQlcT6Y= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18= +github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= +github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= +github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= +github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= +github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= +github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= +github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 h1:qnpSQwGEnkcRpTqNOIR6bJbR0gAorgP9CSALpRcKoAA= +github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1/go.mod h1:lXGCsh6c22WGtjr+qGHj1otzZpV/1kwTMAqkwZsnWRU= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0 h1:FbSCl+KggFl+Ocym490i/EyXF4lPgLoUtcSWquBM0Rs= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0/go.mod h1:qOchhhIlmRcqk/O9uCo/puJlyo07YINaIqdZfZG3Jkc= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw= +github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= +github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo= +github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw= +github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= +github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= +github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= +github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= +github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I= +github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= +github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= +github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= +github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM= +github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= +github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw= +github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4= +github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= +github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kortschak/goroutine v1.1.3 h1:kELvAfi7jpVD7a+MPWjmIxuQVJVYo/RELaOeGJZBb88= +github.com/kortschak/goroutine v1.1.3/go.mod h1:zKpXs1FWN/6mXasDQzfl7g0LrGFIOiA6cLs9eXKyaMY= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= +github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e h1:hz4quJkaJWDo+xW+G6wTF6d6/95QvJ+o2D0+bB/tJ1U= +github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e/go.mod h1:9z/y9glKmWEdV50tjlUPxFwi1goQfIrrsoZbnMyIZbY= +github.com/longhorn/nsfilelock v0.0.0-20200723175406-fa7c83ad0003/go.mod h1:0CLeXlf59Lg6C0kjLSDf47ft73Dh37CwymYRKWwAn04= +github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIiZhtifTV5OUqqiP82UAl0h87xj/l9k= +github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg= +github.com/lyft/gostats v0.4.1 h1:oR6p4HRCGxt0nUntmZIWmYMgyothBi3eZH2A71vRjsc= +github.com/lyft/gostats v0.4.1/go.mod h1:Tpx2xRzz4t+T2Tx0xdVgIoBdR2UMVz+dKnE3X01XSd8= +github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= +github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= +github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= +github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs= +github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g= +github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= +github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U= +github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA= +github.com/microsoft/go-mssqldb v1.9.5 h1:orwya0X/5bsL1o+KasupTkk2eNTNFkTQG0BEe/HxCn0= +github.com/microsoft/go-mssqldb v1.9.5/go.mod h1:VCP2a0KEZZtGLRHd1PsLavLFYy/3xX2yJUPycv3Sr2Q= +github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI= +github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs= +github.com/mistifyio/go-zfs/v4 v4.0.0 h1:sU0+5dX45tdDK5xNZ3HBi95nxUc48FS92qbIZEvpAg4= +github.com/mistifyio/go-zfs/v4 v4.0.0/go.mod h1:weotFtXTHvBwhr9Mv96KYnDkTPBOHFUbm9cBmQpesL0= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= +github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ= +github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo= +github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= +github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= +github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= +github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= +github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= +github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk= +github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I= +github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= +github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= +github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= +github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= +github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs= +github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= +github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= +github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= +github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= +github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= +github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/ohler55/ojg v1.28.0 h1:8xClBgMIRRJGDUC9xNe7NprP4kD2C3mQMeon3wY4KXA= +github.com/ohler55/ojg v1.28.0/go.mod h1:/Y5dGWkekv9ocnUixuETqiL58f+5pAsUfg5P8e7Pa2o= +github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg= +github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE= +github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg= +github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4= +github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU= +github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= +github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= +github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= +github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= +github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= +github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4= +github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= +github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos= +github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM= +github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws= +github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw= +github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8= +github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII= +github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw= +github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= +github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= +github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U= +github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc= +github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= +github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM= +github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA= +github.com/replicatedhq/troubleshoot v0.123.17 h1:rwG7bKbquqtgv5sxSQIoxQVz0hvsvvWdwkI/VgmCFq0= +github.com/replicatedhq/troubleshoot v0.123.17/go.mod h1:r+Yc2qWgOMv3HkFvITHSoOgTn4CvhlzhGnDw31HmEmY= +github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= +github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= +github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= +github.com/rubenv/sql-migrate v1.8.1 h1:EPNwCvjAowHI3TnZ+4fQu3a915OpnQoPAjTXCGOy2U0= +github.com/rubenv/sql-migrate v1.8.1/go.mod h1:BTIKBORjzyxZDS6dzoiw6eAFYJ1iNlGAtjn4LGeVjS8= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc= +github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU= +github.com/sebdah/goldie/v2 v2.7.1 h1:PkBHymaYdtvEkZV7TmyqKxdmn5/Vcj+8TpATWZjnG5E= +github.com/sebdah/goldie/v2 v2.7.1/go.mod h1:oZ9fp0+se1eapSRjfYbsV/0Hqhbuu3bJVvKI/NNtssI= +github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= +github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= +github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= +github.com/shirou/gopsutil/v4 v4.25.12 h1:e7PvW/0RmJ8p8vPGJH4jvNkOyLmbkXgXW4m6ZPic6CY= +github.com/shirou/gopsutil/v4 v4.25.12/go.mod h1:EivAfP5x2EhLp2ovdpKSozecVXn1TmuG7SMzs/Wh4PU= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= +github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.9.4-0.20251023124752-b61f268f75b6 h1:JEH4GlfEqachL/BWMxNEqYZGst5AGInBdLF/bEx+dZY= +github.com/sirupsen/logrus v1.9.4-0.20251023124752-b61f268f75b6/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g= +github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U= +github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I= +github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg= +github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY= +github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo= +github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= +github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU= +github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY= +github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= +github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= +github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs= +github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= +github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= +github.com/sylabs/sif/v2 v2.22.0 h1:Y+xXufp4RdgZe02SR3nWEg7S6q4tPWN237WHYzkDSKA= +github.com/sylabs/sif/v2 v2.22.0/go.mod h1:W1XhWTmG1KcG7j5a3KSYdMcUIFvbs240w/MMVW627hs= +github.com/tchap/go-patricia/v2 v2.3.3 h1:xfNEsODumaEcCcY3gI0hYPZ/PcpVv5ju6RMAhgwZDDc= +github.com/tchap/go-patricia/v2 v2.3.3/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA= +github.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI= +github.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw= +github.com/tklauser/numcpus v0.11.0/go.mod h1:z+LwcLq54uWZTX0u/bGobaV34u6V7KNlTZejzM6/3MQ= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= +github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= +github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4= +github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= +github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0= +github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4= +github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY= +github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk= +github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= +github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU= +github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M= +github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= +github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= +github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo= +go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E= +go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA= +go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ= +go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8= +go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk= +go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U= +go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo= +go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM= +go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU= +go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0= +go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0= +go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ= +go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo= +go.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss= +go.mongodb.org/mongo-driver v1.17.6/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w= +go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk= +go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4= +go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 h1:nKP4Z2ejtHn3yShBb+2KawiXgpn8In5cT7aO2wXuOTE= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0/go.mod h1:NwjeBbNigsO4Aj9WgM0C+cKIrxsZUaRmZUO7A8I7u8o= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= +go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0= +go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg= +go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU= +go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 h1:5gn2urDL/FBnK8OkCfD1j3/ER79rUuTYmCvlXBKeYL8= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0/go.mod h1:0fBG6ZJxhqByfFZDwSwpZGzJU671HkwpWaNe2t4VUPI= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s= +go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk= +go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs= +go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo= +go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= +go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= +go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= +go.podman.io/image/v5 v5.38.0 h1:aUKrCANkPvze1bnhLJsaubcfz0d9v/bSDLnwsXJm6G4= +go.podman.io/image/v5 v5.38.0/go.mod h1:hSIoIUzgBnmc4DjoIdzk63aloqVbD7QXDMkSE/cvG90= +go.podman.io/storage v1.61.1-0.20260113143440-ec033ce69f13 h1:31m5LHEH19ESCYFrvZh4YX1kkfa7sQSapHg9/NHzpok= +go.podman.io/storage v1.61.1-0.20260113143440-ec033ce69f13/go.mod h1:nkKllgCrEviIXYWZNGxWdzU02pUBIfH5oOSrB/QgwIQ= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko= +go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= +go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= +golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= +golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb h1:Iu0p/klM0SM7atONioa/bPhLS7cjhnip99x1OIGibwg= +golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb/go.mod h1:lxN5T34bK4Z/i6cMaU7frUU57VkDXFD4Kamfl/cp9oU= +golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4= +golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= +golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= +golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= +golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= +golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= +golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190524152521-dbbf3f1254d4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= +golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY= +golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= +golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA= +golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0= +gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= +gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= +google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= +google.golang.org/grpc/security/advancedtls v1.0.0 h1:/KQ7VP/1bs53/aopk9QhuPyFAp9Dm9Ejix3lzYkCrDA= +google.golang.org/grpc/security/advancedtls v1.0.0/go.mod h1:o+s4go+e1PJ2AjuQMY5hU82W7lDlefjJA6FqEHRVHWk= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20160105164936-4f90aeace3a2/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= +gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= +helm.sh/helm/v3 v3.20.0 h1:2M+0qQwnbI1a2CxN7dbmfsWHg/MloeaFMnZCY56as50= +helm.sh/helm/v3 v3.20.0/go.mod h1:rTavWa0lagZOxGfdhu4vgk1OjH2UYCnrDKE2PVC4N0o= +k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY= +k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA= +k8s.io/apiextensions-apiserver v0.35.0 h1:3xHk2rTOdWXXJM+RDQZJvdx0yEOgC0FgQ1PlJatA5T4= +k8s.io/apiextensions-apiserver v0.35.0/go.mod h1:E1Ahk9SADaLQ4qtzYFkwUqusXTcaV2uw3l14aqpL2LU= +k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8= +k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/apiserver v0.35.0 h1:CUGo5o+7hW9GcAEF3x3usT3fX4f9r8xmgQeCBDaOgX4= +k8s.io/apiserver v0.35.0/go.mod h1:QUy1U4+PrzbJaM3XGu2tQ7U9A4udRRo5cyxkFX0GEds= +k8s.io/cli-runtime v0.35.0 h1:PEJtYS/Zr4p20PfZSLCbY6YvaoLrfByd6THQzPworUE= +k8s.io/cli-runtime v0.35.0/go.mod h1:VBRvHzosVAoVdP3XwUQn1Oqkvaa8facnokNkD7jOTMY= +k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE= +k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o= +k8s.io/component-base v0.35.0 h1:+yBrOhzri2S1BVqyVSvcM3PtPyx5GUxCK2tinZz1G94= +k8s.io/component-base v0.35.0/go.mod h1:85SCX4UCa6SCFt6p3IKAPej7jSnF3L8EbfSyMZayJR0= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kms v0.35.0 h1:/x87FED2kDSo66csKtcYCEHsxF/DBlNl7LfJ1fVQs1o= +k8s.io/kms v0.35.0/go.mod h1:VT+4ekZAdrZDMgShK37vvlyHUVhwI9t/9tvh0AyCWmQ= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= +k8s.io/kubectl v0.35.0 h1:cL/wJKHDe8E8+rP3G7avnymcMg6bH6JEcR5w5uo06wc= +k8s.io/kubectl v0.35.0/go.mod h1:VR5/TSkYyxZwrRwY5I5dDq6l5KXmiCb+9w8IKplk3Qo= +k8s.io/metrics v0.35.0 h1:xVFoqtAGm2dMNJAcB5TFZJPCen0uEqqNt52wW7ABbX8= +k8s.io/metrics v0.35.0/go.mod h1:g2Up4dcBygZi2kQSEQVDByFs+VUwepJMzzQLJJLpq4M= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= +oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= +periph.io/x/host/v3 v3.8.5 h1:g4g5xE1XZtDiGl1UAJaUur1aT7uNiFLMkyMEiZ7IHII= +periph.io/x/host/v3 v3.8.5/go.mod h1:hPq8dISZIc+UNfWoRj+bPH3XEBQqJPdFdx218W92mdc= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= +sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= +sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= +sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8= +sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= +sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09/go.mod h1:n5AZlk9qPlp2JHChA4a4N/+lU3bJJ3X1Cig6VGQeqwE= +sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I= +sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM= +sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78= +sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po= +sigs.k8s.io/mcs-api v0.3.0 h1:LjRvgzjMrvO1904GP6XBJSnIX221DJMyQlZOYt9LAnM= +sigs.k8s.io/mcs-api v0.3.0/go.mod h1:zZ5CK8uS6HaLkxY4HqsmcBHfzHuNMrY2uJy8T7jffK4= +sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= +sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 h1:2WOzJpHUBVrrkDjU4KBT8n5LDcj824eX0I5UKcgeRUs= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/tools/make/lint.mk b/tools/make/lint.mk index 4cbfa90bd1..c4380e780d 100644 --- a/tools/make/lint.mk +++ b/tools/make/lint.mk @@ -20,7 +20,8 @@ GOLANGCI_LINT_FLAGS ?= lint: lint.golint lint.golint: @$(LOG_TARGET) - $(GO_TOOL) golangci-lint run $(GOLANGCI_LINT_FLAGS) --build-tags=$(LINT_BUILD_TAGS) --config=tools/linter/golangci-lint/.golangci.yml + $(GO_TOOL) golangci-lint run $(GOLANGCI_LINT_FLAGS) --build-tags=$(LINT_BUILD_TAGS) --config=$(ROOT_DIR)/tools/linter/golangci-lint/.golangci.yml + cd test && $(GO_TOOL) golangci-lint run $(GOLANGCI_LINT_FLAGS) --build-tags=$(LINT_BUILD_TAGS) --config=$(ROOT_DIR)/tools/linter/golangci-lint/.golangci.yml .PHONY: lint.kube-api-linter lint: lint.kube-api-linter From 14608dd3e50084a292462e3a1b60a91653eeacf8 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 3 Feb 2026 20:41:52 +0800 Subject: [PATCH 02/22] fix cel test Signed-off-by: zirain --- tools/make/golang.mk | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/make/golang.mk b/tools/make/golang.mk index 8a5e5ff748..0b906e3c83 100644 --- a/tools/make/golang.mk +++ b/tools/make/golang.mk @@ -76,9 +76,10 @@ go.test.cel: manifests # Run the CEL validation tests @$(LOG_TARGET) @for ver in $(ENVTEST_K8S_VERSIONS); do \ echo "Run CEL Validation on k8s $$ver"; \ - go clean -testcache; \ + pushd test; go clean -testcache; \ KUBEBUILDER_ASSETS="$$($(GO_TOOL) setup-envtest use $$ver -p path)" \ - go test ./test/cel-validation --tags celvalidation -race || exit 1; \ + go test ./cel-validation --tags celvalidation -race || exit 1; \ + popd; \ done .PHONY: go.test.benchmark From 17dd60bcb1d1aa1c0ac44c460418f13efb1236eb Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 10:31:58 +0800 Subject: [PATCH 03/22] fix e2e Signed-off-by: zirain --- internal/gatewayapi/xlistenerset.go | 3 +- test/e2e/tests/client_mtls.go | 71 ++++++----------- test/e2e/tests/http3.go | 8 +- test/e2e/tests/tlsroute_tls_termination.go | 88 +++------------------- test/e2e/tests/tlsroute_with_backend.go | 19 ++--- test/e2e/tests/xlistenerset.go | 27 ++----- test/e2e/utils/quic.go | 35 ++++----- test/go.mod | 10 ++- test/go.sum | 16 ++-- tools/make/kube.mk | 25 +++--- 10 files changed, 97 insertions(+), 205 deletions(-) diff --git a/internal/gatewayapi/xlistenerset.go b/internal/gatewayapi/xlistenerset.go index b0ca688627..fad84a5036 100644 --- a/internal/gatewayapi/xlistenerset.go +++ b/internal/gatewayapi/xlistenerset.go @@ -71,7 +71,6 @@ func (t *Translator) processXListenerSet(xls *gwapixv1a1.XListenerSet, gatewayMa // Initialize listener status conditions xls.Status.Listeners = append(xls.Status.Listeners, gwapixv1a1.ListenerEntryStatus{ Name: listener.Name, - Port: listener.Port, SupportedKinds: []gwapixv1a1.RouteGroupKind{}, AttachedRoutes: 0, Conditions: []metav1.Condition{}, @@ -80,7 +79,7 @@ func (t *Translator) processXListenerSet(xls *gwapixv1a1.XListenerSet, gatewayMa // Convert XListenerSet listener to Gateway listener for internal processing gwListener := &gwapiv1.Listener{ Name: listener.Name, - Port: listener.Port, + Port: gwapiv1.PortNumber(listener.Port), Protocol: listener.Protocol, TLS: listener.TLS, AllowedRoutes: listener.AllowedRoutes, diff --git a/test/e2e/tests/client_mtls.go b/test/e2e/tests/client_mtls.go index 6b25846561..4cb6f1002b 100644 --- a/test/e2e/tests/client_mtls.go +++ b/test/e2e/tests/client_mtls.go @@ -23,9 +23,8 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" - "sigs.k8s.io/gateway-api/conformance/utils/roundtripper" "sigs.k8s.io/gateway-api/conformance/utils/suite" - "sigs.k8s.io/gateway-api/conformance/utils/tlog" + tlsutils "sigs.k8s.io/gateway-api/conformance/utils/tls" "sigs.k8s.io/gateway-api/pkg/features" ) @@ -45,7 +44,6 @@ var ClientMTLSTest = suite.ConformanceTest{ gwNN := types.NamespacedName{Name: "client-mtls-gateway", Namespace: ns} gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gwapiv1.HTTPRoute{}, false, routeNN) kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{depNS}) - certNN := types.NamespacedName{Name: "client-mtls-certificate", Namespace: ns} expected := http.ExpectedResponse{ Request: http.Request{ @@ -67,16 +65,15 @@ var ClientMTLSTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - // This test uses the same key/cert pair as both a client cert and server cert // Both backend and client treat the self-signed cert as a trusted CA - cPem, keyPem, _, err := GetTLSSecret(suite.Client, certNN) + clientCertificate, clientCertificateKey, _, err := GetTLSSecret(suite.Client, types.NamespacedName{Name: "client-mtls-certificate", Namespace: ns}) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } - WaitForConsistentMTLSResponse(t, suite.RoundTripper, &req, &expected, suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, cPem, keyPem, "mtls.example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + gwAddr, clientCertificate, clientCertificate, clientCertificateKey, "mtls.example.com", expected) }) t.Run("Client TLS Settings Enforced", func(t *testing.T) { @@ -109,18 +106,17 @@ var ClientMTLSTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - // added but not used, as these are required by test utils when for SNI to be added - cPem, keyPem, _, err := GetTLSSecret(suite.Client, certNN) + clientCertificate, clientCertificateKey, _, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } - WaitForConsistentMTLSResponse(t, suite.RoundTripper, &req, &expected, suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, cPem, keyPem, serverName) + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + gwAddr, clientCertificate, clientCertificate, clientCertificateKey, serverName, expected) certPool := x509.NewCertPool() - if !certPool.AppendCertsFromPEM(cPem) { + if !certPool.AppendCertsFromPEM(clientCertificate) { t.Errorf("Error setting Root CAs: %v", err) } @@ -167,7 +163,6 @@ var ClientMTLSClusterTrustBundleTest = suite.ConformanceTest{ routeNN := types.NamespacedName{Name: "client-mtls-clustertrustbundle", Namespace: ns} gwNN := types.NamespacedName{Name: "client-mtls-clustertrustbundle", Namespace: ns} gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gwapiv1.HTTPRoute{}, false, routeNN) - certNN := types.NamespacedName{Name: "client-example-com", Namespace: ns} expected := http.ExpectedResponse{ Request: http.Request{ @@ -189,53 +184,29 @@ var ClientMTLSClusterTrustBundleTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - + serverCertificate, _, _, err := GetTLSSecret(suite.Client, types.NamespacedName{ + Name: "example-com-tls", + Namespace: ns, + }) + if err != nil { + t.Fatalf("unexpected error finding TLS secret: %v", err) + } // This test uses the same key/cert pair as both a client cert and server cert // Both backend and client treat the self-signed cert as a trusted CA - cPem, keyPem, caPem, err := GetTLSSecret(suite.Client, certNN) + clientCertificate, clientCertificateKey, _, err := GetTLSSecret(suite.Client, types.NamespacedName{ + Name: "client-example-com", + Namespace: ns, + }) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } - combined := string(cPem) + "\n" + string(caPem) - - WaitForConsistentMTLSResponse(t, suite.RoundTripper, &req, &expected, suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, - []byte(combined), keyPem, "www.example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + gwAddr, serverCertificate, clientCertificate, clientCertificateKey, "www.example.com", expected) }) }, } -func WaitForConsistentMTLSResponse(t *testing.T, r roundtripper.RoundTripper, req *roundtripper.Request, expected *http.ExpectedResponse, threshold int, maxTimeToConsistency time.Duration, cPem, keyPem []byte, server string) { - if req == nil { - t.Fatalf("request cannot be nil") - } - if expected == nil { - t.Fatalf("expected response cannot be nil") - } - - http.AwaitConvergence(t, threshold, maxTimeToConsistency, func(elapsed time.Duration) bool { - updatedReq := *req - updatedReq.KeyPem = keyPem - updatedReq.CertPem = cPem - updatedReq.Server = server - - cReq, cRes, err := r.CaptureRoundTrip(updatedReq) - if err != nil { - tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) - return false - } - - if err := http.CompareRoundTrip(t, &updatedReq, cReq, cRes, *expected); err != nil { - tlog.Logf(t, "Response expectation failed for request: %+v not ready yet: %v (after %v)", updatedReq, err, elapsed) - return false - } - - return true - }) - tlog.Logf(t, "Request passed") -} - // GetTLSSecret fetches the named Secret and converts both cert and key to []byte func GetTLSSecret(client client.Client, secretName types.NamespacedName) ([]byte, []byte, []byte, error) { var cert, key, ca []byte diff --git a/test/e2e/tests/http3.go b/test/e2e/tests/http3.go index f90e8b56f5..58f529e5d4 100644 --- a/test/e2e/tests/http3.go +++ b/test/e2e/tests/http3.go @@ -15,6 +15,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" + tlsutils "sigs.k8s.io/gateway-api/conformance/utils/tls" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" @@ -61,14 +62,13 @@ var HTTP3Test = suite.ConformanceTest{ Namespace: ConformanceInfraNamespace, } - cPem, keyPem, _, err := GetTLSSecret(suite.Client, types.NamespacedName{Name: secretName, Namespace: ConformanceInfraNamespace}) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, types.NamespacedName{Name: secretName, Namespace: ConformanceInfraNamespace}) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - WaitForConsistentMTLSResponse(t, quicRoundTripper, &req, &expected, suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, - cPem, keyPem, host) + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, quicRoundTripper, suite.TimeoutConfig, + gwAddr, serverCertificate, nil, nil, host, expected) } testHTTP3("foo.example.com", "foo-com-tls") diff --git a/test/e2e/tests/tlsroute_tls_termination.go b/test/e2e/tests/tlsroute_tls_termination.go index 3fea3fb2e9..b02a802b62 100644 --- a/test/e2e/tests/tlsroute_tls_termination.go +++ b/test/e2e/tests/tlsroute_tls_termination.go @@ -9,14 +9,12 @@ package tests import ( "testing" - "time" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" - "sigs.k8s.io/gateway-api/conformance/utils/roundtripper" "sigs.k8s.io/gateway-api/conformance/utils/suite" - "sigs.k8s.io/gateway-api/conformance/utils/tlog" + tlsutils "sigs.k8s.io/gateway-api/conformance/utils/tls" ) func init() { @@ -38,7 +36,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} - cPem, keyPem, caCertPem, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } @@ -54,20 +52,8 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - - // Use the CA cert to verify server certificate, cert is self-signed so it's also the CA - WaitForConsistentResponseWithCA( - t, - suite.RoundTripper, - &req, - &expected, - suite.TimeoutConfig.RequiredConsecutiveSuccesses, - suite.TimeoutConfig.MaxTimeToConsistency, - cPem, - keyPem, - caCertPem, - "foo.example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + gwAddr, serverCertificate, nil, nil, "foo.example.com", expected) }) t.Run("TLSRoute with TLS termination - route 2 (bar.example.com)", func(t *testing.T) { @@ -75,7 +61,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} - cPem, keyPem, caCertPem, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } @@ -91,19 +77,8 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - - WaitForConsistentResponseWithCA( - t, - suite.RoundTripper, - &req, - &expected, - suite.TimeoutConfig.RequiredConsecutiveSuccesses, - suite.TimeoutConfig.MaxTimeToConsistency, - cPem, - keyPem, - caCertPem, - "bar.example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + gwAddr, serverCertificate, nil, nil, "baz.example.com", expected) }) t.Run("TLSRoute with TLS termination - route 3 (baz.example.com)", func(t *testing.T) { @@ -111,7 +86,7 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN) certNN := types.NamespacedName{Name: "tls-termination-certificate", Namespace: ns} - cPem, keyPem, caCertPem, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } @@ -127,51 +102,8 @@ var TLSRouteTLSTerminationTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - - WaitForConsistentResponseWithCA( - t, - suite.RoundTripper, - &req, - &expected, - suite.TimeoutConfig.RequiredConsecutiveSuccesses, - suite.TimeoutConfig.MaxTimeToConsistency, - cPem, - keyPem, - caCertPem, - "baz.example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + gwAddr, serverCertificate, nil, nil, "baz.example.com", expected) }) }, } - -// WaitForConsistentResponseWithCA makes requests with TLS using a CA certificate to verify the server -func WaitForConsistentResponseWithCA(t *testing.T, r roundtripper.RoundTripper, req *roundtripper.Request, expected *http.ExpectedResponse, threshold int, maxTimeToConsistency time.Duration, _, keyPem, caCertPem []byte, serverName string) { - if req == nil { - t.Fatalf("request cannot be nil") - } - if expected == nil { - t.Fatalf("expected response cannot be nil") - } - - http.AwaitConvergence(t, threshold, maxTimeToConsistency, func(elapsed time.Duration) bool { - updatedReq := *req - updatedReq.Server = serverName - // Use the certificate and key for TLS setup, CA cert for validation (self-signed cert) - updatedReq.CertPem = caCertPem - updatedReq.KeyPem = keyPem - - cReq, cRes, err := r.CaptureRoundTrip(updatedReq) - if err != nil { - tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) - return false - } - - if err := http.CompareRoundTrip(t, &updatedReq, cReq, cRes, *expected); err != nil { - tlog.Logf(t, "Response expectation failed for request: %+v not ready yet: %v (after %v)", updatedReq, err, elapsed) - return false - } - - return true - }) - tlog.Logf(t, "Request passed") -} diff --git a/test/e2e/tests/tlsroute_with_backend.go b/test/e2e/tests/tlsroute_with_backend.go index 2ca0821d7d..0a7866bdfd 100644 --- a/test/e2e/tests/tlsroute_with_backend.go +++ b/test/e2e/tests/tlsroute_with_backend.go @@ -14,6 +14,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" + tlsutils "sigs.k8s.io/gateway-api/conformance/utils/tls" ) func init() { @@ -21,7 +22,7 @@ func init() { } var TLSRouteBackendFQDNTest = suite.ConformanceTest{ - ShortName: "TLSRouteBackendFQDNTest", + ShortName: "TLSRouteBackendFQDN", Description: "TLSRoutes with a backend ref to a Backend", Manifests: []string{ "testdata/tlsroute-to-backend-fqdn.yaml", @@ -86,23 +87,13 @@ func testTLSRouteWithBackend(t *testing.T, suite *suite.ConformanceTestSuite, ro Namespace: ns, } - req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") - // This test uses the same key/cert pair as both a client cert and server cert // Both backend and client treat the self-signed cert as a trusted CA - cPem, keyPem, _, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, certNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } - WaitForConsistentMTLSResponse( - t, - suite.RoundTripper, - &req, - &expected, - suite.TimeoutConfig.RequiredConsecutiveSuccesses, - suite.TimeoutConfig.MaxTimeToConsistency, - cPem, - keyPem, - "example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + gwAddr, serverCertificate, nil, nil, "example.com", expected) } diff --git a/test/e2e/tests/xlistenerset.go b/test/e2e/tests/xlistenerset.go index 7333b9ede3..28c79887da 100644 --- a/test/e2e/tests/xlistenerset.go +++ b/test/e2e/tests/xlistenerset.go @@ -30,6 +30,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" + tlsutils "sigs.k8s.io/gateway-api/conformance/utils/tls" gatewayapi "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" @@ -145,19 +146,17 @@ var XListenerSetHTTPSTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, listenerAddr, "HTTPS", "https") - certNN := types.NamespacedName{Name: "xlistener-https-certificate", Namespace: ns} - cPem, keyPem, caPem, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, caPem, err := GetTLSSecret(suite.Client, certNN) require.NoError(t, err) - combined := string(cPem) + combined := string(serverCertificate) if len(caPem) > 0 { combined += "\n" + string(caPem) } - WaitForConsistentMTLSResponse(t, suite.RoundTripper, &req, &expected, suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, - []byte(combined), keyPem, "www.example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + listenerAddr, serverCertificate, nil, nil, "www.example.com", expected) }, } @@ -304,22 +303,12 @@ var XListenerSetTLSPassthroughTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, listenerAddr, "HTTPS", "https") - certNN := types.NamespacedName{Name: "backend-tls-certificate", Namespace: ns} - cPem, keyPem, _, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, certNN) require.NoError(t, err) - WaitForConsistentMTLSResponse( - t, - suite.RoundTripper, - &req, - &expected, - suite.TimeoutConfig.RequiredConsecutiveSuccesses, - suite.TimeoutConfig.MaxTimeToConsistency, - cPem, - keyPem, - "example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + listenerAddr, serverCertificate, nil, nil, "example.com", expected) }, } diff --git a/test/e2e/utils/quic.go b/test/e2e/utils/quic.go index b7dc8469e1..9dc9166f37 100644 --- a/test/e2e/utils/quic.go +++ b/test/e2e/utils/quic.go @@ -14,6 +14,7 @@ import ( "crypto/tls" "crypto/x509" "encoding/json" + "errors" "fmt" "io" "net/http" @@ -47,42 +48,38 @@ func (q *QuicRoundTripper) CaptureRoundTrip(request roundtripper.Request) (*roun transport := &http3.Transport{ TLSClientConfig: tlsConfig, } - if request.Server != "" && len(request.CertPem) != 0 && len(request.KeyPem) != 0 { - clientTLS, err := tlsClientConfig(request.Server, request.CertPem, request.KeyPem) + if request.Protocol == roundtripper.HTTPSProtocol { + tlsConfig, err := createTLSClientConfig(&request) if err != nil { return nil, nil, err } - transport.TLSClientConfig = clientTLS + transport.TLSClientConfig = tlsConfig } return q.defaultRoundTrip(&request, transport) } -func tlsClientConfig(server string, certPem, keyPem []byte) (*tls.Config, error) { - // Create a certificate from the provided cert and key - cert, err := tls.X509KeyPair(certPem, keyPem) - if err != nil { - return nil, fmt.Errorf("unexpected error creating cert: %w", err) +func createTLSClientConfig(request *roundtripper.Request) (*tls.Config, error) { + if request.ServerName == "" { + return nil, errors.New("https request has no server name configured") } - - // Add the provided cert as a trusted CA - certPool := x509.NewCertPool() - if !certPool.AppendCertsFromPEM(certPem) { - return nil, fmt.Errorf("unexpected error adding trusted CA: %w", err) + if len(request.ServerCertificate) == 0 { + return nil, errors.New("https request has no trusted certificates configured") } - if server == "" { - return nil, fmt.Errorf("unexpected error, server name required for TLS") + rootCAs := x509.NewCertPool() + if !rootCAs.AppendCertsFromPEM(request.ServerCertificate) { + return nil, errors.New("unexpected error adding trusted certificates failed") } // Create the tls Config for this provided host, cert, and trusted CA // Disable G402: TLS MinVersion too low. (gosec) + // Use GetClientCertificate hook for testing purposes. // #nosec G402 return &tls.Config{ - Certificates: []tls.Certificate{cert}, - ServerName: server, - RootCAs: certPool, - NextProtos: []string{"h3"}, // Required for HTTP/3 + ServerName: request.ServerName, + RootCAs: rootCAs, + GetClientCertificate: request.GetClientCertificateHook, }, nil } diff --git a/test/go.mod b/test/go.mod index 6e29ddcc4a..a383f5a16c 100644 --- a/test/go.mod +++ b/test/go.mod @@ -4,12 +4,18 @@ go 1.25.6 replace github.com/envoyproxy/gateway => ../ +// TODO: remove this when https://github.com/kubernetes-sigs/gateway-api/pull/4479 merged +replace sigs.k8s.io/gateway-api/conformance => github.com/zirain-dev/gateway-api/conformance v0.0.0-20260203110540-f9f400104e9c + +// TODO: remove this when v1.5.0 is released +replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378 + require ( fortio.org/fortio v1.73.2 fortio.org/log v1.18.3 github.com/andybalholm/brotli v1.2.0 github.com/docker/docker v28.5.1+incompatible - github.com/envoyproxy/gateway v0.0.0-000000000000-000000000000 + github.com/envoyproxy/gateway v0.0.0-00010101000000-000000000000 github.com/go-logfmt/logfmt v0.6.1 github.com/google/go-cmp v0.7.0 github.com/google/go-containerregistry v0.20.6 @@ -35,6 +41,7 @@ require ( k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 sigs.k8s.io/controller-runtime v0.23.1 sigs.k8s.io/gateway-api v1.4.1 + sigs.k8s.io/gateway-api/conformance v0.0.0-20260203001228-5643ebfba378 sigs.k8s.io/yaml v1.6.0 ) @@ -97,6 +104,7 @@ require ( github.com/docker/go-units v0.5.0 // indirect github.com/dominikbraun/graph v0.23.0 // indirect github.com/ebitengine/purego v0.9.1 // indirect + github.com/eclipse/paho.mqtt.golang v1.5.1 // indirect github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/envoyproxy/go-control-plane v0.14.0 // indirect github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 // indirect diff --git a/test/go.sum b/test/go.sum index fc4cc60194..cfa2eebc34 100644 --- a/test/go.sum +++ b/test/go.sum @@ -159,6 +159,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A= github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ= +github.com/eclipse/paho.mqtt.golang v1.5.1 h1:/VSOv3oDLlpqR2Epjn1Q7b2bSTplJIeV2ISgCl2W7nE= +github.com/eclipse/paho.mqtt.golang v1.5.1/go.mod h1:1/yJCneuyOoCOzKSsOTUc0AJfpsItBGWvYpBLimhArU= github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA= @@ -296,8 +298,8 @@ github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCj github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18= -github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= +github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY= +github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -471,8 +473,8 @@ github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042 github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= -github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= +github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM= +github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= @@ -617,6 +619,8 @@ github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +github.com/zirain-dev/gateway-api/conformance v0.0.0-20260203110540-f9f400104e9c h1:Zo3jFrFE1ORYERW81IU9dK5sEMxRylvrgewmcAi+OSA= +github.com/zirain-dev/gateway-api/conformance v0.0.0-20260203110540-f9f400104e9c/go.mod h1:AHlHi1iWaoOQvo+ASsW2tuBknnXqnlM+zGObXprAymQ= go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo= go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E= go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA= @@ -836,8 +840,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUo sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= -sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8= -sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378 h1:N/4i0wNDIPE57e0pBKBm5HH3BQfa1q1N1qvkfutDPsk= +sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378/go.mod h1:Y5zI1i67c8iSB6AqTCJSvPgKC0xf1Qt0/akYEh4OwRI= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= diff --git a/tools/make/kube.mk b/tools/make/kube.mk index dc54dfd726..973eb272e5 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -293,23 +293,24 @@ setup-mac-net-connect: .PHONY: run-e2e run-e2e: ## Run e2e tests @$(LOG_TARGET) + ifeq ($(E2E_RUN_TEST),) - go test $(E2E_TEST_ARGS) ./test/e2e $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --cleanup-base-resources=false $(E2E_REDIRECT) - go test $(E2E_TEST_ARGS) ./test/e2e/merge_gateways $(E2E_TEST_SUITE_ARGS) --gateway-class=merge-gateways --cleanup-base-resources=false - go test $(E2E_TEST_ARGS) ./test/e2e/multiple_gc $(E2E_TEST_SUITE_ARGS) --cleanup-base-resources=true - LAST_VERSION_TAG=$(shell cat VERSION) go test $(E2E_TEST_ARGS) ./test/e2e/upgrade $(E2E_TEST_SUITE_ARGS) --gateway-class=upgrade --cleanup-base-resources=$(E2E_CLEANUP) + cd test/ && go test $(E2E_TEST_ARGS) ./e2e $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --cleanup-base-resources=false $(E2E_REDIRECT) + cd test/ && go test $(E2E_TEST_ARGS) ./e2e/merge_gateways $(E2E_TEST_SUITE_ARGS) --gateway-class=merge-gateways --cleanup-base-resources=false + cd test/ && go test $(E2E_TEST_ARGS) ./e2e/multiple_gc $(E2E_TEST_SUITE_ARGS) --cleanup-base-resources=true + cd test/ && LAST_VERSION_TAG=$(shell cat VERSION) go test $(E2E_TEST_ARGS) ./e2e/upgrade $(E2E_TEST_SUITE_ARGS) --gateway-class=upgrade --cleanup-base-resources=$(E2E_CLEANUP) else - go test $(E2E_TEST_ARGS) ./test/e2e $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --cleanup-base-resources=$(E2E_CLEANUP) \ + cd test/ && go test $(E2E_TEST_ARGS) ./e2e $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --cleanup-base-resources=$(E2E_CLEANUP) \ --run-test $(E2E_RUN_TEST) $(E2E_REDIRECT) endif run-e2e-upgrade: - go test $(E2E_TEST_ARGS) ./test/e2e/upgrade $(E2E_TEST_SUITE_ARGS) --gateway-class=upgrade --cleanup-base-resources=$(E2E_CLEANUP) + cd test && go test $(E2E_TEST_ARGS) ./e2e/upgrade $(E2E_TEST_SUITE_ARGS) --gateway-class=upgrade --cleanup-base-resources=$(E2E_CLEANUP) .PHONY: run-resilience run-resilience: ## Run resilience tests @$(LOG_TARGET) - go test -v -tags resilience ./test/resilience --gateway-class=envoy-gateway + cd test && go test -v -tags resilience ./resilience --gateway-class=envoy-gateway .PHONY: run-benchmark run-benchmark: install-benchmark-server prepare-ip-family ## Run benchmark tests @@ -318,7 +319,7 @@ run-benchmark: install-benchmark-server prepare-ip-family ## Run benchmark tests kubectl wait --timeout=$(WAIT_TIMEOUT) -n benchmark-test deployment/nighthawk-test-server --for=condition=Available kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available kubectl apply -f test/benchmark/config/gatewayclass.yaml - go test -v -tags benchmark -timeout $(BENCHMARK_TIMEOUT) ./test/benchmark --baseline-rps=$(BENCHMARK_BASELINE_RPS) --connections=$(BENCHMARK_CONNECTIONS) --duration=$(BENCHMARK_DURATION) --report-save-dir=$(BENCHMARK_REPORT_DIR) + cd test && go test -v -tags benchmark -timeout $(BENCHMARK_TIMEOUT) ./benchmark --baseline-rps=$(BENCHMARK_BASELINE_RPS) --connections=$(BENCHMARK_CONNECTIONS) --duration=$(BENCHMARK_DURATION) --report-save-dir=$(BENCHMARK_REPORT_DIR) # render benchmark profiles into image @if [ "$(BENCHMARK_RENDER_PNG)" != "false" ]; then dot -V; fi @if [ "$(BENCHMARK_RENDER_PNG)" != "false" ]; then find test/benchmark/$(BENCHMARK_REPORT_DIR)/profiles -name "*.pprof" -type f -exec sh -c 'go tool pprof -png "$$1" > "$$${1%.pprof}.png"' _ {} \; ; fi @@ -373,9 +374,9 @@ run-conformance: prepare-ip-family ## Run Gateway API conformance. kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available kubectl apply -f test/config/gatewayclass.yaml ifeq ($(CONFORMANCE_RUN_TEST),) - go test $(CONFORMANCE_TEST_ARGS) ./test/conformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway $(E2E_REDIRECT) + cd test && go test $(CONFORMANCE_TEST_ARGS) ./conformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway $(E2E_REDIRECT) else - go test $(CONFORMANCE_TEST_ARGS) ./test/conformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --run-test $(CONFORMANCE_RUN_TEST) $(E2E_REDIRECT) + cd test && go test $(CONFORMANCE_TEST_ARGS) ./conformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --run-test $(CONFORMANCE_RUN_TEST) $(E2E_REDIRECT) endif CONFORMANCE_REPORT_PATH ?= @@ -386,13 +387,13 @@ run-experimental-conformance: prepare-ip-family ## Run Experimental Gateway API kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available kubectl apply -f test/config/gatewayclass.yaml ifeq ($(CONFORMANCE_RUN_TEST),) - go test $(EXPERIMENTAL_CONFORMANCE_TEST_ARGS) ./test/conformance -run TestExperimentalConformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway \ + cd test && go test $(EXPERIMENTAL_CONFORMANCE_TEST_ARGS) ./conformance -run TestExperimentalConformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway \ --organization=envoyproxy --project=envoy-gateway --url=https://github.com/envoyproxy/gateway --version=latest \ --report-output="$(CONFORMANCE_REPORT_PATH)" --contact=https://github.com/envoyproxy/gateway/blob/main/GOVERNANCE.md \ --mode="$(KUBE_DEPLOY_PROFILE)" --version=$(TAG) else # we didn't care about output when running single test - go test $(EXPERIMENTAL_CONFORMANCE_TEST_ARGS) ./test/conformance -run TestExperimentalConformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --run-test $(CONFORMANCE_RUN_TEST) + cd test && go test $(EXPERIMENTAL_CONFORMANCE_TEST_ARGS) ./conformance -run TestExperimentalConformance $(E2E_TEST_SUITE_ARGS) --gateway-class=envoy-gateway --run-test $(CONFORMANCE_RUN_TEST) endif From 8dba4de56279605e9a4c1fee670e3072e143761e Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 10:58:01 +0800 Subject: [PATCH 04/22] fix gen Signed-off-by: zirain --- .../xlistenerset-conflict-listeners.out.yaml | 12 ++++++------ .../testdata/xlistenerset-cross-namespace.out.yaml | 2 +- .../testdata/xlistenerset-grpcroute.out.yaml | 4 ++-- .../testdata/xlistenerset-httproute.out.yaml | 4 ++-- .../testdata/xlistenerset-invalid.out.yaml | 8 ++++---- .../xlistenerset-no-maching-listener.out.yaml | 2 +- .../testdata/xlistenerset-tcproute.out.yaml | 2 +- .../testdata/xlistenerset-tlsroute.out.yaml | 4 ++-- .../testdata/xlistenerset-udproute.out.yaml | 2 +- internal/gatewayapi/xlistenerset.go | 2 +- 10 files changed, 21 insertions(+), 21 deletions(-) diff --git a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml index 3e789adc66..92a1d49369 100644 --- a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml @@ -159,7 +159,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener-1 - port: 8089 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -183,7 +183,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener-2 - port: 8089 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -243,7 +243,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener - port: 8089 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -267,7 +267,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: good-listener - port: 8090 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -327,7 +327,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener - port: 8888 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -351,7 +351,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: good-listener - port: 8091 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml b/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml index 832850bc80..2c4953143f 100644 --- a/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml @@ -199,7 +199,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: cross-http-allowed - port: 8083 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml index 796d1225c7..305f190236 100644 --- a/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml @@ -227,7 +227,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: grpc-listener - port: 8081 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -281,7 +281,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: grpc-listener - port: 8082 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml index 740bf889b0..4100cc1373 100644 --- a/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml @@ -269,7 +269,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-http-one - port: 8081 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -293,7 +293,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-http-two - port: 8082 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml b/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml index 99b8af9ccf..224ef50568 100644 --- a/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml @@ -269,7 +269,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: invalid-one - port: 8085 + port: 0 supportedKinds: [] - attachedRoutes: 0 conditions: @@ -289,7 +289,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: invalid-two - port: 8086 + port: 0 supportedKinds: [] - apiVersion: gateway.networking.x-k8s.io/v1alpha1 kind: XListenerSet @@ -345,7 +345,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: mixed-valid - port: 8087 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -369,7 +369,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: mixed-invalid - port: 8088 + port: 0 supportedKinds: [] xdsIR: gateway-xls/composite-gateway: diff --git a/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml b/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml index 3d41e02130..7211e369df 100644 --- a/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml @@ -222,7 +222,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: listener-1 - port: 8089 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml index 010aeb7904..c4c6fcb193 100644 --- a/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml @@ -159,7 +159,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-tcp - port: 8089 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml index 3de58fdc97..1ec7983522 100644 --- a/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml @@ -220,7 +220,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-tls-passthrough - port: 8443 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: TLSRoute @@ -242,7 +242,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-tls-terminate - port: 9443 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: TLSRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml index 862e70b27d..8316a7b197 100644 --- a/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml @@ -159,7 +159,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-udp - port: 8162 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: UDPRoute diff --git a/internal/gatewayapi/xlistenerset.go b/internal/gatewayapi/xlistenerset.go index fad84a5036..c01f0248f8 100644 --- a/internal/gatewayapi/xlistenerset.go +++ b/internal/gatewayapi/xlistenerset.go @@ -79,7 +79,7 @@ func (t *Translator) processXListenerSet(xls *gwapixv1a1.XListenerSet, gatewayMa // Convert XListenerSet listener to Gateway listener for internal processing gwListener := &gwapiv1.Listener{ Name: listener.Name, - Port: gwapiv1.PortNumber(listener.Port), + Port: listener.Port, Protocol: listener.Protocol, TLS: listener.TLS, AllowedRoutes: listener.AllowedRoutes, From 0b10f57024e8d338153b3e503182ad5300655572 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 11:15:07 +0800 Subject: [PATCH 05/22] fix lint and gen Signed-off-by: zirain --- internal/gatewayapi/xlistenerset.go | 2 +- test/e2e/tests/xlistenerset.go | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/internal/gatewayapi/xlistenerset.go b/internal/gatewayapi/xlistenerset.go index c01f0248f8..65466b4c7f 100644 --- a/internal/gatewayapi/xlistenerset.go +++ b/internal/gatewayapi/xlistenerset.go @@ -79,7 +79,7 @@ func (t *Translator) processXListenerSet(xls *gwapixv1a1.XListenerSet, gatewayMa // Convert XListenerSet listener to Gateway listener for internal processing gwListener := &gwapiv1.Listener{ Name: listener.Name, - Port: listener.Port, + Port: gwapiv1.PortNumber(listener.Port), //nolint Protocol: listener.Protocol, TLS: listener.TLS, AllowedRoutes: listener.AllowedRoutes, diff --git a/test/e2e/tests/xlistenerset.go b/test/e2e/tests/xlistenerset.go index 28c79887da..8550f506e5 100644 --- a/test/e2e/tests/xlistenerset.go +++ b/test/e2e/tests/xlistenerset.go @@ -147,14 +147,9 @@ var XListenerSetHTTPSTest = suite.ConformanceTest{ } certNN := types.NamespacedName{Name: "xlistener-https-certificate", Namespace: ns} - serverCertificate, _, caPem, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, certNN) require.NoError(t, err) - combined := string(serverCertificate) - if len(caPem) > 0 { - combined += "\n" + string(caPem) - } - tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, listenerAddr, serverCertificate, nil, nil, "www.example.com", expected) }, From d763576895d8946be41e113086abeefe162bd516 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 14:02:52 +0800 Subject: [PATCH 06/22] fix test Signed-off-by: zirain --- internal/gatewayapi/status/gatewayclass.go | 43 --------- .../gatewayapi/status/gatewayclass_test.go | 95 ------------------- test/conformance/conformance_test.go | 3 +- .../experimental_conformance_test.go | 3 +- .../gatewayapi => test}/conformance/suite.go | 1 + .../conformance/support_level.go | 0 test/e2e/tests/client_mtls.go | 5 +- 7 files changed, 5 insertions(+), 145 deletions(-) rename {internal/gatewayapi => test}/conformance/suite.go (98%) rename {internal/gatewayapi => test}/conformance/support_level.go (100%) diff --git a/internal/gatewayapi/status/gatewayclass.go b/internal/gatewayapi/status/gatewayclass.go index 28e2e7b6b7..2571ee0acc 100644 --- a/internal/gatewayapi/status/gatewayclass.go +++ b/internal/gatewayapi/status/gatewayclass.go @@ -15,12 +15,7 @@ package status import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/sets" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - "sigs.k8s.io/gateway-api/conformance/utils/suite" - "sigs.k8s.io/gateway-api/pkg/features" - - "github.com/envoyproxy/gateway/internal/gatewayapi/conformance" ) const ( @@ -65,41 +60,3 @@ func computeGatewayClassAcceptedCondition(gatewayClass *gwapiv1.GatewayClass, } } } - -func getSupportedFeatures(gatewaySuite *suite.ConformanceOptions, skippedTests []suite.ConformanceTest) []gwapiv1.SupportedFeature { - supportedFeatures := gatewaySuite.SupportedFeatures.Clone() - unsupportedFeatures := getUnsupportedFeatures(gatewaySuite, skippedTests) - supportedFeatures.Delete(unsupportedFeatures...) - - ret := sets.New[gwapiv1.SupportedFeature]() - for _, feature := range supportedFeatures.UnsortedList() { - ret.Insert(gwapiv1.SupportedFeature{ - Name: gwapiv1.FeatureName(feature), - }) - } - - featureList := make([]gwapiv1.SupportedFeature, 0, len(ret)) - for feature := range ret { - featureList = append(featureList, feature) - } - return featureList -} - -func getUnsupportedFeatures(gatewaySuite *suite.ConformanceOptions, skippedTests []suite.ConformanceTest) []features.FeatureName { - unsupportedFeatures := gatewaySuite.ExemptFeatures.UnsortedList() - - for _, skippedTest := range skippedTests { - switch conformance.GetTestSupportLevel(&skippedTest) { - case conformance.Core: - unsupportedFeatures = append(unsupportedFeatures, skippedTest.Features...) - case conformance.Extended: - for _, feature := range skippedTest.Features { - if conformance.GetFeatureSupportLevel(feature) == conformance.Extended { - unsupportedFeatures = append(unsupportedFeatures, feature) - } - } - } - } - - return unsupportedFeatures -} diff --git a/internal/gatewayapi/status/gatewayclass_test.go b/internal/gatewayapi/status/gatewayclass_test.go index 5aa7412ac1..7b845408ec 100644 --- a/internal/gatewayapi/status/gatewayclass_test.go +++ b/internal/gatewayapi/status/gatewayclass_test.go @@ -10,10 +10,7 @@ import ( "github.com/stretchr/testify/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/sets" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - "sigs.k8s.io/gateway-api/conformance/utils/suite" - "sigs.k8s.io/gateway-api/pkg/features" ) func TestComputeGatewayClassAcceptedCondition(t *testing.T) { @@ -69,95 +66,3 @@ func TestComputeGatewayClassAcceptedCondition(t *testing.T) { assert.Equal(t, gc.Generation, got.ObservedGeneration) } } - -func TestGetSupportedFeatures(t *testing.T) { - testCases := []struct { - name string - gatewaySuite suite.ConformanceOptions - skippedTests []suite.ConformanceTest - expectedResult []gwapiv1.SupportedFeature - }{ - { - name: "No exempt features", - gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), - ExemptFeatures: sets.New[features.FeatureName](), - }, - expectedResult: []gwapiv1.SupportedFeature{ - {Name: "Gateway"}, - {Name: "HTTPRoute"}, - }, - }, - { - name: "All features exempt", - gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), - ExemptFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), - }, - expectedResult: []gwapiv1.SupportedFeature{}, - }, - { - name: "Some features exempt", - gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GRPCRoute"), - ExemptFeatures: sets.New[features.FeatureName]("GRPCRoute"), - }, - expectedResult: []gwapiv1.SupportedFeature{ - {Name: "Gateway"}, - {Name: "HTTPRoute"}, - }, - }, - { - name: "Some features exempt with skipped tests", - gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GRPCRoute"), - ExemptFeatures: sets.New[features.FeatureName]("GRPCRoute"), - }, - skippedTests: []suite.ConformanceTest{ - { - Features: []features.FeatureName{"HTTPRoute"}, - }, - }, - expectedResult: []gwapiv1.SupportedFeature{ - {Name: "Gateway"}, - }, - }, - { - name: "Core features remain supported with skipped extended tests", - gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GatewayHTTPListenerIsolation"), - }, - skippedTests: []suite.ConformanceTest{ - { - Features: []features.FeatureName{"Gateway", "GatewayHTTPListenerIsolation", "HTTPRoute"}, - }, - }, - expectedResult: []gwapiv1.SupportedFeature{ - {Name: "Gateway"}, - {Name: "HTTPRoute"}, - }, - }, - { - name: "Core feature removed when skipping core test", - gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), - }, - skippedTests: []suite.ConformanceTest{ - { - Features: []features.FeatureName{"HTTPRoute"}, - }, - }, - expectedResult: []gwapiv1.SupportedFeature{ - {Name: "Gateway"}, - }, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - result := getSupportedFeatures(&tc.gatewaySuite, tc.skippedTests) - - assert.ElementsMatch(t, tc.expectedResult, result, "The result should match the expected output for the test case.") - }) - } -} diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index e68f548bae..8dfd4a999f 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -20,7 +20,6 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" - internalconf "github.com/envoyproxy/gateway/internal/gatewayapi/conformance" "github.com/envoyproxy/gateway/test/e2e" ege2etest "github.com/envoyproxy/gateway/test/e2e/tests" ) @@ -38,7 +37,7 @@ func TestGatewayAPIConformance(t *testing.T) { } gatewayNamespaceMode := ege2etest.IsGatewayNamespaceMode() - internalSuite := internalconf.EnvoyGatewaySuite(gatewayNamespaceMode) + internalSuite := EnvoyGatewaySuite(gatewayNamespaceMode) opts := conformance.DefaultOptions(t) opts.SkipTests = internalSuite.SkipTests diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go index f42fc3be39..ad836d7b1c 100644 --- a/test/conformance/experimental_conformance_test.go +++ b/test/conformance/experimental_conformance_test.go @@ -23,7 +23,6 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/yaml" - internalconf "github.com/envoyproxy/gateway/internal/gatewayapi/conformance" "github.com/envoyproxy/gateway/test/e2e" ege2etest "github.com/envoyproxy/gateway/test/e2e/tests" ) @@ -32,7 +31,7 @@ func TestExperimentalConformance(t *testing.T) { flag.Parse() log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) - internalSuite := internalconf.EnvoyGatewaySuite(ege2etest.IsGatewayNamespaceMode()) + internalSuite := EnvoyGatewaySuite(ege2etest.IsGatewayNamespaceMode()) opts := conformance.DefaultOptions(t) opts.SkipTests = internalSuite.SkipTests diff --git a/internal/gatewayapi/conformance/suite.go b/test/conformance/suite.go similarity index 98% rename from internal/gatewayapi/conformance/suite.go rename to test/conformance/suite.go index e5e0b28d6d..79074ef77d 100644 --- a/internal/gatewayapi/conformance/suite.go +++ b/test/conformance/suite.go @@ -36,6 +36,7 @@ func SkipFeatures(gatewayNamespaceMode bool) sets.Set[features.FeatureName] { return sets.New( features.GatewayStaticAddressesFeature.Name, features.GatewayInfrastructurePropagationFeature.Name, + features.GatewayListenerSetFeature.Name, ) } diff --git a/internal/gatewayapi/conformance/support_level.go b/test/conformance/support_level.go similarity index 100% rename from internal/gatewayapi/conformance/support_level.go rename to test/conformance/support_level.go diff --git a/test/e2e/tests/client_mtls.go b/test/e2e/tests/client_mtls.go index 4cb6f1002b..bdcbdb49b1 100644 --- a/test/e2e/tests/client_mtls.go +++ b/test/e2e/tests/client_mtls.go @@ -82,7 +82,6 @@ var ClientMTLSTest = suite.ConformanceTest{ routeNN := types.NamespacedName{Name: "http-client-tls-settings", Namespace: ns} gwNN := types.NamespacedName{Name: "client-mtls-gateway", Namespace: ns} gwHost := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gwapiv1.HTTPRoute{}, false, routeNN) - certNN := types.NamespacedName{Name: "client-tls-settings-certificate", Namespace: ns} kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{depNS}) gwAddr := net.JoinHostPort(gwHost, "443") @@ -107,13 +106,13 @@ var ClientMTLSTest = suite.ConformanceTest{ } // added but not used, as these are required by test utils when for SNI to be added - clientCertificate, clientCertificateKey, _, err := GetTLSSecret(suite.Client, certNN) + clientCertificate, _, _, err := GetTLSSecret(suite.Client, types.NamespacedName{Name: "client-tls-settings-certificate", Namespace: ns}) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, - gwAddr, clientCertificate, clientCertificate, clientCertificateKey, serverName, expected) + gwAddr, clientCertificate, nil, nil, serverName, expected) certPool := x509.NewCertPool() if !certPool.AppendCertsFromPEM(clientCertificate) { From 988acaab28a9f71787cb89119892ad66bb69956e Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 14:22:02 +0800 Subject: [PATCH 07/22] revert Signed-off-by: zirain --- test/e2e/e2e_test.go | 1 - test/e2e/tests/accesslog.go | 2 -- test/go.mod | 3 --- test/go.sum | 4 ++-- 4 files changed, 2 insertions(+), 8 deletions(-) diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 434f38453f..b699e11ec1 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -92,7 +92,6 @@ func TestE2E(t *testing.T) { SkipTests: skipTests, AllowCRDsMismatch: *flags.AllowCRDsMismatch, Hook: Hook, - // FailFast: true, }) if err != nil { t.Fatalf("Failed to create ConformanceTestSuite: %v", err) diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index eab59dbbcd..18b0bc21e2 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go @@ -39,8 +39,6 @@ var FileAccessLogTest = suite.ConformanceTest{ } match := "test-annotation-value" - // t.Fatalf("test fail fast") - t.Run("Positive", func(t *testing.T) { ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "accesslog-file", Namespace: ns} diff --git a/test/go.mod b/test/go.mod index a383f5a16c..e5565a447e 100644 --- a/test/go.mod +++ b/test/go.mod @@ -4,9 +4,6 @@ go 1.25.6 replace github.com/envoyproxy/gateway => ../ -// TODO: remove this when https://github.com/kubernetes-sigs/gateway-api/pull/4479 merged -replace sigs.k8s.io/gateway-api/conformance => github.com/zirain-dev/gateway-api/conformance v0.0.0-20260203110540-f9f400104e9c - // TODO: remove this when v1.5.0 is released replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378 diff --git a/test/go.sum b/test/go.sum index cfa2eebc34..e8f1f19518 100644 --- a/test/go.sum +++ b/test/go.sum @@ -619,8 +619,6 @@ github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= -github.com/zirain-dev/gateway-api/conformance v0.0.0-20260203110540-f9f400104e9c h1:Zo3jFrFE1ORYERW81IU9dK5sEMxRylvrgewmcAi+OSA= -github.com/zirain-dev/gateway-api/conformance v0.0.0-20260203110540-f9f400104e9c/go.mod h1:AHlHi1iWaoOQvo+ASsW2tuBknnXqnlM+zGObXprAymQ= go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo= go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E= go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA= @@ -842,6 +840,8 @@ sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378 h1:N/4i0wNDIPE57e0pBKBm5HH3BQfa1q1N1qvkfutDPsk= sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378/go.mod h1:Y5zI1i67c8iSB6AqTCJSvPgKC0xf1Qt0/akYEh4OwRI= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260203001228-5643ebfba378 h1:2vorxizmv80iVLpZOokcbAbOkglOtLeIRIMf9NNS548= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260203001228-5643ebfba378/go.mod h1:AHlHi1iWaoOQvo+ASsW2tuBknnXqnlM+zGObXprAymQ= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= From 37ca6427c2bcbe7702a3130693482985074f2c0f Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 15:39:24 +0800 Subject: [PATCH 08/22] skip ListenerSet Signed-off-by: zirain --- test/conformance/suite.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/conformance/suite.go b/test/conformance/suite.go index 79074ef77d..2f8843acb0 100644 --- a/test/conformance/suite.go +++ b/test/conformance/suite.go @@ -16,6 +16,11 @@ import ( func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { skipTests := []suite.ConformanceTest{ tests.GatewayStaticAddresses, + tests.ListenerSetCrossNamespace, + tests.ListenerSetHostnameConflict, + tests.ListenerSetNotAllowed, + tests.ListenerSetProtocolConflict, + tests.ListenerSetSameNamespace, } if gatewayNamespaceMode { From add951779fcf47120dac571ae7f4b50d15f807b1 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 16:09:07 +0800 Subject: [PATCH 09/22] skip more Signed-off-by: zirain --- test/conformance/suite.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/conformance/suite.go b/test/conformance/suite.go index 2f8843acb0..be86d37f07 100644 --- a/test/conformance/suite.go +++ b/test/conformance/suite.go @@ -21,6 +21,7 @@ func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { tests.ListenerSetNotAllowed, tests.ListenerSetProtocolConflict, tests.ListenerSetSameNamespace, + tests.TLSRouteHostnameIntersection, } if gatewayNamespaceMode { From 0dca82c8a462ae384ea55db9e86e5f4f5c5b951c Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 17:49:20 +0800 Subject: [PATCH 10/22] skip tlsroute Signed-off-by: zirain --- test/conformance/suite.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/conformance/suite.go b/test/conformance/suite.go index be86d37f07..edb4922e30 100644 --- a/test/conformance/suite.go +++ b/test/conformance/suite.go @@ -22,6 +22,12 @@ func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { tests.ListenerSetProtocolConflict, tests.ListenerSetSameNamespace, tests.TLSRouteHostnameIntersection, + tests.TLSRouteInvalidNoMatchingListener, + tests.TLSRouteInvalidNoMatchingListenerHostname, + tests.TLSRouteInvalidReferenceGrant, + tests.TLSRouteListenerTerminateSupportedKinds, + tests.TLSRouteSimpleSameNamespace, + tests.TLSRouteTerminateSimpleSameNamespace, } if gatewayNamespaceMode { From 72a1fe936f9921acc6e324a729e554c76ea3eb49 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 19:44:48 +0800 Subject: [PATCH 11/22] skip more test Signed-off-by: zirain --- test/conformance/suite.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/test/conformance/suite.go b/test/conformance/suite.go index edb4922e30..e4e505294d 100644 --- a/test/conformance/suite.go +++ b/test/conformance/suite.go @@ -16,6 +16,7 @@ import ( func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { skipTests := []suite.ConformanceTest{ tests.GatewayStaticAddresses, + // TODO: fix following conformance tests tests.ListenerSetCrossNamespace, tests.ListenerSetHostnameConflict, tests.ListenerSetNotAllowed, @@ -28,6 +29,15 @@ func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { tests.TLSRouteListenerTerminateSupportedKinds, tests.TLSRouteSimpleSameNamespace, tests.TLSRouteTerminateSimpleSameNamespace, + tests.GatewayInvalidTLSBackendConfiguration, + tests.GatewayWithAttachedRoutes, + tests.GatewayTLSBackendClientCertificate, + tests.GatewayFrontendClientCertificateValidation, + tests.GatewayInvalidFrontendClientCertificateValidation, + tests.HTTPRoute303Redirect, + tests.HTTPRoute307Redirect, + tests.HTTPRoute308Redirect, + tests.HTTPRouteHostnameIntersection, } if gatewayNamespaceMode { From d424560d372b3c899bf644717fc5c2062668d1c2 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Feb 2026 20:27:02 +0800 Subject: [PATCH 12/22] fix RunTest Signed-off-by: zirain --- test/conformance/conformance_test.go | 5 +++++ test/conformance/experimental_conformance_test.go | 5 +++++ test/e2e/e2e_test.go | 4 ++++ 3 files changed, 14 insertions(+) diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index 8dfd4a999f..244aaff8f1 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -56,6 +56,11 @@ func TestGatewayAPIConformance(t *testing.T) { ) } + // If focusing on a single test, clear the skip list to ensure it runs. + if opts.RunTest != "" { + opts.SkipTests = nil + } + cSuite, err := suite.NewConformanceTestSuite(opts) if err != nil { t.Fatalf("Error creating conformance test suite: %v", err) diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go index ad836d7b1c..64c6378078 100644 --- a/test/conformance/experimental_conformance_test.go +++ b/test/conformance/experimental_conformance_test.go @@ -55,6 +55,11 @@ func TestExperimentalConformance(t *testing.T) { ) } + // If focusing on a single test, clear the skip list to ensure it runs. + if opts.RunTest != "" { + opts.SkipTests = nil + } + t.Logf("Running experimental conformance tests with %s GatewayClass\n cleanup: %t\n debug: %t\n enable all features: %t \n conformance profiles: [%v]", *flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug, *flags.EnableAllSupportedFeatures, opts.ConformanceProfiles) diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index b699e11ec1..f72f8b9a48 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -77,6 +77,10 @@ func TestE2E(t *testing.T) { tlog.Logf(t, "ClusterTrustBundle feature is enabled") enabledFeatures.Insert(tests.ClusterTrustBundleFeature) } + // If focusing on a single test, clear the skip list to ensure it runs. + if *flags.RunTest != "" { + skipTests = nil + } cSuite, err := suite.NewConformanceTestSuite(suite.ConformanceOptions{ Client: c, From 4ab3c99f165319aaa8b20e0d1fffd26c5175eb91 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 6 Feb 2026 09:20:18 +0800 Subject: [PATCH 13/22] support FailFast Signed-off-by: zirain --- test/conformance/conformance_test.go | 1 + .../experimental_conformance_test.go | 1 + test/e2e/e2e_test.go | 1 + test/go.mod | 11 +++--- test/go.sum | 34 +++++++++---------- 5 files changed, 24 insertions(+), 24 deletions(-) diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index 244aaff8f1..4c17f9805c 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -45,6 +45,7 @@ func TestGatewayAPIConformance(t *testing.T) { opts.ExemptFeatures = internalSuite.ExemptFeatures opts.RunTest = *flags.RunTest opts.Hook = e2e.Hook + opts.FailFast = true // I don't know why this happens, but the UDPRoute test failed on dual stack // because on some VM(e.g. Ubuntu 22.04), the ipv4 address for UDP gateway is not diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go index 64c6378078..8c5907d472 100644 --- a/test/conformance/experimental_conformance_test.go +++ b/test/conformance/experimental_conformance_test.go @@ -37,6 +37,7 @@ func TestExperimentalConformance(t *testing.T) { opts.SkipTests = internalSuite.SkipTests opts.SupportedFeatures = internalSuite.SupportedFeatures opts.ExemptFeatures = internalSuite.ExemptFeatures + opts.FailFast = true opts.ConformanceProfiles = sets.New( suite.GatewayHTTPConformanceProfileName, diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index f72f8b9a48..ce62df06d7 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -96,6 +96,7 @@ func TestE2E(t *testing.T) { SkipTests: skipTests, AllowCRDsMismatch: *flags.AllowCRDsMismatch, Hook: Hook, + FailFast: true, }) if err != nil { t.Fatalf("Failed to create ConformanceTestSuite: %v", err) diff --git a/test/go.mod b/test/go.mod index e5565a447e..d31377f1c2 100644 --- a/test/go.mod +++ b/test/go.mod @@ -5,7 +5,7 @@ go 1.25.6 replace github.com/envoyproxy/gateway => ../ // TODO: remove this when v1.5.0 is released -replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378 +replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.1-0.20260206000630-dbb66e4adbec require ( fortio.org/fortio v1.73.2 @@ -35,10 +35,10 @@ require ( k8s.io/cli-runtime v0.35.0 k8s.io/client-go v0.35.0 k8s.io/kubectl v0.35.0 - k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 + k8s.io/utils v0.0.0-20260108192941-914a6e750570 sigs.k8s.io/controller-runtime v0.23.1 sigs.k8s.io/gateway-api v1.4.1 - sigs.k8s.io/gateway-api/conformance v0.0.0-20260203001228-5643ebfba378 + sigs.k8s.io/gateway-api/conformance v0.0.0-20260206000630-dbb66e4adbec sigs.k8s.io/yaml v1.6.0 ) @@ -101,7 +101,6 @@ require ( github.com/docker/go-units v0.5.0 // indirect github.com/dominikbraun/graph v0.23.0 // indirect github.com/ebitengine/purego v0.9.1 // indirect - github.com/eclipse/paho.mqtt.golang v1.5.1 // indirect github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/envoyproxy/go-control-plane v0.14.0 // indirect github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 // indirect @@ -183,7 +182,7 @@ require ( github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e // indirect github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect github.com/lyft/gostats v0.4.1 // indirect - github.com/mailru/easyjson v0.9.0 // indirect + github.com/mailru/easyjson v0.9.1 // indirect github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect @@ -287,7 +286,7 @@ require ( golang.org/x/term v0.39.0 // indirect golang.org/x/text v0.33.0 // indirect golang.org/x/time v0.14.0 // indirect - golang.org/x/tools v0.40.0 // indirect + golang.org/x/tools v0.41.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect diff --git a/test/go.sum b/test/go.sum index e8f1f19518..46a587d41e 100644 --- a/test/go.sum +++ b/test/go.sum @@ -159,8 +159,6 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A= github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ= -github.com/eclipse/paho.mqtt.golang v1.5.1 h1:/VSOv3oDLlpqR2Epjn1Q7b2bSTplJIeV2ISgCl2W7nE= -github.com/eclipse/paho.mqtt.golang v1.5.1/go.mod h1:1/yJCneuyOoCOzKSsOTUc0AJfpsItBGWvYpBLimhArU= github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA= @@ -298,8 +296,8 @@ github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCj github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY= -github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= +github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc= +github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -393,8 +391,8 @@ github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIi github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg= github.com/lyft/gostats v0.4.1 h1:oR6p4HRCGxt0nUntmZIWmYMgyothBi3eZH2A71vRjsc= github.com/lyft/gostats v0.4.1/go.mod h1:Tpx2xRzz4t+T2Tx0xdVgIoBdR2UMVz+dKnE3X01XSd8= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8= +github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= @@ -470,11 +468,11 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= -github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/ginkgo/v2 v2.28.0 h1:Rrf+lVLmtlBIKv6KrIGJCjyY8N36vDVcutbGJkyqjJc= +github.com/onsi/ginkgo/v2 v2.28.0/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM= -github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= +github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= +github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= @@ -759,8 +757,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA= -golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc= +golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= +golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -828,8 +826,8 @@ k8s.io/kubectl v0.35.0 h1:cL/wJKHDe8E8+rP3G7avnymcMg6bH6JEcR5w5uo06wc= k8s.io/kubectl v0.35.0/go.mod h1:VR5/TSkYyxZwrRwY5I5dDq6l5KXmiCb+9w8IKplk3Qo= k8s.io/metrics v0.35.0 h1:xVFoqtAGm2dMNJAcB5TFZJPCen0uEqqNt52wW7ABbX8= k8s.io/metrics v0.35.0/go.mod h1:g2Up4dcBygZi2kQSEQVDByFs+VUwepJMzzQLJJLpq4M= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY= +k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= periph.io/x/host/v3 v3.8.5 h1:g4g5xE1XZtDiGl1UAJaUur1aT7uNiFLMkyMEiZ7IHII= @@ -838,10 +836,10 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUo sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= -sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378 h1:N/4i0wNDIPE57e0pBKBm5HH3BQfa1q1N1qvkfutDPsk= -sigs.k8s.io/gateway-api v1.3.1-0.20260203001228-5643ebfba378/go.mod h1:Y5zI1i67c8iSB6AqTCJSvPgKC0xf1Qt0/akYEh4OwRI= -sigs.k8s.io/gateway-api/conformance v0.0.0-20260203001228-5643ebfba378 h1:2vorxizmv80iVLpZOokcbAbOkglOtLeIRIMf9NNS548= -sigs.k8s.io/gateway-api/conformance v0.0.0-20260203001228-5643ebfba378/go.mod h1:AHlHi1iWaoOQvo+ASsW2tuBknnXqnlM+zGObXprAymQ= +sigs.k8s.io/gateway-api v1.3.1-0.20260206000630-dbb66e4adbec h1:638uDvLs7jcWGu6VsPi8ubSw7YwOg4oj6vN92ztyRj0= +sigs.k8s.io/gateway-api v1.3.1-0.20260206000630-dbb66e4adbec/go.mod h1:GpMCTueMQOF6+p7aEvFMdQK97F0kG35whYyziGj5Lrg= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260206000630-dbb66e4adbec h1:ml4s8b/qI9OVv0l7dT079LIamuZGQV7SCKHZCk4yhZk= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260206000630-dbb66e4adbec/go.mod h1:y0mg+INX3KFShJpbtmlieVVG+taRrxk5ZxEwUzTTbRM= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= From 015d419825faed093f70190d951a3736f97938af Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 6 Feb 2026 09:24:00 +0800 Subject: [PATCH 14/22] bump golang 1.25.7 Signed-off-by: zirain --- test/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/go.mod b/test/go.mod index d31377f1c2..93576ed09a 100644 --- a/test/go.mod +++ b/test/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/test -go 1.25.6 +go 1.25.7 replace github.com/envoyproxy/gateway => ../ From 30f44a75ceb4c46e97343c3274dc7f97dc889969 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 6 Feb 2026 09:49:55 +0800 Subject: [PATCH 15/22] fix Signed-off-by: zirain --- ...set-https-tls-misuses-gateway-namespace.out.yaml | 2 +- .../xlistenerset-https-tls-same-namespace.out.yaml | 2 +- test/e2e/tests/xlistenerset.go | 13 +++---------- test/go.mod | 4 ++-- test/go.sum | 8 ++++---- 5 files changed, 11 insertions(+), 18 deletions(-) diff --git a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml index 6b4e1bc695..34613d0aae 100644 --- a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml @@ -153,7 +153,7 @@ xListenerSets: status: "False" type: Programmed name: extra-https-same-ns - port: 8443 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml b/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml index d170b01b8e..ecc11efea8 100644 --- a/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml @@ -163,7 +163,7 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-https-same-ns - port: 8443 + port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/test/e2e/tests/xlistenerset.go b/test/e2e/tests/xlistenerset.go index 8550f506e5..f83b732a38 100644 --- a/test/e2e/tests/xlistenerset.go +++ b/test/e2e/tests/xlistenerset.go @@ -340,19 +340,12 @@ var XListenerSetTLSTerminationTest = suite.ConformanceTest{ Namespace: ns, } - req := http.MakeRequest(t, &expected, listenerAddr, "HTTPS", "https") - certNN := types.NamespacedName{Name: "xlistener-https-certificate", Namespace: "xlistenerset-tls-termination-secret"} - cPem, keyPem, caPem, err := GetTLSSecret(suite.Client, certNN) + serverCertificate, _, _, err := GetTLSSecret(suite.Client, certNN) require.NoError(t, err) - combined := string(cPem) - if len(caPem) > 0 { - combined += "\n" + string(caPem) - } - - WaitForConsistentMTLSResponse(t, suite.RoundTripper, &req, &expected, suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency, - []byte(combined), keyPem, "www.example.com") + tlsutils.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, + listenerAddr, serverCertificate, nil, nil, "www.example.com", expected) }, } diff --git a/test/go.mod b/test/go.mod index 93576ed09a..83d04c15da 100644 --- a/test/go.mod +++ b/test/go.mod @@ -5,7 +5,7 @@ go 1.25.7 replace github.com/envoyproxy/gateway => ../ // TODO: remove this when v1.5.0 is released -replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.1-0.20260206000630-dbb66e4adbec +replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.1-0.20260205205831-a8c4b5edbcde require ( fortio.org/fortio v1.73.2 @@ -38,7 +38,7 @@ require ( k8s.io/utils v0.0.0-20260108192941-914a6e750570 sigs.k8s.io/controller-runtime v0.23.1 sigs.k8s.io/gateway-api v1.4.1 - sigs.k8s.io/gateway-api/conformance v0.0.0-20260206000630-dbb66e4adbec + sigs.k8s.io/gateway-api/conformance v0.0.0-20260205205831-a8c4b5edbcde sigs.k8s.io/yaml v1.6.0 ) diff --git a/test/go.sum b/test/go.sum index 46a587d41e..46e2677ea2 100644 --- a/test/go.sum +++ b/test/go.sum @@ -836,10 +836,10 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUo sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= -sigs.k8s.io/gateway-api v1.3.1-0.20260206000630-dbb66e4adbec h1:638uDvLs7jcWGu6VsPi8ubSw7YwOg4oj6vN92ztyRj0= -sigs.k8s.io/gateway-api v1.3.1-0.20260206000630-dbb66e4adbec/go.mod h1:GpMCTueMQOF6+p7aEvFMdQK97F0kG35whYyziGj5Lrg= -sigs.k8s.io/gateway-api/conformance v0.0.0-20260206000630-dbb66e4adbec h1:ml4s8b/qI9OVv0l7dT079LIamuZGQV7SCKHZCk4yhZk= -sigs.k8s.io/gateway-api/conformance v0.0.0-20260206000630-dbb66e4adbec/go.mod h1:y0mg+INX3KFShJpbtmlieVVG+taRrxk5ZxEwUzTTbRM= +sigs.k8s.io/gateway-api v1.3.1-0.20260205205831-a8c4b5edbcde h1:ru5uqLzzkgfmyWiJKXguUioStN4/GZq97eoGWswGITA= +sigs.k8s.io/gateway-api v1.3.1-0.20260205205831-a8c4b5edbcde/go.mod h1:GpMCTueMQOF6+p7aEvFMdQK97F0kG35whYyziGj5Lrg= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260205205831-a8c4b5edbcde h1:C1XGGRkQCbmAtD2EGM6vYKMpN6pJFPIUqwl9h/mmpwg= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260205205831-a8c4b5edbcde/go.mod h1:y0mg+INX3KFShJpbtmlieVVG+taRrxk5ZxEwUzTTbRM= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= From 096a191788b4d365f81e0167970ae0ace825d7c8 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 13 Feb 2026 19:56:25 +0800 Subject: [PATCH 16/22] bump Gateway API v1.5.0-rc.1 Signed-off-by: zirain --- .../workflows/experimental_conformance.yaml | 14 +- api/v1alpha1/envoygateway_types.go | 7 +- .../experimental-gatewayapi-crds.yaml | 6018 +++++++----- .../gateway.envoyproxy.io_backends.yaml | 5 +- ....envoyproxy.io_backendtrafficpolicies.yaml | 20 +- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 60 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 30 +- ...ateway.envoyproxy.io_httproutefilters.yaml | 20 +- .../templates/standard-gatewayapi-crds.yaml | 5878 +++++++++++- .../gateway.envoyproxy.io_backends.yaml | 5 +- ....envoyproxy.io_backendtrafficpolicies.yaml | 20 +- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 60 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 30 +- ...ateway.envoyproxy.io_httproutefilters.yaml | 20 +- charts/gateway-helm/templates/_rbac.tpl | 18 +- embed.go | 2 +- examples/extension-server/go.mod | 6 +- examples/extension-server/go.sum | 20 +- ...tewayapi-crds.yaml => gatewayapi-crds.yaml | 6018 +++++++----- go.mod | 6 +- go.sum | 20 +- .../translate/in/rejected-http-route.yaml | 37 - .../translate/out/quickstart.all.yaml | 1 - .../out/rejected-http-route.route.yaml | 90 - internal/cmd/egctl/translate_test.go | 8 - internal/gatewayapi/backendtrafficpolicy.go | 2 +- internal/gatewayapi/contexts.go | 57 +- internal/gatewayapi/helpers.go | 29 +- internal/gatewayapi/resource/load.go | 2 +- internal/gatewayapi/resource/resource.go | 19 +- .../gatewayapi/resource/supported_kind.go | 2 +- .../resource/testdata/all-resources.out.yaml | 2 - .../resource/testdata/all-resources2.out.yaml | 2 - .../resource/zz_generated.deepcopy.go | 9 +- internal/gatewayapi/runner/runner.go | 38 +- internal/gatewayapi/runner/runner_test.go | 2 +- internal/gatewayapi/status/gateway.go | 2 +- internal/gatewayapi/status/xlistenerset.go | 20 +- ...nttrafficpolicy-for-tcp-listeners.out.yaml | 4 +- .../clienttrafficpolicy-http3.out.yaml | 12 +- ...enttrafficpolicy-invalid-settings.out.yaml | 25 +- ...icy-mtls-cert-bundle-both-invalid.out.yaml | 5 +- ...olicy-mtls-cert-bundle-both-valid.out.yaml | 5 +- ...enttrafficpolicy-mtls-cert-bundle.out.yaml | 5 +- ...s-client-verification-expired-crl.out.yaml | 33 +- ...icpolicy-mtls-client-verification.out.yaml | 29 +- ...ficpolicy-mtls-clustertrustbundle.out.yaml | 36 +- ...s-forward-client-cert-custom-data.out.yaml | 36 +- ...icpolicy-mtls-forward-client-cert.out.yaml | 36 +- .../clienttrafficpolicy-mtls.out.yaml | 15 +- ...ttrafficpolicy-tls-invalid-cipher.out.yaml | 4 +- .../clienttrafficpolicy-tls-settings.out.yaml | 12 +- .../testdata/custom-filter-order.out.yaml | 2 - ...xtensionpolicy-with-wasm-env-vars.out.yaml | 2 - ...y-with-wasm-invalid-configuration.out.yaml | 14 - .../envoyextensionpolicy-with-wasm.out.yaml | 2 - .../testdata/gateway-infrastructure.out.yaml | 4 +- ...with-invalid-allowed-routes-group.out.yaml | 1 - ...-with-invalid-allowed-routes-kind.out.yaml | 1 - ...th-invalid-allowed-tls-route-kind.out.yaml | 1 - ...nvalid-multiple-tls-configuration.out.yaml | 20 +- ...id-tls-configuration-invalid-mode.out.yaml | 4 +- ...nfiguration-secret-does-not-exist.out.yaml | 4 +- ...uration-secret-in-other-namespace.out.yaml | 4 +- ...configuration-secret-is-not-valid.out.yaml | 4 +- ...guration-sni-san-mismatch-allowed.out.yaml | 4 +- ...her-namespace-allowed-by-refgrant.out.yaml | 4 +- ...ith-tls-terminate-and-passthrough.out.yaml | 4 +- ...istener-with-unsupported-protocol.out.yaml | 1 - ...ith-same-algorithm-different-fqdn.out.yaml | 8 +- ...-valid-multiple-tls-configuration.out.yaml | 8 +- ...ener-with-valid-tls-configuration.out.yaml | 4 +- ...-listeners-with-overlapping-certs.out.yaml | 12 +- ...stnames-and-certs-merged-gateways.out.yaml | 8 +- ...h-overlapping-hostnames-and-certs.out.yaml | 8 +- ...lapping-hostnames-merged-gateways.out.yaml | 12 +- ...teners-with-overlapping-hostnames.out.yaml | 12 +- ...teway-with-stale-status-condition.out.yaml | 4 +- ...wo-listeners-with-different-ports.out.yaml | 4 +- ...h-api-key-auth-duplicated-api-key.out.yaml | 4 +- .../securitypolicy-with-basic-auth.out.yaml | 4 - ...y-with-extauth-invalid-no-service.out.yaml | 4 - ...ypolicy-with-jwt-and-invalid-oidc.out.yaml | 4 - ...icy-with-oidc-and-jwt-passthrough.out.yaml | 2 - ...typolicy-with-oidc-backendcluster.out.yaml | 2 - ...uritypolicy-with-oidc-backendrefs.out.yaml | 2 - ...ypolicy-with-oidc-backendsettings.out.yaml | 2 - ...with-oidc-custom-cookies-samesite.out.yaml | 2 - ...typolicy-with-oidc-custom-cookies.out.yaml | 2 - ...itypolicy-with-oidc-deny-redirect.out.yaml | 2 - ...typolicy-with-oidc-invalid-issuer.out.yaml | 2 - ...olicy-with-oidc-invalid-secretref.out.yaml | 6 - ...itypolicy-with-oidc-serviceimport.out.yaml | 2 - .../securitypolicy-with-oidc.out.yaml | 8 - ...er-both-passthrough-and-cert-data.out.yaml | 4 +- .../xlistenerset-conflict-listeners.in.yaml | 14 +- .../xlistenerset-conflict-listeners.out.yaml | 26 +- .../xlistenerset-cross-namespace.in.yaml | 26 +- .../xlistenerset-cross-namespace.out.yaml | 42 +- .../testdata/xlistenerset-grpcroute.in.yaml | 18 +- .../testdata/xlistenerset-grpcroute.out.yaml | 32 +- .../testdata/xlistenerset-httproute.in.yaml | 18 +- .../testdata/xlistenerset-httproute.out.yaml | 34 +- ...ttps-tls-misuses-gateway-namespace.in.yaml | 10 +- ...tps-tls-misuses-gateway-namespace.out.yaml | 17 +- ...stenerset-https-tls-same-namespace.in.yaml | 10 +- ...tenerset-https-tls-same-namespace.out.yaml | 17 +- .../testdata/xlistenerset-invalid.in.yaml | 26 +- .../testdata/xlistenerset-invalid.out.yaml | 53 +- .../xlistenerset-no-maching-listener.in.yaml | 10 +- .../xlistenerset-no-maching-listener.out.yaml | 17 +- .../testdata/xlistenerset-tcproute.in.yaml | 10 +- .../testdata/xlistenerset-tcproute.out.yaml | 85 +- .../testdata/xlistenerset-tlsroute.in.yaml | 18 +- .../testdata/xlistenerset-tlsroute.out.yaml | 160 +- .../testdata/xlistenerset-udproute.in.yaml | 10 +- .../testdata/xlistenerset-udproute.out.yaml | 85 +- internal/gatewayapi/translator.go | 17 +- internal/gatewayapi/validate.go | 7 +- internal/gatewayapi/xlistenerset.go | 115 +- internal/message/types.go | 11 +- internal/provider/kubernetes/controller.go | 99 +- .../provider/kubernetes/controller_test.go | 105 +- internal/provider/kubernetes/helpers.go | 3 +- internal/provider/kubernetes/indexers.go | 93 +- .../provider/kubernetes/kubernetes_test.go | 10 +- .../provider/kubernetes/predicates_test.go | 4 +- internal/provider/kubernetes/resource.go | 12 +- internal/provider/kubernetes/routes.go | 42 +- internal/provider/kubernetes/routes_test.go | 39 +- internal/provider/kubernetes/status.go | 21 +- internal/provider/kubernetes/test/utils.go | 4 +- site/content/en/latest/api/extension_types.md | 3 - test/conformance/suite.go | 5 +- test/e2e/testdata/xlistenerset-base.yaml | 8 +- test/e2e/testdata/xlistenerset-grpc.yaml | 4 +- test/e2e/testdata/xlistenerset-http.yaml | 4 +- test/e2e/testdata/xlistenerset-https.yaml | 4 +- test/e2e/testdata/xlistenerset-tcp.yaml | 8 +- .../xlistenerset-tls-passthrough.yaml | 8 +- .../xlistenerset-tls-termination.yaml | 12 +- test/e2e/testdata/xlistenerset-udp.yaml | 8 +- test/e2e/tests/xlistenerset.go | 5 +- test/go.mod | 33 +- test/go.sum | 64 +- test/helm/gateway-crds-helm/all.out.yaml | 8277 ++++++++++------- .../envoy-gateway-crds.out.yaml | 135 +- .../gateway-api-crds.out.yaml | 6008 +++++++----- .../gateway-api-experimental-crds.out.yaml | 6008 +++++++----- .../gateway-api-standard-crds.out.yaml | 5880 +++++++++++- .../gateway-helm/certgen-annotations.out.yaml | 16 +- test/helm/gateway-helm/certgen-args.out.yaml | 16 +- .../helm/gateway-helm/certgen-labels.out.yaml | 16 +- .../certjen-custom-scheduling.out.yaml | 16 +- test/helm/gateway-helm/common-labels.out.yaml | 16 +- .../control-plane-with-pdb.out.yaml | 16 +- .../helm/gateway-helm/default-config.out.yaml | 16 +- .../deployment-annotations.out.yaml | 16 +- .../deployment-custom-topology.out.yaml | 16 +- .../deployment-images-config.out.yaml | 16 +- .../deployment-priorityclass.out.yaml | 16 +- .../deployment-repo-no-registry.out.yaml | 16 +- .../deployment-securitycontext.out.yaml | 16 +- .../envoy-gateway-config.out.yaml | 16 +- ...ay-gateway-namespace-config-watch.out.yaml | 32 +- ...-gateway-gateway-namespace-config.out.yaml | 16 +- ...teway-namespace-namespaceselector.out.yaml | 16 +- .../global-images-config.out.yaml | 16 +- ...l-pullsecrets-override-deployment.out.yaml | 16 +- ...lobal-pullsecrets-override-global.out.yaml | 16 +- ...obal-registry-override-deployment.out.yaml | 16 +- .../global-registry-override-global.out.yaml | 16 +- ...orizontal-pod-autoscaler-disabled.out.yaml | 16 +- .../horizontal-pod-autoscaler.out.yaml | 16 +- .../service-customization.out.yaml | 16 +- .../gateway-helm/webhook-disabled.out.yaml | 16 +- tools/linter/codespell/.codespell.skip | 1 + tools/linter/yamllint/.yamllint | 1 + tools/make/helm.mk | 3 +- tools/make/kube.mk | 12 +- 180 files changed, 32379 insertions(+), 14928 deletions(-) rename charts/gateway-helm/crds/gatewayapi-crds.yaml => gatewayapi-crds.yaml (91%) delete mode 100644 internal/cmd/egctl/testdata/translate/in/rejected-http-route.yaml delete mode 100644 internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 0ff71fb363..600758e462 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -5,12 +5,12 @@ on: tags: - "v*.*.*" paths: - - "charts/gateway-helm/crds/gatewayapi-crds.yaml" + - "charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml" - "test/conformance/experimental_conformance_test.go" - "internal/gatewayapi/conformance/suite.go" pull_request: paths: - - "charts/gateway-helm/crds/gatewayapi-crds.yaml" + - "charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml" - "test/conformance/experimental_conformance_test.go" - "internal/gatewayapi/conformance/suite.go" # Add workflow_dispatch to trigger this workflow manually by maintainers. @@ -26,22 +26,22 @@ jobs: fail-fast: false matrix: target: - - version: v1.30.13 + - version: v1.32.11 ipFamily: ipv4 profile: default - - version: v1.31.9 + - version: v1.33.7 ipFamily: ipv4 profile: default - - version: v1.32.5 + - version: v1.34.3 # only run ipv6 test on this version to save time ipFamily: ipv6 profile: default # TODO: this's IPv4 first, need a way to test IPv6 first. - - version: v1.33.1 + - version: v1.35.0 # only run dual test on latest version to save time ipFamily: dual profile: default - - version: v1.33.1 + - version: v1.35.0 # only run dual test on latest version to save time ipFamily: dual profile: gateway-namespace-mode diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go index b77e3ce401..7ec1baedc3 100644 --- a/api/v1alpha1/envoygateway_types.go +++ b/api/v1alpha1/envoygateway_types.go @@ -134,14 +134,9 @@ type EnvoyGatewaySpec struct { // GatewayAPI defines an experimental Gateway API resource that can be enabled. // +enum -// +kubebuilder:validation:Enum=XListenerSet;XBackendTrafficPolicy +// +kubebuilder:validation:Enum=XBackendTrafficPolicy type GatewayAPI string -const ( - // XListenerSet enables the Gateway API XListenerSet resource. - XListenerSet GatewayAPI = "XListenerSet" -) - // GatewayAPISettings provides a mechanism to opt into experimental Gateway API resources. // These APIs are experimental today and are subject to change or removal as they mature. type GatewayAPISettings struct { diff --git a/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml b/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml index 3ca2945b02..e2feec39fe 100644 --- a/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +++ b/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml @@ -1,5 +1,5 @@ {{- if and .Values.crds.gatewayAPI.enabled (or (eq .Values.crds.gatewayAPI.channel "experimental") (eq .Values.crds.gatewayAPI.channel "")) }} -# Copyright 2025 The Kubernetes Authors. +# Copyright 2026 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +25,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -100,8 +100,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -122,9 +120,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -136,9 +134,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -377,8 +394,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -388,9 +405,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -769,8 +794,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -791,9 +814,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -805,9 +828,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. - Support: Implementation-specific for any other resource + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1046,8 +1088,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -1057,9 +1099,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1397,7 +1447,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1916,7 +1966,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: @@ -2051,14 +2101,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -2071,7 +2121,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -2620,7 +2670,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2831,6 +2881,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -2860,19 +2913,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -2939,27 +3003,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3082,27 +3168,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3276,6 +3384,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3380,8 +3502,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -3460,7 +3585,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -3494,7 +3619,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3628,14 +3752,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -3648,7 +3772,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -4197,7 +4321,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -4408,6 +4532,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -4437,19 +4564,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -4516,27 +4654,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4659,27 +4819,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4853,6 +5035,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -4957,8 +5153,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -5037,7 +5236,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -5071,7 +5270,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -5101,7 +5299,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5643,10 +5841,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5718,10 +5920,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5926,10 +6132,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6001,10 +6211,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6295,10 +6509,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6369,10 +6587,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6576,10 +6798,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6650,10 +6876,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6804,8 +7034,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -6992,7 +7222,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -7008,6 +7238,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' type: object maxItems: 16 type: array @@ -7099,7 +7331,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -7350,7 +7582,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -7830,7 +8062,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -7849,18 +8081,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -7884,6 +8119,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -7892,7 +8131,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -7912,18 +8151,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -7990,10 +8232,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -8041,14 +8292,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -8084,6 +8339,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -8262,6 +8520,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8300,6 +8559,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8311,6 +8571,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8415,10 +8676,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8490,10 +8755,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8804,6 +9073,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8851,10 +9123,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8926,10 +9202,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9073,6 +9353,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -9116,11 +9401,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -9310,7 +9590,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -9329,18 +9609,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -9364,6 +9647,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -9372,7 +9659,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -9392,18 +9679,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -9470,10 +9760,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -9521,14 +9820,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -9564,6 +9867,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -9742,6 +10048,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9780,6 +10087,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -9791,6 +10099,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9892,10 +10201,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9966,10 +10279,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10280,6 +10597,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10326,10 +10646,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10400,10 +10724,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10547,6 +10875,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -10587,11 +10920,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -10737,10 +11065,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10949,7 +11281,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -10992,7 +11324,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -11083,7 +11415,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -11099,6 +11431,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -11203,6 +11537,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11286,7 +11621,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11988,7 +12323,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -12007,18 +12342,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -12042,6 +12380,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -12050,7 +12392,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -12070,18 +12412,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -12148,10 +12493,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -12199,14 +12553,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -12242,6 +12600,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -12420,6 +12781,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12458,6 +12820,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12469,6 +12832,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12573,10 +12937,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12648,10 +13016,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12962,6 +13334,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -13009,10 +13384,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13084,10 +13463,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13231,6 +13614,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -13274,11 +13662,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -13468,7 +13851,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -13487,18 +13870,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -13522,6 +13908,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -13530,7 +13920,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -13550,18 +13940,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -13628,10 +14021,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -13679,14 +14081,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -13722,6 +14128,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -13900,6 +14309,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13938,6 +14348,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -13949,6 +14360,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14050,10 +14462,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14124,10 +14540,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14438,6 +14858,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14484,10 +14907,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14558,10 +14985,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14705,6 +15136,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -14745,11 +15181,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -14895,10 +15326,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15107,7 +15542,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -15150,7 +15585,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -15241,7 +15676,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -15257,6 +15692,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -15361,6 +15798,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -15444,7 +15882,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -15688,53 +16126,71 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- @@ -15754,931 +16210,918 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: - When used to permit a SecretObjectReference: + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * Gateway + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` - When used to permit a BackendObjectReference: + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same description: |- - Namespace is the namespace of the referent. + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. - Support: Core + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - kind: + name: description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 + Name is not required to be unique across a Gateway and ListenerSets. + Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName + maxLength: 253 minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - name: + port: description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - required: - - from - - to - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tcproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TCPRoute - listKind: TCPRouteList - plural: tcproutes - singular: tcproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - TCPRoute provides a way to route TCP requests. When combined with a Gateway - listener, it can be used to forward connections on the port specified by the - listener to a set of backends specified by the TCPRoute. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of TCPRoute. - properties: - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". - There are two kinds of parent resources with "Core" support: + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. - This API may be extended in the future to support additional kinds of parent - resources. + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. - ParentRefs must be _distinct_. This means either that: + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. - Some examples: + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. - This API may be extended in the future to support additional kinds of parent - resources. + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the ListenerSet. - There are two kinds of parent resources with "Core" support: + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Known condition types are: - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + * "Accepted" + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - name: + message: description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - namespace: + observedGeneration: description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string - port: + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. - Support: Extended + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. format: int32 - maximum: 65535 - minimum: 1 type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of TCP matchers and actions. - items: - description: TCPRouteRule is the configuration for a given rule. - properties: - backendRefs: + supportedKinds: description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Connection rejections must - respect weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport - - Support: Implementation-specific for any other resource + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. - Support for weight: Extended + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. items: - description: |- - BackendRef defines how a Route should forward a request to a Kubernetes - resource. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. - - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. - - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. - - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - - Note that when the BackendTLSPolicy object is enabled by the implementation, - there are some extra rules about validity to consider here. See the fields - where this struct is used for more information about the exact behavior. + description: RouteGroupKind indicates the group and kind of + a Route resource. properties: group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. + default: gateway.networking.k8s.io + description: Group is the group of the Route. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) + description: Kind is the kind of the Route. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer required: - - name + - kind type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - minItems: 1 + maxItems: 8 type: array x-kubernetes-list-type: atomic - name: + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Support: Extended + Support: Core maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - - backendRefs + - group + - kind + - namespace type: object maxItems: 16 minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - useDefaultGateways: - description: |- - UseDefaultGateways indicates the default Gateway scope to use for this - Route. If unset (the default) or set to None, the Route will not be - attached to any default Gateway; if set, it will be attached to any - default Gateway supporting the named scope, subject to the usual rules - about which Routes a Gateway is allowed to claim. - - Think carefully before using this functionality! The set of default - Gateways supporting the requested scope can change over time without - any notice to the Route author, and in many situations it will not be - appropriate to request a default Gateway for a given Route -- for - example, a Route with specific security requirements should almost - certainly not use a default Gateway. - enum: - - All - - None - type: string - required: - - rules - type: object - status: - description: Status defines the current state of TCPRoute. - properties: - parents: + to: description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. + Support: Core items: description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. properties: - conditions: + group: description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object required: - - conditions - - controllerName - - parentRef + - group + - kind type: object - maxItems: 32 + maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic required: - - parents + - from + - to type: object - required: - - spec type: object served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tlsroutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TLSRoute - listKind: TLSRouteList - plural: tlsroutes - singular: tlsroute - scope: Namespaced - versions: + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1beta1 schema: openAPIV3Schema: description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. - If you need to forward traffic to a single target for a TLS listener, you - could choose to use a TCPRoute with a TLS listener. - properties: - apiVersion: + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and @@ -16696,66 +17139,187 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of TLSRoute. + description: Spec defines the desired state of ReferenceGrant. properties: - hostnames: + from: description: |- - Hostnames defines a set of SNI names that should match against the - SNI attribute of TLS ClientHello message in TLS handshake. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. - 1. IPs are not allowed in SNI names per RFC 6066. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. + When used to permit a SecretObjectReference: - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. + * Gateway - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. Support: Core items: description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -16993,21 +17557,18 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: Rules are a list of TCP matchers and actions. items: - description: TLSRouteRule is the configuration for a given rule. + description: TCPRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or - a Service with no endpoints), the rule performs no forwarding; if no - filters are specified that would result in a response being sent, the - underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. Support: Core for Kubernetes Service @@ -17179,7 +17740,7 @@ spec: - rules type: object status: - description: Status defines the current state of TLSRoute. + description: Status defines the current state of TCPRoute. properties: parents: description: |- @@ -17222,7 +17783,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -17455,22 +18016,51 @@ spec: - spec type: object served: true - storage: false + storage: true subresources: status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. - - If you need to forward traffic to a single target for a TLS listener, you +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener. properties: apiVersion: @@ -17502,32 +18092,6 @@ spec: 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have specified at least one of `test.example.com` or - `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have specified at least one hostname that matches the Listener - hostname. For example, `test.example.com` and `*.example.com` would both - match. On the other hand, `example.com` and `test.example.net` would not - match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches @@ -17552,6 +18116,17 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -17934,10 +18509,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17949,10 +18522,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) useDefaultGateways: description: |- UseDefaultGateways indicates the default Gateway scope to use for this @@ -18019,7 +18588,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -18255,46 +18824,20 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: udproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: UDPRoute - listKind: UDPRouteList - plural: udproutes - singular: udproute - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. name: v1alpha2 schema: openAPIV3Schema: description: |- - UDPRoute provides a way to route UDP traffic. When combined with a Gateway - listener, it can be used to forward traffic on the port specified by the - listener to a set of backends specified by the UDPRoute. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. properties: apiVersion: description: |- @@ -18314,8 +18857,66 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of UDPRoute. + description: Spec defines the desired state of TLSRoute. properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -18553,18 +19154,21 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: Rules are a list of TLS matchers and actions. items: - description: UDPRouteRule is the configuration for a given rule. + description: TLSRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Packet drops must - respect weight; if an invalid backend is requested to have 80% of - the packets, then 80% of packets must be dropped instead. + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. Support: Core for Kubernetes Service @@ -18695,10 +19299,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18736,7 +19338,7 @@ spec: - rules type: object status: - description: Status defines the current state of UDPRoute. + description: Status defines the current state of TLSRoute. properties: parents: description: |- @@ -18779,7 +19381,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -19012,52 +19614,26 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - labels: - gateway.networking.k8s.io/policy: Direct - name: xbackendtrafficpolicies.gateway.networking.x-k8s.io -spec: - group: gateway.networking.x-k8s.io - names: - categories: - - gateway-api - kind: XBackendTrafficPolicy - listKind: XBackendTrafficPolicyList - plural: xbackendtrafficpolicies - shortNames: - - xbtrafficpolicy - singular: xbackendtrafficpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 schema: openAPIV3Schema: description: |- - XBackendTrafficPolicy defines the configuration for how traffic to a - target backend should be handled. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. properties: apiVersion: description: |- @@ -19077,320 +19653,1358 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of BackendTrafficPolicy. + description: Spec defines the desired state of TLSRoute. properties: - retryConstraint: + hostnames: description: |- - RetryConstraint defines the configuration for when to allow or prevent - further retries to a target backend, by dynamically calculating a 'retry - budget'. This budget is calculated based on the percentage of incoming - traffic composed of retries over a given time interval. Once the budget - is exceeded, additional retries will be rejected. - - For example, if the retry budget interval is 10 seconds, there have been - 1000 active requests in the past 10 seconds, and the allowed percentage - of requests that can be retried is 20% (the default), then 200 of those - requests may be composed of retries. Active requests will only be - considered for the duration of the interval when calculating the retry - budget. Retrying the same original request multiple times within the - retry budget interval will lead to each retry being counted towards - calculating the budget. + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - HTTPRoute Retry settings for each HTTPRouteRule that targets the same - backend. While the HTTPRouteRule Retry stanza can specify whether a - request will be retried, and the number of retry attempts each client - may perform, RetryConstraint helps prevent cascading failures such as - retry storms during periods of consistent failures. + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + UDPRoute provides a way to route UDP traffic. When combined with a Gateway + listener, it can be used to forward traffic on the port specified by the + listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - After the retry budget has been exceeded, additional retries to the - backend MUST return a 503 response to the client. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Additional configurations for defining a constraint on retries MAY be - defined in the future. + There are two kinds of parent resources with "Core" support: - Support: Extended - properties: - budget: - default: - interval: 10s - percent: 20 - description: Budget holds the details of the retry budget configuration. - properties: - interval: - default: 10s - description: |- - Interval defines the duration in which requests will be considered - for calculating the budget for retries. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour or less - than one second - rule: '!(duration(self) < duration(''1s'') || duration(self) - > duration(''1h''))' - percent: - default: 20 - description: |- - Percent defines the maximum percentage of active requests that may - be made up of retries. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support: Extended - maximum: 100 - minimum: 0 - type: integer - type: object - minRetryRate: - default: - count: 10 - interval: 1s - description: |- - MinRetryRate defines the minimum rate of retries that will be allowable - over a specified duration of time. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - The effective overall minimum rate of retries targeting the backend - service may be much higher, as there can be any number of clients which - are applying this setting locally. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - This ensures that requests can still be retried during periods of low - traffic, where the budget for retries may be calculated as a very low - value. - Support: Extended - properties: - count: - description: |- - Count specifies the number of requests per time interval. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Support: Extended - maximum: 1000000 - minimum: 1 - type: integer - interval: - description: |- - Interval specifies the divisor of the rate of requests, the amount of - time during which the given count of requests occur. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour - rule: '!(duration(self) == duration(''0s'') || duration(self) - > duration(''1h''))' - type: object - type: object - sessionPersistence: - description: |- - SessionPersistence defines and configures session persistence - for the backend. - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Packet drops must + respect weight; if an invalid backend is requested to have 80% of + the packets, then 80% of packets must be dropped instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. - Defaults to "Session". + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - Support: Core for "Session" type - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + Defaults to "Service" when not specified. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - Support: Core for "Cookie" type + Support: Core (Services with a type other than ExternalName) - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - targetRefs: - description: |- - TargetRefs identifies API object(s) to apply this policy to. - Currently, Backends (A grouping of like endpoints such as Service, - ServiceImport, or any implementation-specific backendRef) are the only - valid API target references. + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - Currently, a TargetRef can not be scoped to a specific port on a - Service. - items: - description: |- - LocalPolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic name: - description: Name is the name of the target resource. + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - - group - - kind - - name + - backendRefs type: object maxItems: 16 minItems: 1 type: array - x-kubernetes-list-map-keys: - - group - - kind - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string required: - - targetRefs + - rules type: object status: - description: Status defines the current state of BackendTrafficPolicy. + description: Status defines the current state of UDPRoute. properties: - ancestors: + parents: description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. - - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. - - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. items: description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. + Example: "example.net/gateway-controller". - This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. - properties: - ancestorRef: + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. properties: group: default: gateway.networking.k8s.io @@ -19524,99 +21138,16 @@ spec: required: - name type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string required: - - ancestorRef - conditions - controllerName + - parentRef type: object - maxItems: 16 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - ancestors + - parents type: object required: - spec @@ -19633,36 +21164,82 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml +# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." + reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] +--- +# +# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: xlistenersets.gateway.networking.x-k8s.io + labels: + gateway.networking.k8s.io/policy: Direct + name: xbackendtrafficpolicies.gateway.networking.x-k8s.io spec: group: gateway.networking.x-k8s.io names: categories: - gateway-api - kind: XListenerSet - listKind: XListenerSetList - plural: xlistenersets + kind: XBackendTrafficPolicy + listKind: XBackendTrafficPolicyList + plural: xbackendtrafficpolicies shortNames: - - lset - singular: xlistenerset + - xbtrafficpolicy + singular: xbackendtrafficpolicy scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -19670,33 +21247,8 @@ spec: schema: openAPIV3Schema: description: |- - XListenerSet defines a set of additional listeners to attach to an existing Gateway. - This resource provides a mechanism to merge multiple listeners into a single Gateway. - - The parent Gateway must explicitly allow ListenerSet attachment through its - AllowedListeners configuration. By default, Gateways do not allow ListenerSet - attachment. - - Routes can attach to a ListenerSet by specifying it as a parentRef, and can - optionally target specific listeners using the sectionName field. - - Policy Attachment: - - Policies that attach to a ListenerSet apply to all listeners defined in that resource - - Policies do not impact listeners in the parent Gateway - - Different ListenerSets attached to the same Gateway can have different policies - - If an implementation cannot apply a policy to specific listeners, it should reject the policy - - ReferenceGrant Semantics: - - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - - Gateway Integration: - - The parent Gateway's status will include an "AttachedListenerSets" condition - - This condition will be: - - True: when AllowedListeners is set and at least one child ListenerSet is attached - - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - - Unknown: when no AllowedListeners config is present + XBackendTrafficPolicy defines the configuration for how traffic to a + target backend should be handled. properties: apiVersion: description: |- @@ -19716,579 +21268,458 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ListenerSet. + description: Spec defines the desired state of BackendTrafficPolicy. properties: - listeners: + retryConstraint: description: |- - Listeners associated with this ListenerSet. Listeners define - logical endpoints that are bound on this referenced parent Gateway's addresses. - - Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - as a list when programming the underlying infrastructure. Each listener - name does not need to be unique across the Gateway and ListenerSets. - See ListenerEntry.Name for more details. - - Implementations MUST treat the parent Gateway as having the merged - list of all listeners from itself and attached ListenerSets using - the following precedence: - - 1. "parent" Gateway - 2. ListenerSet ordered by creation time (oldest first) - 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - - An implementation MAY reject listeners by setting the ListenerEntryStatus - `Accepted` condition to False with the Reason `TooManyListeners` - - If a listener has a conflict, this will be reported in the - Status.ListenerEntryStatus setting the `Conflicted` condition to True. - - Implementations SHOULD be cautious about what information from the - parent or siblings are reported to avoid accidentally leaking - sensitive information that the child would not otherwise have access - to. This can include contents of secrets etc. - items: - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. - - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: - - * The most specific match as defined by the Route type. - * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. - - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. - - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. - If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. - - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. - - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: - - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. - * Same: Only Routes in the same namespace may be used by this Gateway. + RetryConstraint defines the configuration for when to allow or prevent + further retries to a target backend, by dynamically calculating a 'retry + budget'. This budget is calculated based on the percentage of incoming + traffic composed of retries over a given time interval. Once the budget + is exceeded, additional retries will be rejected. - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". + For example, if the retry budget interval is 10 seconds, there have been + 1000 active requests in the past 10 seconds, and the allowed percentage + of requests that can be retried is 20% (the default), then 200 of those + requests may be composed of retries. Active requests will only be + considered for the duration of the interval when calculating the retry + budget. Retrying the same original request multiple times within the + retry budget interval will lead to each retry being counted towards + calculating the budget. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: - description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. + Configuring a RetryConstraint in BackendTrafficPolicy is compatible with + HTTPRoute Retry settings for each HTTPRouteRule that targets the same + backend. While the HTTPRouteRule Retry stanza can specify whether a + request will be retried, and the number of retry attempts each client + may perform, RetryConstraint helps prevent cascading failures such as + retry storms during periods of consistent failures. - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: + After the retry budget has been exceeded, additional retries to the + backend MUST return a 503 response to the client. - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - protocol layers as described above. If an implementation does not - ensure that both the SNI and Host header match the Listener hostname, - it MUST clearly document that. + Additional configurations for defining a constraint on retries MAY be + defined in the future. - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. + Support: Extended + properties: + budget: + default: + interval: 10s + percent: 20 + description: Budget holds the details of the retry budget configuration. + properties: + interval: + default: 10s + description: |- + Interval defines the duration in which requests will be considered + for calculating the budget for retries. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - name: - description: |- - Name is the name of the Listener. This name MUST be unique within a - ListenerSet. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour or less + than one second + rule: '!(duration(self) < duration(''1s'') || duration(self) + > duration(''1h''))' + percent: + default: 20 + description: |- + Percent defines the maximum percentage of active requests that may + be made up of retries. - Name is not required to be unique across a Gateway and ListenerSets. - Routes can attach to a Listener by having a ListenerSet as a parentRef - and setting the SectionName - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - port: - default: 0 - description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. + Support: Extended + maximum: 100 + minimum: 0 + type: integer + type: object + minRetryRate: + default: + count: 10 + interval: 1s + description: |- + MinRetryRate defines the minimum rate of retries that will be allowable + over a specified duration of time. - If the port is not set or specified as zero, the implementation will assign - a unique port. If the implementation does not support dynamic port - assignment, it MUST set `Accepted` condition to `False` with the - `UnsupportedPort` reason. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - protocol: - description: Protocol specifies the network protocol this listener - expects to receive. - maxLength: 255 - minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ - type: string - tls: - description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". + The effective overall minimum rate of retries targeting the backend + service may be much higher, as there can be any number of clients which + are applying this setting locally. - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. + This ensures that requests can still be retried during periods of low + traffic, where the budget for retries may be calculated as a very low + value. - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. + Support: Extended + properties: + count: + description: |- + Count specifies the number of requests per time interval. - A single CertificateRef to a Kubernetes Secret has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. + Support: Extended + maximum: 1000000 + minimum: 1 + type: integer + interval: + description: |- + Interval specifies the divisor of the rate of requests, the amount of + time during which the given count of requests occur. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour + rule: '!(duration(self) == duration(''0s'') || duration(self) + > duration(''1h''))' + type: object + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the backend. - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + Defaults to "Session". - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + Support: Core for "Session" type - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate - description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. - Support: Core - enum: - - Terminate - - Passthrough - type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use of a header or cookie. Defaults to cookie based session + persistence. - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. + Support: Core for "Cookie" type - Support: Implementation-specific - maxProperties: 16 - type: object - type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' + targetRefs: + description: |- + TargetRefs identifies API object(s) to apply this policy to. + Currently, Backends (A grouping of like endpoints such as Service, + ServiceImport, or any implementation-specific backendRef) are the only + valid API target references. + + Currently, a TargetRef cannot be scoped to a specific port on a + Service. + items: + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string required: + - group + - kind - name - - protocol type: object - maxItems: 64 + maxItems: 16 minItems: 1 type: array x-kubernetes-list-map-keys: + - group + - kind - name x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) - && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) - && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) - && !has(l2.hostname))))' - parentRef: - description: ParentRef references the Gateway that the listeners are - attached to. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: Kind is kind of the referent. For example "Gateway". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. If not present, - the namespace of the referent is assumed to be the same as - the namespace of the referring object. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object required: - - listeners - - parentRef + - targetRefs type: object status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of ListenerSet. + description: Status defines the current state of BackendTrafficPolicy. properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed + ancestors: description: |- - Conditions describe the current conditions of the ListenerSet. + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Implementations MUST express ListenerSet conditions using the - `ListenerSetConditionType` and `ListenerSetConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe ListenerSet state. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Known condition types are: - * "Accepted" - * "Programmed" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. - items: - description: ListenerStatus is the status associated with a Listener. - properties: - attachedRoutes: - description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object conditions: - description: Conditions describe the current condition of this - listener. + description: Conditions describes the status of the Policy with + respect to the given Ancestor. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -20345,69 +21776,40 @@ spec: - type type: object maxItems: 8 + minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - port: - description: Port is the network port the listener is configured - to listen on. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic required: - - attachedRoutes + - ancestorRef - conditions - - name - - port - - supportedKinds + - controllerName type: object - maxItems: 64 + maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + required: + - ancestors type: object required: - spec @@ -20431,7 +21833,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml index 60083b5202..046ae3d125 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml @@ -370,8 +370,9 @@ spec: If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string type: object x-kubernetes-validations: diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index b1faba9c9a..65818024d3 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -2045,8 +2045,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -2119,8 +2125,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index f86e2c2eca..a2ba35ddcf 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -263,8 +263,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -315,8 +321,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -422,8 +434,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -484,8 +502,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -536,8 +560,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -643,8 +673,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml index f905780b1c..39e64597d6 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -13569,8 +13569,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -14975,8 +14981,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -16319,8 +16331,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_httproutefilters.yaml index 0c5fedfcc1..47ba2fc376 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_httproutefilters.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_httproutefilters.yaml @@ -237,8 +237,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -311,8 +317,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml b/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml index fcc9e088b7..5d80be60f4 100644 --- a/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml +++ b/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml @@ -1,5 +1,5 @@ {{- if and .Values.crds.gatewayAPI.enabled (eq .Values.crds.gatewayAPI.channel "standard") }} -# Copyright 2025 The Kubernetes Authors. +# Copyright 2026 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +25,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard labels: gateway.networking.k8s.io/policy: Direct @@ -100,8 +100,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -122,9 +120,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -136,9 +134,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -377,8 +394,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -388,9 +405,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -751,8 +776,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -773,9 +796,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -787,9 +810,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service - Support: Implementation-specific for any other resource + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1028,8 +1070,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -1039,9 +1081,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1361,7 +1411,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1880,7 +1930,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: gateways.gateway.networking.k8s.io spec: @@ -2012,6 +2062,87 @@ spec: rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )' + allowedListeners: + description: |- + AllowedListeners defines which ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: |- + Namespaces defines which namespaces ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: |- + From indicates where ListenerSets can attach to this Gateway. Possible + values are: + + * Same: Only ListenerSets in the same namespace may be attached to this Gateway. + * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. + * All: ListenerSets in all namespaces may be attached to this Gateway. + * None: Only listeners defined in the Gateway's spec are allowed + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only ListenerSets in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -2480,7 +2611,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2691,6 +2822,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -2701,6 +2835,421 @@ spec: rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + tls: + description: |- + TLS specifies frontend and backend tls configuration for entire gateway. + + Support: Extended + properties: + backend: + description: |- + Backend describes TLS configuration for gateway when connecting + to backends. + + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: |- + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. + + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: + description: |- + The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. + + Support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object + type: object required: - gatewayClassName - listeners @@ -2776,6 +3325,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -2880,8 +3443,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -2960,7 +3526,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -2994,7 +3560,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3125,6 +3690,87 @@ spec: rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )' + allowedListeners: + description: |- + AllowedListeners defines which ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: |- + Namespaces defines which namespaces ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: |- + From indicates where ListenerSets can attach to this Gateway. Possible + values are: + + * Same: Only ListenerSets in the same namespace may be attached to this Gateway. + * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. + * All: ListenerSets in all namespaces may be attached to this Gateway. + * None: Only listeners defined in the Gateway's spec are allowed + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only ListenerSets in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -3593,7 +4239,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -3804,6 +4450,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -3814,21 +4463,436 @@ spec: rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' - required: - - gatewayClassName - - listeners - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending + tls: + description: |- + TLS specifies frontend and backend tls configuration for entire gateway. + + Support: Extended + properties: + backend: + description: |- + Backend describes TLS configuration for gateway when connecting + to backends. + + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: |- + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. + + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: + description: |- + The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. + + Support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object + type: object + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending status: Unknown type: Programmed description: Status defines the current state of Gateway. @@ -3889,6 +4953,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3993,8 +5071,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -4073,7 +5154,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -4107,7 +5188,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -4137,7 +5217,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: grpcroutes.gateway.networking.k8s.io spec: @@ -5793,8 +6873,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -5978,7 +7058,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -6211,7 +7291,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: httproutes.gateway.networking.k8s.io spec: @@ -6618,6 +7698,316 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. + + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object extensionRef: description: |- ExtensionRef is an optional, implementation-specific extension to the @@ -7087,6 +8477,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -7265,6 +8658,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -7354,6 +8748,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -7554,34 +8953,344 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: - extensionRef: + cors: description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. - This filter can be used multiple times within the same rule. - - Support: Implementation-specific + Support: Extended properties: - group: + allowCredentials: description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 minLength: 1 type: string required: @@ -8021,6 +9730,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8197,6 +9909,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -8286,6 +9999,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -8754,6 +10472,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -8816,7 +10535,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -9427,6 +11146,316 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. + + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object extensionRef: description: |- ExtensionRef is an optional, implementation-specific extension to the @@ -9896,6 +11925,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10074,6 +12106,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -10163,6 +12196,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -10363,6 +12401,316 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. + + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object extensionRef: description: |- ExtensionRef is an optional, implementation-specific extension to the @@ -10830,6 +13178,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -11006,6 +13357,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -11095,6 +13447,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -11563,6 +13920,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11625,7 +13983,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11851,53 +14209,71 @@ status: storedVersions: null --- # -# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/standard/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. - - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. - - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. - - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. + + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. + + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. + + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- @@ -11917,130 +14293,3230 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. + + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. + + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: + + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". + + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` + + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. + + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. + + Name is not required to be unique across a Gateway and ListenerSets. + Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the ListenerSet. + + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. + + Known condition types are: + + * "Accepted" + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: standard + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: standard + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. Support: Core items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. properties: - group: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Support: Core + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - kind: + parentRef: description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - When used to permit a SecretObjectReference: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - * Gateway + There are two kinds of parent resources with "Core" support: - When used to permit a BackendObjectReference: + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 - minLength: 1 - type: string + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object required: - - group - - kind + - conditions + - controllerName + - parentRef type: object - maxItems: 16 - minItems: 1 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - from - - to + - parents type: object + required: + - spec type: object - served: true - storage: true - subresources: {} + served: false + storage: false + subresources: + status: {} status: acceptedNames: kind: "" plural: "" conditions: null storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." + reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] {{- end }} diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml index 45d974d865..781f0d8a11 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml @@ -369,8 +369,9 @@ spec: If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string type: object x-kubernetes-validations: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index d932b9e0ba..3157b70557 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -2044,8 +2044,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -2118,8 +2124,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 0a83915dbe..bbd038aa97 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -262,8 +262,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -314,8 +320,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -421,8 +433,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -483,8 +501,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -535,8 +559,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -642,8 +672,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 900b4e5fa0..ed8cb7e281 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -13568,8 +13568,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -14974,8 +14980,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -16318,8 +16330,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml index 22c7ff1024..34834b3d5e 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml @@ -236,8 +236,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -310,8 +316,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl index c8a07d18d9..2645809cb1 100644 --- a/charts/gateway-helm/templates/_rbac.tpl +++ b/charts/gateway-helm/templates/_rbac.tpl @@ -9,8 +9,6 @@ All namespaced resources for Envoy Gateway RBAC. - {{ include "eg.rbac.namespaced.gateway.envoyproxy.status" . | nindent 2 | trim }} - {{ include "eg.rbac.namespaced.gateway.networking" . | nindent 2 | trim }} - {{ include "eg.rbac.namespaced.gateway.networking.status" . | nindent 2 | trim }} -- {{ include "eg.rbac.namespaced.gateway.networking.experimental" . | nindent 2 | trim }} -- {{ include "eg.rbac.namespaced.gateway.networking.experimental.status" . | nindent 2 | trim }} {{- if .Values.topologyInjector.enabled }} - {{ include "eg.rbac.namespaced.topologyinjector" . | nindent 2 | trim }} {{- end }} @@ -117,6 +115,7 @@ apiGroups: - gateway.networking.k8s.io resources: - gateways +- listenersets - grpcroutes - httproutes - referencegrants @@ -135,6 +134,7 @@ apiGroups: - gateway.networking.k8s.io resources: - gateways/status +- listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -146,23 +146,9 @@ verbs: {{- end }} {{- define "eg.rbac.namespaced.gateway.networking.experimental" -}} -apiGroups: -- gateway.networking.x-k8s.io -resources: -- xlistenersets -verbs: -- get -- list -- watch {{- end }} {{- define "eg.rbac.namespaced.gateway.networking.experimental.status" -}} -apiGroups: -- gateway.networking.x-k8s.io -resources: -- xlistenersets/status -verbs: -- update {{- end }} {{/* diff --git a/embed.go b/embed.go index 97f2e3bf54..bed7ec0297 100644 --- a/embed.go +++ b/embed.go @@ -11,7 +11,7 @@ import ( ) var ( - //go:embed charts/gateway-helm/crds/gatewayapi-crds.yaml + //go:embed gatewayapi-crds.yaml gatewayAPICRDs []byte //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index d41651e3d9..b2a45ef6ed 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -11,7 +11,7 @@ require ( google.golang.org/protobuf v1.36.11 k8s.io/apimachinery v0.35.0 sigs.k8s.io/controller-runtime v0.23.1 - sigs.k8s.io/gateway-api v1.4.1 + sigs.k8s.io/gateway-api v1.5.0-rc.1 sigs.k8s.io/gateway-api-inference-extension v1.3.0 ) @@ -32,7 +32,7 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/mailru/easyjson v0.9.0 // indirect + github.com/mailru/easyjson v0.9.1 // indirect github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect @@ -62,7 +62,7 @@ require ( k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect - k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect + k8s.io/utils v0.0.0-20260108192941-914a6e750570 // indirect sigs.k8s.io/controller-tools v0.19.0 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/randfill v1.0.0 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 48531afc8d..59c15ecac0 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -79,8 +79,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8= +github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= @@ -97,10 +97,10 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.27.3 h1:ICsZJ8JoYafeXFFlFAG75a7CxMsJHwgKwtO+82SE9L8= -github.com/onsi/ginkgo/v2 v2.27.3/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= -github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM= -github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= +github.com/onsi/ginkgo/v2 v2.28.0 h1:Rrf+lVLmtlBIKv6KrIGJCjyY8N36vDVcutbGJkyqjJc= +github.com/onsi/ginkgo/v2 v2.28.0/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= +github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= @@ -231,16 +231,16 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY= +k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= sigs.k8s.io/controller-tools v0.19.0 h1:OU7jrPPiZusryu6YK0jYSjPqg8Vhf8cAzluP9XGI5uk= sigs.k8s.io/controller-tools v0.19.0/go.mod h1:y5HY/iNDFkmFla2CfQoVb2AQXMsBk4ad84iR1PLANB0= -sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8= -sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/gateway-api v1.5.0-rc.1 h1:AS+IYP7NdTqDYmWlVl2J9+EcpQ8QyGsRu4kusr2W0vs= +sigs.k8s.io/gateway-api v1.5.0-rc.1/go.mod h1:GpMCTueMQOF6+p7aEvFMdQK97F0kG35whYyziGj5Lrg= sigs.k8s.io/gateway-api-inference-extension v1.3.0 h1:Ng2Qs1Oum4WycuWyi3rOkAC7pZ2aDqgN2ku6Lr/mryQ= sigs.k8s.io/gateway-api-inference-extension v1.3.0/go.mod h1:Cyex0AlEzhuXFklzl0y5Hdf5zVY8PUtSKhzMvHh5D9M= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/gatewayapi-crds.yaml similarity index 91% rename from charts/gateway-helm/crds/gatewayapi-crds.yaml rename to gatewayapi-crds.yaml index ee7eb803a7..64a4372f66 100644 --- a/charts/gateway-helm/crds/gatewayapi-crds.yaml +++ b/gatewayapi-crds.yaml @@ -1,4 +1,4 @@ -# Copyright 2025 The Kubernetes Authors. +# Copyright 2026 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,7 +24,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -99,8 +99,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -121,9 +119,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -135,9 +133,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -376,8 +393,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -387,9 +404,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -768,8 +793,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -790,9 +813,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -804,9 +827,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. - Support: Implementation-specific for any other resource + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1045,8 +1087,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -1056,9 +1098,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1396,7 +1446,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1915,7 +1965,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: @@ -2050,14 +2100,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -2070,7 +2120,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -2619,7 +2669,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2830,6 +2880,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -2859,19 +2912,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -2938,27 +3002,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3081,27 +3167,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3275,6 +3383,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3379,8 +3501,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -3459,7 +3584,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -3493,7 +3618,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3627,14 +3751,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -3647,7 +3771,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -4196,7 +4320,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -4407,6 +4531,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -4436,19 +4563,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -4515,27 +4653,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4658,27 +4818,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4852,6 +5034,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -4956,8 +5152,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -5036,7 +5235,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -5070,7 +5269,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -5100,7 +5298,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5642,10 +5840,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5717,10 +5919,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5925,10 +6131,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6000,10 +6210,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6294,10 +6508,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6368,10 +6586,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6575,10 +6797,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6649,10 +6875,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6803,8 +7033,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -6991,7 +7221,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -7007,6 +7237,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' type: object maxItems: 16 type: array @@ -7098,7 +7330,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -7349,7 +7581,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -7829,7 +8061,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -7848,18 +8080,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -7883,6 +8118,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -7891,7 +8130,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -7911,18 +8150,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -7989,10 +8231,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -8040,14 +8291,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -8083,6 +8338,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -8261,6 +8519,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8299,6 +8558,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8310,6 +8570,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8414,10 +8675,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8489,10 +8754,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8803,6 +9072,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8850,10 +9122,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8925,10 +9201,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9072,6 +9352,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -9115,11 +9400,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -9309,7 +9589,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -9328,18 +9608,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -9363,6 +9646,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -9371,7 +9658,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -9391,18 +9678,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -9469,10 +9759,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -9520,14 +9819,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -9563,6 +9866,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -9741,6 +10047,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9779,6 +10086,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -9790,6 +10098,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9891,10 +10200,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9965,10 +10278,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10279,6 +10596,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10325,10 +10645,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10399,10 +10723,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10546,6 +10874,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -10586,11 +10919,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -10736,10 +11064,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10948,7 +11280,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -10991,7 +11323,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -11082,7 +11414,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -11098,6 +11430,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -11202,6 +11536,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11285,7 +11620,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11987,7 +12322,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -12006,18 +12341,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -12041,6 +12379,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -12049,7 +12391,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -12069,18 +12411,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -12147,10 +12492,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -12198,14 +12552,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -12241,6 +12599,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -12419,6 +12780,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12457,6 +12819,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12468,6 +12831,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12572,10 +12936,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12647,10 +13015,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12961,6 +13333,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -13008,10 +13383,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13083,10 +13462,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13230,6 +13613,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -13273,11 +13661,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -13467,7 +13850,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -13486,18 +13869,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -13521,6 +13907,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -13529,7 +13919,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -13549,18 +13939,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -13627,10 +14020,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -13678,14 +14080,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -13721,6 +14127,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -13899,6 +14308,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13937,6 +14347,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -13948,6 +14359,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14049,10 +14461,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14123,10 +14539,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14437,6 +14857,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14483,10 +14906,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14557,10 +14984,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14704,6 +15135,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -14744,11 +15180,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -14894,10 +15325,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15106,7 +15541,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -15149,7 +15584,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -15240,7 +15675,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -15256,6 +15691,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -15360,6 +15797,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -15443,7 +15881,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -15687,53 +16125,71 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- @@ -15753,931 +16209,918 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: - When used to permit a SecretObjectReference: + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * Gateway + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` - When used to permit a BackendObjectReference: + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same description: |- - Namespace is the namespace of the referent. + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. - Support: Core + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - kind: + name: description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 + Name is not required to be unique across a Gateway and ListenerSets. + Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName + maxLength: 253 minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - name: + port: description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - required: - - from - - to - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tcproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TCPRoute - listKind: TCPRouteList - plural: tcproutes - singular: tcproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - TCPRoute provides a way to route TCP requests. When combined with a Gateway - listener, it can be used to forward connections on the port specified by the - listener to a set of backends specified by the TCPRoute. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of TCPRoute. - properties: - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". - There are two kinds of parent resources with "Core" support: + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. - This API may be extended in the future to support additional kinds of parent - resources. + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. - ParentRefs must be _distinct_. This means either that: + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. - Some examples: + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. - This API may be extended in the future to support additional kinds of parent - resources. + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the ListenerSet. - There are two kinds of parent resources with "Core" support: + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Known condition types are: - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + * "Accepted" + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - name: + message: description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - namespace: + observedGeneration: description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string - port: + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. - Support: Extended + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. format: int32 - maximum: 65535 - minimum: 1 type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of TCP matchers and actions. - items: - description: TCPRouteRule is the configuration for a given rule. - properties: - backendRefs: + supportedKinds: description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Connection rejections must - respect weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport - - Support: Implementation-specific for any other resource + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. - Support for weight: Extended + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. items: - description: |- - BackendRef defines how a Route should forward a request to a Kubernetes - resource. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. - - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. - - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. - - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - - Note that when the BackendTLSPolicy object is enabled by the implementation, - there are some extra rules about validity to consider here. See the fields - where this struct is used for more information about the exact behavior. + description: RouteGroupKind indicates the group and kind of + a Route resource. properties: group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. + default: gateway.networking.k8s.io + description: Group is the group of the Route. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) + description: Kind is the kind of the Route. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer required: - - name + - kind type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - minItems: 1 + maxItems: 8 type: array x-kubernetes-list-type: atomic - name: + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Support: Extended + Support: Core maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - - backendRefs + - group + - kind + - namespace type: object maxItems: 16 minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - useDefaultGateways: - description: |- - UseDefaultGateways indicates the default Gateway scope to use for this - Route. If unset (the default) or set to None, the Route will not be - attached to any default Gateway; if set, it will be attached to any - default Gateway supporting the named scope, subject to the usual rules - about which Routes a Gateway is allowed to claim. - - Think carefully before using this functionality! The set of default - Gateways supporting the requested scope can change over time without - any notice to the Route author, and in many situations it will not be - appropriate to request a default Gateway for a given Route -- for - example, a Route with specific security requirements should almost - certainly not use a default Gateway. - enum: - - All - - None - type: string - required: - - rules - type: object - status: - description: Status defines the current state of TCPRoute. - properties: - parents: + to: description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. + Support: Core items: description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. properties: - conditions: + group: description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object required: - - conditions - - controllerName - - parentRef + - group + - kind type: object - maxItems: 32 + maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic required: - - parents + - from + - to type: object - required: - - spec type: object served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tlsroutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TLSRoute - listKind: TLSRouteList - plural: tlsroutes - singular: tlsroute - scope: Namespaced - versions: + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1beta1 schema: openAPIV3Schema: description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. - If you need to forward traffic to a single target for a TLS listener, you - could choose to use a TCPRoute with a TLS listener. - properties: - apiVersion: + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and @@ -16695,66 +17138,187 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of TLSRoute. + description: Spec defines the desired state of ReferenceGrant. properties: - hostnames: + from: description: |- - Hostnames defines a set of SNI names that should match against the - SNI attribute of TLS ClientHello message in TLS handshake. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. - 1. IPs are not allowed in SNI names per RFC 6066. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. + When used to permit a SecretObjectReference: - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. + * Gateway - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. Support: Core items: description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -16992,21 +17556,18 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: Rules are a list of TCP matchers and actions. items: - description: TLSRouteRule is the configuration for a given rule. + description: TCPRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or - a Service with no endpoints), the rule performs no forwarding; if no - filters are specified that would result in a response being sent, the - underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. Support: Core for Kubernetes Service @@ -17178,7 +17739,7 @@ spec: - rules type: object status: - description: Status defines the current state of TLSRoute. + description: Status defines the current state of TCPRoute. properties: parents: description: |- @@ -17221,7 +17782,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -17454,22 +18015,51 @@ spec: - spec type: object served: true - storage: false + storage: true subresources: status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. - - If you need to forward traffic to a single target for a TLS listener, you +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener. properties: apiVersion: @@ -17501,32 +18091,6 @@ spec: 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have specified at least one of `test.example.com` or - `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have specified at least one hostname that matches the Listener - hostname. For example, `test.example.com` and `*.example.com` would both - match. On the other hand, `example.com` and `test.example.net` would not - match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches @@ -17551,6 +18115,17 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -17933,10 +18508,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17948,10 +18521,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) useDefaultGateways: description: |- UseDefaultGateways indicates the default Gateway scope to use for this @@ -18018,7 +18587,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -18254,46 +18823,20 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: udproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: UDPRoute - listKind: UDPRouteList - plural: udproutes - singular: udproute - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. name: v1alpha2 schema: openAPIV3Schema: description: |- - UDPRoute provides a way to route UDP traffic. When combined with a Gateway - listener, it can be used to forward traffic on the port specified by the - listener to a set of backends specified by the UDPRoute. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. properties: apiVersion: description: |- @@ -18313,8 +18856,66 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of UDPRoute. + description: Spec defines the desired state of TLSRoute. properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -18552,18 +19153,21 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: Rules are a list of TLS matchers and actions. items: - description: UDPRouteRule is the configuration for a given rule. + description: TLSRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Packet drops must - respect weight; if an invalid backend is requested to have 80% of - the packets, then 80% of packets must be dropped instead. + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. Support: Core for Kubernetes Service @@ -18694,10 +19298,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18735,7 +19337,7 @@ spec: - rules type: object status: - description: Status defines the current state of UDPRoute. + description: Status defines the current state of TLSRoute. properties: parents: description: |- @@ -18778,7 +19380,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -19011,52 +19613,26 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - labels: - gateway.networking.k8s.io/policy: Direct - name: xbackendtrafficpolicies.gateway.networking.x-k8s.io -spec: - group: gateway.networking.x-k8s.io - names: - categories: - - gateway-api - kind: XBackendTrafficPolicy - listKind: XBackendTrafficPolicyList - plural: xbackendtrafficpolicies - shortNames: - - xbtrafficpolicy - singular: xbackendtrafficpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 schema: openAPIV3Schema: description: |- - XBackendTrafficPolicy defines the configuration for how traffic to a - target backend should be handled. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. properties: apiVersion: description: |- @@ -19076,320 +19652,1358 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of BackendTrafficPolicy. + description: Spec defines the desired state of TLSRoute. properties: - retryConstraint: + hostnames: description: |- - RetryConstraint defines the configuration for when to allow or prevent - further retries to a target backend, by dynamically calculating a 'retry - budget'. This budget is calculated based on the percentage of incoming - traffic composed of retries over a given time interval. Once the budget - is exceeded, additional retries will be rejected. - - For example, if the retry budget interval is 10 seconds, there have been - 1000 active requests in the past 10 seconds, and the allowed percentage - of requests that can be retried is 20% (the default), then 200 of those - requests may be composed of retries. Active requests will only be - considered for the duration of the interval when calculating the retry - budget. Retrying the same original request multiple times within the - retry budget interval will lead to each retry being counted towards - calculating the budget. + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - HTTPRoute Retry settings for each HTTPRouteRule that targets the same - backend. While the HTTPRouteRule Retry stanza can specify whether a - request will be retried, and the number of retry attempts each client - may perform, RetryConstraint helps prevent cascading failures such as - retry storms during periods of consistent failures. + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + UDPRoute provides a way to route UDP traffic. When combined with a Gateway + listener, it can be used to forward traffic on the port specified by the + listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - After the retry budget has been exceeded, additional retries to the - backend MUST return a 503 response to the client. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Additional configurations for defining a constraint on retries MAY be - defined in the future. + There are two kinds of parent resources with "Core" support: - Support: Extended - properties: - budget: - default: - interval: 10s - percent: 20 - description: Budget holds the details of the retry budget configuration. - properties: - interval: - default: 10s - description: |- - Interval defines the duration in which requests will be considered - for calculating the budget for retries. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour or less - than one second - rule: '!(duration(self) < duration(''1s'') || duration(self) - > duration(''1h''))' - percent: - default: 20 - description: |- - Percent defines the maximum percentage of active requests that may - be made up of retries. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support: Extended - maximum: 100 - minimum: 0 - type: integer - type: object - minRetryRate: - default: - count: 10 - interval: 1s - description: |- - MinRetryRate defines the minimum rate of retries that will be allowable - over a specified duration of time. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - The effective overall minimum rate of retries targeting the backend - service may be much higher, as there can be any number of clients which - are applying this setting locally. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - This ensures that requests can still be retried during periods of low - traffic, where the budget for retries may be calculated as a very low - value. - Support: Extended - properties: - count: - description: |- - Count specifies the number of requests per time interval. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Support: Extended - maximum: 1000000 - minimum: 1 - type: integer - interval: - description: |- - Interval specifies the divisor of the rate of requests, the amount of - time during which the given count of requests occur. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour - rule: '!(duration(self) == duration(''0s'') || duration(self) - > duration(''1h''))' - type: object - type: object - sessionPersistence: - description: |- - SessionPersistence defines and configures session persistence - for the backend. - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Packet drops must + respect weight; if an invalid backend is requested to have 80% of + the packets, then 80% of packets must be dropped instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. - Defaults to "Session". + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - Support: Core for "Session" type - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + Defaults to "Service" when not specified. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. - Support: Core for "Cookie" type + Support: Core (Services with a type other than ExternalName) - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - targetRefs: - description: |- - TargetRefs identifies API object(s) to apply this policy to. - Currently, Backends (A grouping of like endpoints such as Service, - ServiceImport, or any implementation-specific backendRef) are the only - valid API target references. + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. - Currently, a TargetRef can not be scoped to a specific port on a - Service. - items: - description: |- - LocalPolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic name: - description: Name is the name of the target resource. + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - - group - - kind - - name + - backendRefs type: object maxItems: 16 minItems: 1 type: array - x-kubernetes-list-map-keys: - - group - - kind - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string required: - - targetRefs + - rules type: object status: - description: Status defines the current state of BackendTrafficPolicy. + description: Status defines the current state of UDPRoute. properties: - ancestors: + parents: description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. - - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. - - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. items: description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. + Example: "example.net/gateway-controller". - This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. - properties: - ancestorRef: + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. properties: group: default: gateway.networking.k8s.io @@ -19523,99 +21137,16 @@ spec: required: - name type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string required: - - ancestorRef - conditions - controllerName + - parentRef type: object - maxItems: 16 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - ancestors + - parents type: object required: - spec @@ -19632,36 +21163,82 @@ status: storedVersions: null --- # -# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml +# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." + reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] +--- +# +# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: xlistenersets.gateway.networking.x-k8s.io + labels: + gateway.networking.k8s.io/policy: Direct + name: xbackendtrafficpolicies.gateway.networking.x-k8s.io spec: group: gateway.networking.x-k8s.io names: categories: - gateway-api - kind: XListenerSet - listKind: XListenerSetList - plural: xlistenersets + kind: XBackendTrafficPolicy + listKind: XBackendTrafficPolicyList + plural: xbackendtrafficpolicies shortNames: - - lset - singular: xlistenerset + - xbtrafficpolicy + singular: xbackendtrafficpolicy scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -19669,33 +21246,8 @@ spec: schema: openAPIV3Schema: description: |- - XListenerSet defines a set of additional listeners to attach to an existing Gateway. - This resource provides a mechanism to merge multiple listeners into a single Gateway. - - The parent Gateway must explicitly allow ListenerSet attachment through its - AllowedListeners configuration. By default, Gateways do not allow ListenerSet - attachment. - - Routes can attach to a ListenerSet by specifying it as a parentRef, and can - optionally target specific listeners using the sectionName field. - - Policy Attachment: - - Policies that attach to a ListenerSet apply to all listeners defined in that resource - - Policies do not impact listeners in the parent Gateway - - Different ListenerSets attached to the same Gateway can have different policies - - If an implementation cannot apply a policy to specific listeners, it should reject the policy - - ReferenceGrant Semantics: - - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - - Gateway Integration: - - The parent Gateway's status will include an "AttachedListenerSets" condition - - This condition will be: - - True: when AllowedListeners is set and at least one child ListenerSet is attached - - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - - Unknown: when no AllowedListeners config is present + XBackendTrafficPolicy defines the configuration for how traffic to a + target backend should be handled. properties: apiVersion: description: |- @@ -19715,579 +21267,458 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ListenerSet. + description: Spec defines the desired state of BackendTrafficPolicy. properties: - listeners: + retryConstraint: description: |- - Listeners associated with this ListenerSet. Listeners define - logical endpoints that are bound on this referenced parent Gateway's addresses. - - Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - as a list when programming the underlying infrastructure. Each listener - name does not need to be unique across the Gateway and ListenerSets. - See ListenerEntry.Name for more details. - - Implementations MUST treat the parent Gateway as having the merged - list of all listeners from itself and attached ListenerSets using - the following precedence: - - 1. "parent" Gateway - 2. ListenerSet ordered by creation time (oldest first) - 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - - An implementation MAY reject listeners by setting the ListenerEntryStatus - `Accepted` condition to False with the Reason `TooManyListeners` - - If a listener has a conflict, this will be reported in the - Status.ListenerEntryStatus setting the `Conflicted` condition to True. - - Implementations SHOULD be cautious about what information from the - parent or siblings are reported to avoid accidentally leaking - sensitive information that the child would not otherwise have access - to. This can include contents of secrets etc. - items: - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. - - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: - - * The most specific match as defined by the Route type. - * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. - - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. - - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. - If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. - - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. - - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: - - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. - * Same: Only Routes in the same namespace may be used by this Gateway. + RetryConstraint defines the configuration for when to allow or prevent + further retries to a target backend, by dynamically calculating a 'retry + budget'. This budget is calculated based on the percentage of incoming + traffic composed of retries over a given time interval. Once the budget + is exceeded, additional retries will be rejected. - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". + For example, if the retry budget interval is 10 seconds, there have been + 1000 active requests in the past 10 seconds, and the allowed percentage + of requests that can be retried is 20% (the default), then 200 of those + requests may be composed of retries. Active requests will only be + considered for the duration of the interval when calculating the retry + budget. Retrying the same original request multiple times within the + retry budget interval will lead to each retry being counted towards + calculating the budget. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: - description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. + Configuring a RetryConstraint in BackendTrafficPolicy is compatible with + HTTPRoute Retry settings for each HTTPRouteRule that targets the same + backend. While the HTTPRouteRule Retry stanza can specify whether a + request will be retried, and the number of retry attempts each client + may perform, RetryConstraint helps prevent cascading failures such as + retry storms during periods of consistent failures. - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: + After the retry budget has been exceeded, additional retries to the + backend MUST return a 503 response to the client. - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - protocol layers as described above. If an implementation does not - ensure that both the SNI and Host header match the Listener hostname, - it MUST clearly document that. + Additional configurations for defining a constraint on retries MAY be + defined in the future. - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. + Support: Extended + properties: + budget: + default: + interval: 10s + percent: 20 + description: Budget holds the details of the retry budget configuration. + properties: + interval: + default: 10s + description: |- + Interval defines the duration in which requests will be considered + for calculating the budget for retries. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - name: - description: |- - Name is the name of the Listener. This name MUST be unique within a - ListenerSet. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour or less + than one second + rule: '!(duration(self) < duration(''1s'') || duration(self) + > duration(''1h''))' + percent: + default: 20 + description: |- + Percent defines the maximum percentage of active requests that may + be made up of retries. - Name is not required to be unique across a Gateway and ListenerSets. - Routes can attach to a Listener by having a ListenerSet as a parentRef - and setting the SectionName - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - port: - default: 0 - description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. + Support: Extended + maximum: 100 + minimum: 0 + type: integer + type: object + minRetryRate: + default: + count: 10 + interval: 1s + description: |- + MinRetryRate defines the minimum rate of retries that will be allowable + over a specified duration of time. - If the port is not set or specified as zero, the implementation will assign - a unique port. If the implementation does not support dynamic port - assignment, it MUST set `Accepted` condition to `False` with the - `UnsupportedPort` reason. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - protocol: - description: Protocol specifies the network protocol this listener - expects to receive. - maxLength: 255 - minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ - type: string - tls: - description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". + The effective overall minimum rate of retries targeting the backend + service may be much higher, as there can be any number of clients which + are applying this setting locally. - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. + This ensures that requests can still be retried during periods of low + traffic, where the budget for retries may be calculated as a very low + value. - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. + Support: Extended + properties: + count: + description: |- + Count specifies the number of requests per time interval. - A single CertificateRef to a Kubernetes Secret has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. + Support: Extended + maximum: 1000000 + minimum: 1 + type: integer + interval: + description: |- + Interval specifies the divisor of the rate of requests, the amount of + time during which the given count of requests occur. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour + rule: '!(duration(self) == duration(''0s'') || duration(self) + > duration(''1h''))' + type: object + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the backend. - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + Defaults to "Session". - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + Support: Core for "Session" type - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate - description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. - Support: Core - enum: - - Terminate - - Passthrough - type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use of a header or cookie. Defaults to cookie based session + persistence. - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. + Support: Core for "Cookie" type - Support: Implementation-specific - maxProperties: 16 - type: object - type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' + targetRefs: + description: |- + TargetRefs identifies API object(s) to apply this policy to. + Currently, Backends (A grouping of like endpoints such as Service, + ServiceImport, or any implementation-specific backendRef) are the only + valid API target references. + + Currently, a TargetRef cannot be scoped to a specific port on a + Service. + items: + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string required: + - group + - kind - name - - protocol type: object - maxItems: 64 + maxItems: 16 minItems: 1 type: array x-kubernetes-list-map-keys: + - group + - kind - name x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) - && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) - && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) - && !has(l2.hostname))))' - parentRef: - description: ParentRef references the Gateway that the listeners are - attached to. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: Kind is kind of the referent. For example "Gateway". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. If not present, - the namespace of the referent is assumed to be the same as - the namespace of the referring object. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object required: - - listeners - - parentRef + - targetRefs type: object status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of ListenerSet. + description: Status defines the current state of BackendTrafficPolicy. properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed + ancestors: description: |- - Conditions describe the current conditions of the ListenerSet. + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Implementations MUST express ListenerSet conditions using the - `ListenerSetConditionType` and `ListenerSetConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe ListenerSet state. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Known condition types are: - * "Accepted" - * "Programmed" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. - items: - description: ListenerStatus is the status associated with a Listener. - properties: - attachedRoutes: - description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object conditions: - description: Conditions describe the current condition of this - listener. + description: Conditions describes the status of the Policy with + respect to the given Ancestor. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -20344,69 +21775,40 @@ spec: - type type: object maxItems: 8 + minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - port: - description: Port is the network port the listener is configured - to listen on. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic required: - - attachedRoutes + - ancestorRef - conditions - - name - - port - - supportedKinds + - controllerName type: object - maxItems: 64 + maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + required: + - ancestors type: object required: - spec @@ -20430,7 +21832,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: diff --git a/go.mod b/go.mod index 44e3746fe1..8f597e1d5c 100644 --- a/go.mod +++ b/go.mod @@ -70,9 +70,9 @@ require ( k8s.io/klog/v2 v2.130.1 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 k8s.io/kubectl v0.35.0 - k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 + k8s.io/utils v0.0.0-20260108192941-914a6e750570 sigs.k8s.io/controller-runtime v0.23.1 - sigs.k8s.io/gateway-api v1.4.1 + sigs.k8s.io/gateway-api v1.5.0-rc.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 sigs.k8s.io/mcs-api v0.3.0 sigs.k8s.io/yaml v1.6.0 @@ -191,7 +191,7 @@ require ( github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e // indirect github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect github.com/lyft/gostats v0.4.1 // indirect - github.com/mailru/easyjson v0.9.0 // indirect + github.com/mailru/easyjson v0.9.1 // indirect github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect diff --git a/go.sum b/go.sum index 6a8decb92f..eb2a0b1a88 100644 --- a/go.sum +++ b/go.sum @@ -376,8 +376,8 @@ github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIi github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg= github.com/lyft/gostats v0.4.1 h1:oR6p4HRCGxt0nUntmZIWmYMgyothBi3eZH2A71vRjsc= github.com/lyft/gostats v0.4.1/go.mod h1:Tpx2xRzz4t+T2Tx0xdVgIoBdR2UMVz+dKnE3X01XSd8= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8= +github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= @@ -447,13 +447,13 @@ github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= -github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/ginkgo/v2 v2.28.0 h1:Rrf+lVLmtlBIKv6KrIGJCjyY8N36vDVcutbGJkyqjJc= +github.com/onsi/ginkgo/v2 v2.28.0/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= -github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= +github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= +github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= @@ -824,8 +824,8 @@ k8s.io/kubectl v0.35.0 h1:cL/wJKHDe8E8+rP3G7avnymcMg6bH6JEcR5w5uo06wc= k8s.io/kubectl v0.35.0/go.mod h1:VR5/TSkYyxZwrRwY5I5dDq6l5KXmiCb+9w8IKplk3Qo= k8s.io/metrics v0.35.0 h1:xVFoqtAGm2dMNJAcB5TFZJPCen0uEqqNt52wW7ABbX8= k8s.io/metrics v0.35.0/go.mod h1:g2Up4dcBygZi2kQSEQVDByFs+VUwepJMzzQLJJLpq4M= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY= +k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= periph.io/x/host/v3 v3.8.5 h1:g4g5xE1XZtDiGl1UAJaUur1aT7uNiFLMkyMEiZ7IHII= @@ -834,8 +834,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUo sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= -sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8= -sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk= +sigs.k8s.io/gateway-api v1.5.0-rc.1 h1:AS+IYP7NdTqDYmWlVl2J9+EcpQ8QyGsRu4kusr2W0vs= +sigs.k8s.io/gateway-api v1.5.0-rc.1/go.mod h1:GpMCTueMQOF6+p7aEvFMdQK97F0kG35whYyziGj5Lrg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= diff --git a/internal/cmd/egctl/testdata/translate/in/rejected-http-route.yaml b/internal/cmd/egctl/testdata/translate/in/rejected-http-route.yaml deleted file mode 100644 index 6979c77c15..0000000000 --- a/internal/cmd/egctl/testdata/translate/in/rejected-http-route.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - name: eg -spec: - controllerName: gateway.envoyproxy.io/gatewayclass-controller ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: eg -spec: - gatewayClassName: eg - listeners: - - name: tls - protocol: TLS - port: 8443 ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: backend -spec: - parentRefs: - - name: eg - rules: - - backendRefs: - - group: "" - kind: Service - name: backend - port: 3000 - weight: 1 - matches: - - path: - type: PathPrefix - value: / - diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml index 109e252fe2..40b9babaf8 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml @@ -5,7 +5,6 @@ gatewayClass: name: eg spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller - status: {} gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml b/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml deleted file mode 100644 index f3daeb0a37..0000000000 --- a/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml +++ /dev/null @@ -1,90 +0,0 @@ -gatewayClass: - apiVersion: gateway.networking.k8s.io/v1 - kind: GatewayClass - metadata: - name: eg - spec: - controllerName: gateway.envoyproxy.io/gatewayclass-controller - status: - conditions: - - lastTransitionTime: null - message: Valid GatewayClass - reason: Accepted - status: "True" - type: Accepted -gateways: -- apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - metadata: - name: eg - namespace: envoy-gateway-system - spec: - gatewayClassName: eg - listeners: - - allowedRoutes: - namespaces: - from: Same - name: tls - port: 8443 - protocol: TLS - status: - listeners: - - attachedRoutes: 0 - conditions: - - lastTransitionTime: null - message: Listener must have TLS set when protocol is TLS. - reason: Invalid - status: "False" - type: Programmed - - lastTransitionTime: null - message: Listener references have been resolved - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - name: tls - supportedKinds: - - group: gateway.networking.k8s.io - kind: TCPRoute - - group: gateway.networking.k8s.io - kind: TLSRoute -httpRoutes: -- apiVersion: gateway.networking.k8s.io/v1 - kind: HTTPRoute - metadata: - name: backend - namespace: envoy-gateway-system - spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: eg - rules: - - backendRefs: - - group: "" - kind: Service - name: backend - port: 3000 - weight: 1 - matches: - - path: - type: PathPrefix - value: / - status: - parents: - - conditions: - - lastTransitionTime: null - message: No listeners included by this parent ref allowed this attachment. - reason: NotAllowedByListeners - status: "False" - type: Accepted - - lastTransitionTime: null - message: 'Failed to process route rule 0 backendRef 0: service envoy-gateway-system/backend - not found.' - reason: BackendNotFound - status: "False" - type: ResolvedRefs - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parentRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index 770320d0fc..6d60bce182 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go @@ -212,14 +212,6 @@ func TestTranslate(t *testing.T) { resourceType: string(EndpointEnvoyConfigType), expect: true, }, - { - name: "rejected-http-route", - from: "gateway-api", - to: "gateway-api", - output: yamlOutput, - resourceType: string(RouteEnvoyConfigType), - expect: true, - }, { name: "echo-gateway-api", from: "gateway-api", diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 7cc3cc5ae8..bda586ec09 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -847,7 +847,7 @@ func mergeBackendTrafficPolicy(routePolicy, gwPolicy *egv1a1.BackendTrafficPolic return routePolicy, nil } - return utils.Merge[*egv1a1.BackendTrafficPolicy](gwPolicy, routePolicy, *routePolicy.Spec.MergeType) + return utils.Merge(gwPolicy, routePolicy, *routePolicy.Spec.MergeType) } func (t *Translator) buildTrafficFeatures(policy *egv1a1.BackendTrafficPolicy) (*ir.TrafficFeatures, error) { diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index 66dbce04ba..b31d8cd5ae 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go @@ -16,7 +16,6 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" mcsapiv1a1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -94,10 +93,10 @@ type ListenerContext struct { gateway *GatewayContext listenerStatusIdx int - // xListenerSet is the XListenerSet that this listener belongs to. + // listenerSet is the ListenerSet that this listener belongs to. // If nil, this listener belongs to the Gateway. - xListenerSet *gwapixv1a1.XListenerSet - xListenerSetStatusIdx int + listenerSet *gwapiv1.ListenerSet + listenerSetStatusIdx int namespaceSelector labels.Selector tlsSecrets []*corev1.Secret @@ -106,18 +105,18 @@ type ListenerContext struct { httpIR *ir.HTTPListener } -// isFromXListenerSet returns true if the listener belongs to an XListenerSet instead of a Gateway. -func (l *ListenerContext) isFromXListenerSet() bool { - return l.xListenerSet != nil +// isFromListenerSet returns true if the listener belongs to a ListenerSet instead of a Gateway. +func (l *ListenerContext) isFromListenerSet() bool { + return l.listenerSet != nil } func (l *ListenerContext) SetSupportedKinds(kinds ...gwapiv1.RouteGroupKind) { - if l.isFromXListenerSet() { + if l.isFromListenerSet() { if len(kinds) > 0 { - l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].SupportedKinds = make([]gwapixv1a1.RouteGroupKind, len(kinds)) - copy(l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].SupportedKinds, kinds) + l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].SupportedKinds = make([]gwapiv1.RouteGroupKind, len(kinds)) + copy(l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].SupportedKinds, kinds) } else { - l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].SupportedKinds = []gwapixv1a1.RouteGroupKind{} + l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].SupportedKinds = []gwapiv1.RouteGroupKind{} } } else { if len(kinds) > 0 { @@ -130,26 +129,26 @@ func (l *ListenerContext) SetSupportedKinds(kinds ...gwapiv1.RouteGroupKind) { } func (l *ListenerContext) IncrementAttachedRoutes() { - if l.isFromXListenerSet() { - l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].AttachedRoutes++ + if l.isFromListenerSet() { + l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].AttachedRoutes++ } else { l.gateway.Status.Listeners[l.listenerStatusIdx].AttachedRoutes++ } } func (l *ListenerContext) AttachedRoutes() int32 { - if l.isFromXListenerSet() { - return l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].AttachedRoutes + if l.isFromListenerSet() { + return l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].AttachedRoutes } return l.gateway.Status.Listeners[l.listenerStatusIdx].AttachedRoutes } func (l *ListenerContext) AllowsKind(kind gwapiv1.RouteGroupKind) bool { var supportedKinds []gwapiv1.RouteGroupKind - if l.xListenerSet != nil { - // Convert XListenerSet supported kinds to Gateway API kinds + if l.listenerSet != nil { + // Convert ListenerSet supported kinds to Gateway API kinds // Since they are alias types, we can cast them - supportedKinds = append(supportedKinds, l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].SupportedKinds...) + supportedKinds = append(supportedKinds, l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].SupportedKinds...) } else { supportedKinds = l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds } @@ -189,8 +188,8 @@ func (l *ListenerContext) AllowsNamespace(namespace *corev1.Namespace) bool { func (l *ListenerContext) IsReady() bool { var conditions []metav1.Condition - if l.isFromXListenerSet() { - conditions = l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].Conditions + if l.isFromListenerSet() { + conditions = l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].Conditions } else { conditions = l.gateway.Status.Listeners[l.listenerStatusIdx].Conditions } @@ -205,27 +204,27 @@ func (l *ListenerContext) IsReady() bool { } func (l *ListenerContext) GetNamespace() string { - if l.isFromXListenerSet() { - return l.xListenerSet.Namespace + if l.isFromListenerSet() { + return l.listenerSet.Namespace } return l.gateway.Namespace } func (l *ListenerContext) GetConditions() []metav1.Condition { - if l.isFromXListenerSet() { - return l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].Conditions + if l.isFromListenerSet() { + return l.listenerSet.Status.Listeners[l.listenerSetStatusIdx].Conditions } return l.gateway.Status.Listeners[l.listenerStatusIdx].Conditions } func (l *ListenerContext) SetCondition(conditionType gwapiv1.ListenerConditionType, conditionStatus metav1.ConditionStatus, reason gwapiv1.ListenerConditionReason, message string) { - if l.isFromXListenerSet() { - // Convert Gateway API types to XListenerSet types + if l.isFromListenerSet() { + // Convert Gateway API types to ListenerSet types // Note: The string values are expected to match between the APIs - status.SetXListenerSetListenerStatusCondition(l.xListenerSet, l.xListenerSetStatusIdx, - gwapixv1a1.ListenerEntryConditionType(conditionType), + status.SetListenerSetListenerStatusCondition(l.listenerSet, l.listenerSetStatusIdx, + gwapiv1.ListenerEntryConditionType(conditionType), conditionStatus, - gwapixv1a1.ListenerEntryConditionReason(reason), + gwapiv1.ListenerEntryConditionReason(reason), message) } else { status.SetGatewayListenerStatusCondition(l.gateway.Gateway, l.listenerStatusIdx, diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index a6cde9133c..d1f5ab4cdd 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -23,7 +23,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" @@ -143,15 +142,15 @@ func IsRefToGateway(routeNamespace gwapiv1.Namespace, parentRef gwapiv1.ParentRe return string(parentRef.Name) == gateway.Name } -// GetReferencedListeners returns whether a given parent ref references a Gateway or XListenerSet -// in the given list, and if so, a list of the Listeners within that Gateway or XListenerSet that +// GetReferencedListeners returns whether a given parent ref references a Gateway or ListenerSet +// in the given list, and if so, a list of the Listeners within that Gateway or ListenerSet that // are included by the parent ref (either one specific Listener, or all Listeners -// in the Gateway or XListenerSet, depending on whether section name is specified or not). +// in the Gateway or ListenerSet, depending on whether section name is specified or not). func GetReferencedListeners(routeNamespace gwapiv1.Namespace, parentRef gwapiv1.ParentReference, gateways []*GatewayContext) (bool, []*ListenerContext) { var referencedListeners []*ListenerContext - // The parentRef is an XListenerSet - if isRefToXListenerSet(parentRef) { + // The parentRef is an ListenerSet + if isRefToListenerSet(parentRef) { ns := routeNamespace if parentRef.Namespace != nil { ns = *parentRef.Namespace @@ -159,11 +158,11 @@ func GetReferencedListeners(routeNamespace gwapiv1.Namespace, parentRef gwapiv1. var matchedListenerSet bool for _, gateway := range gateways { for _, listener := range gateway.listeners { - if !listener.isFromXListenerSet() { + if !listener.isFromListenerSet() { continue } - if listener.xListenerSet.Namespace != string(ns) || - listener.xListenerSet.Name != string(parentRef.Name) { + if listener.listenerSet.Namespace != string(ns) || + listener.listenerSet.Name != string(parentRef.Name) { continue } matchedListenerSet = true @@ -180,7 +179,7 @@ func GetReferencedListeners(routeNamespace gwapiv1.Namespace, parentRef gwapiv1. for _, gateway := range gateways { if IsRefToGateway(routeNamespace, parentRef, utils.NamespacedName(gateway)) { for _, listener := range gateway.listeners { - if listener.isFromXListenerSet() { + if listener.isFromListenerSet() { continue } // The parentRef may be to the entire Gateway, or to a specific listener. @@ -195,9 +194,9 @@ func GetReferencedListeners(routeNamespace gwapiv1.Namespace, parentRef gwapiv1. return false, referencedListeners } -func isRefToXListenerSet(parentRef gwapiv1.ParentReference) bool { - if parentRef.Kind != nil && string(*parentRef.Kind) == resource.KindXListenerSet && - parentRef.Group != nil && string(*parentRef.Group) == gwapixv1a1.GroupVersion.Group { +func isRefToListenerSet(parentRef gwapiv1.ParentReference) bool { + if parentRef.Kind != nil && string(*parentRef.Kind) == resource.KindListenerSet && + parentRef.Group != nil && string(*parentRef.Group) == gwapiv1.GroupVersion.Group { return true } return false @@ -437,8 +436,8 @@ func extractGatewayNameFromListener(listenerName string) string { } func irListenerName(listener *ListenerContext) string { - if listener.isFromXListenerSet() { - return fmt.Sprintf("%s/%s/%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.xListenerSet.Namespace, listener.xListenerSet.Name, listener.Name) + if listener.isFromListenerSet() { + return fmt.Sprintf("%s/%s/%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.listenerSet.Namespace, listener.listenerSet.Name, listener.Name) } return fmt.Sprintf("%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.Name) } diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index f7b73653ea..09b17d3963 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -243,7 +243,7 @@ func loadKubernetesYAMLToResources(input []byte, addMissingResources bool, envoy Name: name, Namespace: namespace, }, - Spec: typedSpec.(gwapiv1a3.TLSRouteSpec), + Spec: typedSpec.(gwapiv1.TLSRouteSpec), } resources.TLSRoutes = append(resources.TLSRoutes, tlsRoute) case KindHTTPRoute: diff --git a/internal/gatewayapi/resource/resource.go b/internal/gatewayapi/resource/resource.go index 30af9ae2a4..e3f6f19fec 100644 --- a/internal/gatewayapi/resource/resource.go +++ b/internal/gatewayapi/resource/resource.go @@ -18,7 +18,6 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" mcsapiv1a1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -48,7 +47,7 @@ type Resources struct { GatewayClass *gwapiv1.GatewayClass `json:"gatewayClass,omitempty" yaml:"gatewayClass,omitempty"` Gateways []*gwapiv1.Gateway `json:"gateways,omitempty" yaml:"gateways,omitempty"` - XListenerSets []*gwapixv1a1.XListenerSet `json:"xListenerSets,omitempty" yaml:"xListenerSets,omitempty"` + ListenerSets []*gwapiv1.ListenerSet `json:"listenerSets,omitempty" yaml:"listenerSets,omitempty"` HTTPRoutes []*gwapiv1.HTTPRoute `json:"httpRoutes,omitempty" yaml:"httpRoutes,omitempty"` GRPCRoutes []*gwapiv1.GRPCRoute `json:"grpcRoutes,omitempty" yaml:"grpcRoutes,omitempty"` TLSRoutes []*gwapiv1a3.TLSRoute `json:"tlsRoutes,omitempty" yaml:"tlsRoutes,omitempty"` @@ -78,7 +77,7 @@ type Resources struct { func NewResources() *Resources { return &Resources{ Gateways: []*gwapiv1.Gateway{}, - XListenerSets: []*gwapixv1a1.XListenerSet{}, + ListenerSets: []*gwapiv1.ListenerSet{}, HTTPRoutes: []*gwapiv1.HTTPRoute{}, GRPCRoutes: []*gwapiv1.GRPCRoute{}, TLSRoutes: []*gwapiv1a3.TLSRoute{}, @@ -240,15 +239,15 @@ func (r *Resources) Sort() { return r.Gateways[i].CreationTimestamp.Before(&(r.Gateways[j].CreationTimestamp)) }) - // Sort XListenerSets by creation timestamp, then namespace/name - sort.Slice(r.XListenerSets, func(i, j int) bool { - if r.XListenerSets[i].CreationTimestamp.Equal(&(r.XListenerSets[j].CreationTimestamp)) { - if r.XListenerSets[i].Namespace != r.XListenerSets[j].Namespace { - return r.XListenerSets[i].Namespace < r.XListenerSets[j].Namespace + // Sort ListenerSets by creation timestamp, then namespace/name + sort.Slice(r.ListenerSets, func(i, j int) bool { + if r.ListenerSets[i].CreationTimestamp.Equal(&(r.ListenerSets[j].CreationTimestamp)) { + if r.ListenerSets[i].Namespace != r.ListenerSets[j].Namespace { + return r.ListenerSets[i].Namespace < r.ListenerSets[j].Namespace } - return r.XListenerSets[i].Name < r.XListenerSets[j].Name + return r.ListenerSets[i].Name < r.ListenerSets[j].Name } - return r.XListenerSets[i].CreationTimestamp.Before(&(r.XListenerSets[j].CreationTimestamp)) + return r.ListenerSets[i].CreationTimestamp.Before(&(r.ListenerSets[j].CreationTimestamp)) }) // Sort HTTPRoutes by creation timestamp, then namespace/name diff --git a/internal/gatewayapi/resource/supported_kind.go b/internal/gatewayapi/resource/supported_kind.go index d62a5c7ad6..58a91c7cc9 100644 --- a/internal/gatewayapi/resource/supported_kind.go +++ b/internal/gatewayapi/resource/supported_kind.go @@ -29,5 +29,5 @@ const ( KindHTTPRouteFilter = "HTTPRouteFilter" KindReferenceGrant = "ReferenceGrant" KindClusterTrustBundle = "ClusterTrustBundle" - KindXListenerSet = "XListenerSet" + KindListenerSet = "ListenerSet" ) diff --git a/internal/gatewayapi/resource/testdata/all-resources.out.yaml b/internal/gatewayapi/resource/testdata/all-resources.out.yaml index 0f7e0b9a50..ed845ce395 100644 --- a/internal/gatewayapi/resource/testdata/all-resources.out.yaml +++ b/internal/gatewayapi/resource/testdata/all-resources.out.yaml @@ -182,7 +182,6 @@ gatewayClass: name: eg spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller - status: {} gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway @@ -198,7 +197,6 @@ gateways: name: http port: 80 protocol: HTTP - status: {} grpcRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute diff --git a/internal/gatewayapi/resource/testdata/all-resources2.out.yaml b/internal/gatewayapi/resource/testdata/all-resources2.out.yaml index 0f7e0b9a50..ed845ce395 100644 --- a/internal/gatewayapi/resource/testdata/all-resources2.out.yaml +++ b/internal/gatewayapi/resource/testdata/all-resources2.out.yaml @@ -182,7 +182,6 @@ gatewayClass: name: eg spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller - status: {} gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway @@ -198,7 +197,6 @@ gateways: name: http port: 80 protocol: HTTP - status: {} grpcRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute diff --git a/internal/gatewayapi/resource/zz_generated.deepcopy.go b/internal/gatewayapi/resource/zz_generated.deepcopy.go index 241bcc73b7..010123c411 100644 --- a/internal/gatewayapi/resource/zz_generated.deepcopy.go +++ b/internal/gatewayapi/resource/zz_generated.deepcopy.go @@ -19,7 +19,6 @@ import ( "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/gateway-api/apis/v1alpha3" "sigs.k8s.io/gateway-api/apis/v1beta1" - apisxv1alpha1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" apisv1alpha1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" ) @@ -63,13 +62,13 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } - if in.XListenerSets != nil { - in, out := &in.XListenerSets, &out.XListenerSets - *out = make([]*apisxv1alpha1.XListenerSet, len(*in)) + if in.ListenerSets != nil { + in, out := &in.ListenerSets, &out.ListenerSets + *out = make([]*v1.ListenerSet, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(apisxv1alpha1.XListenerSet) + *out = new(v1.ListenerSet) (*in).DeepCopyInto(*out) } } diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 77dcf79481..17d6fe6ea9 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -175,7 +175,7 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re keysToDelete := r.keyCache.copy() // Aggregate metric counters for batch publishing - var infraIRCount, xdsIRCount, gatewayStatusCount, xListenerSetStatusCount, httpRouteStatusCount, grpcRouteStatusCount int + var infraIRCount, xdsIRCount, gatewayStatusCount, listenerSetStatusCount, httpRouteStatusCount, grpcRouteStatusCount int var tlsRouteStatusCount, tcpRouteStatusCount, udpRouteStatusCount int var backendTLSPolicyStatusCount, clientTrafficPolicyStatusCount, backendTrafficPolicyStatusCount int var securityPolicyStatusCount, envoyExtensionPolicyStatusCount, backendStatusCount, extensionServerPolicyStatusCount int @@ -274,12 +274,12 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re delete(keysToDelete.GatewayStatus, key) r.keyCache.GatewayStatus[key] = true } - for _, xListenerSet := range result.XListenerSets { - key := utils.NamespacedName(xListenerSet) - r.ProviderResources.XListenerSetStatuses.Store(key, &xListenerSet.Status) - xListenerSetStatusCount++ - delete(keysToDelete.XListenerSetStatus, key) - r.keyCache.XListenerSetStatus[key] = true + for _, listenerSet := range result.ListenerSets { + key := utils.NamespacedName(listenerSet) + r.ProviderResources.ListenerSetStatuses.Store(key, &listenerSet.Status) + listenerSetStatusCount++ + delete(keysToDelete.ListenerSetStatus, key) + r.keyCache.ListenerSetStatus[key] = true } for _, httpRoute := range result.HTTPRoutes { key := utils.NamespacedName(httpRoute) @@ -399,7 +399,7 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.XDSIRMessageName}, xdsIRCount) message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.GatewayClassStatusMessageName}, 1) message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.GatewayStatusMessageName}, gatewayStatusCount) - message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.XListenerSetStatusMessageName}, xListenerSetStatusCount) + message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.ListenerSetStatusMessageName}, listenerSetStatusCount) message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.HTTPRouteStatusMessageName}, httpRouteStatusCount) message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.GRPCRouteStatusMessageName}, grpcRouteStatusCount) message.PublishMetric(message.Metadata{Runner: r.Name(), Message: message.TLSRouteStatusMessageName}, tlsRouteStatusCount) @@ -492,8 +492,8 @@ func (r *Runner) deleteAllKeys() { for key := range r.keyCache.GatewayStatus { r.ProviderResources.GatewayStatuses.Delete(key) } - for key := range r.keyCache.XListenerSetStatus { - r.ProviderResources.XListenerSetStatuses.Delete(key) + for key := range r.keyCache.ListenerSetStatus { + r.ProviderResources.ListenerSetStatuses.Delete(key) } for key := range r.keyCache.HTTPRouteStatus { r.ProviderResources.HTTPRouteStatuses.Delete(key) @@ -542,7 +542,7 @@ type KeyCache struct { // Status keys GatewayStatus map[types.NamespacedName]bool - XListenerSetStatus map[types.NamespacedName]bool + ListenerSetStatus map[types.NamespacedName]bool HTTPRouteStatus map[types.NamespacedName]bool GRPCRouteStatus map[types.NamespacedName]bool TLSRouteStatus map[types.NamespacedName]bool @@ -572,8 +572,8 @@ func (kc *KeyCache) copy() *KeyCache { for key := range kc.GatewayStatus { copied.GatewayStatus[key] = true } - for key := range kc.XListenerSetStatus { - copied.XListenerSetStatus[key] = true + for key := range kc.ListenerSetStatus { + copied.ListenerSetStatus[key] = true } for key := range kc.HTTPRouteStatus { copied.HTTPRouteStatus[key] = true @@ -619,7 +619,7 @@ func newKeyCache() *KeyCache { return &KeyCache{ IR: make(map[string]bool), GatewayStatus: make(map[types.NamespacedName]bool), - XListenerSetStatus: make(map[types.NamespacedName]bool), + ListenerSetStatus: make(map[types.NamespacedName]bool), HTTPRouteStatus: make(map[types.NamespacedName]bool), GRPCRouteStatus: make(map[types.NamespacedName]bool), TLSRouteStatus: make(map[types.NamespacedName]bool), @@ -647,8 +647,8 @@ func (r *Runner) populateKeyCache() { for key := range r.ProviderResources.GatewayStatuses.LoadAll() { r.keyCache.GatewayStatus[key] = true } - for key := range r.ProviderResources.XListenerSetStatuses.LoadAll() { - r.keyCache.XListenerSetStatus[key] = true + for key := range r.ProviderResources.ListenerSetStatuses.LoadAll() { + r.keyCache.ListenerSetStatus[key] = true } for key := range r.ProviderResources.HTTPRouteStatuses.LoadAll() { r.keyCache.HTTPRouteStatus[key] = true @@ -701,9 +701,9 @@ func (r *Runner) deleteKeys(kc *KeyCache) { r.ProviderResources.GatewayStatuses.Delete(key) delete(r.keyCache.GatewayStatus, key) } - for key := range kc.XListenerSetStatus { - r.ProviderResources.XListenerSetStatuses.Delete(key) - delete(r.keyCache.XListenerSetStatus, key) + for key := range kc.ListenerSetStatus { + r.ProviderResources.ListenerSetStatuses.Delete(key) + delete(r.keyCache.ListenerSetStatus, key) } for key := range kc.HTTPRouteStatus { r.ProviderResources.HTTPRouteStatuses.Delete(key) diff --git a/internal/gatewayapi/runner/runner_test.go b/internal/gatewayapi/runner/runner_test.go index 525080ab71..674654d4c0 100644 --- a/internal/gatewayapi/runner/runner_test.go +++ b/internal/gatewayapi/runner/runner_test.go @@ -114,7 +114,7 @@ func setupTestRunner(t *testing.T) (*Runner, []types.NamespacedName) { r.ProviderResources.GatewayStatuses.Store(keys[0], &gwapiv1.GatewayStatus{}) r.ProviderResources.HTTPRouteStatuses.Store(keys[1], &gwapiv1.HTTPRouteStatus{}) r.ProviderResources.GRPCRouteStatuses.Store(keys[2], &gwapiv1.GRPCRouteStatus{}) - r.ProviderResources.TLSRouteStatuses.Store(keys[3], &gwapiv1a2.TLSRouteStatus{}) + r.ProviderResources.TLSRouteStatuses.Store(keys[3], &gwapiv1.TLSRouteStatus{}) r.ProviderResources.TCPRouteStatuses.Store(keys[4], &gwapiv1a2.TCPRouteStatus{}) r.ProviderResources.UDPRouteStatuses.Store(keys[5], &gwapiv1a2.UDPRouteStatus{}) r.ProviderResources.UDPRouteStatuses.Store(keys[6], &gwapiv1a2.UDPRouteStatus{}) diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index 923594007e..c9e625d764 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -134,7 +134,7 @@ func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Ser updateGatewayProgrammedCondition(gw, envoyObj) } -// Important: do not use this function directly, use listener.SetCondition instead so that listeners from XListenerSet can be updated correctly +// Important: do not use this function directly, use listener.SetCondition instead so that listeners from ListenerSet can be updated correctly func SetGatewayListenerStatusCondition(gateway *gwapiv1.Gateway, listenerStatusIdx int, conditionType gwapiv1.ListenerConditionType, status metav1.ConditionStatus, reason gwapiv1.ListenerConditionReason, message string, ) { diff --git a/internal/gatewayapi/status/xlistenerset.go b/internal/gatewayapi/status/xlistenerset.go index 43ac34792f..6ace3f989c 100644 --- a/internal/gatewayapi/status/xlistenerset.go +++ b/internal/gatewayapi/status/xlistenerset.go @@ -7,32 +7,32 @@ package status import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) -// UpdateXListenerSetStatusAccepted updates the Accepted condition for the XListenerSet. -func UpdateXListenerSetStatusAccepted(xls *gwapixv1a1.XListenerSet, accepted bool, reason gwapixv1a1.ListenerSetConditionReason, msg string) { +// UpdateListenerSetStatusAccepted updates the Accepted condition for the ListenerSet. +func UpdateListenerSetStatusAccepted(xls *gwapiv1.ListenerSet, accepted bool, reason gwapiv1.ListenerSetConditionReason, msg string) { status := metav1.ConditionFalse if accepted { status = metav1.ConditionTrue } - cond := newCondition(string(gwapixv1a1.ListenerSetConditionAccepted), status, string(reason), msg, xls.Generation) + cond := newCondition(string(gwapiv1.ListenerSetConditionAccepted), status, string(reason), msg, xls.Generation) xls.Status.Conditions = MergeConditions(xls.Status.Conditions, cond) } -// UpdateXListenerSetStatusProgrammed updates the Programmed condition for the XListenerSet. -func UpdateXListenerSetStatusProgrammed(xls *gwapixv1a1.XListenerSet, programmed bool, reason gwapixv1a1.ListenerSetConditionReason, msg string) { +// UpdateListenerSetStatusProgrammed updates the Programmed condition for the ListenerSet. +func UpdateListenerSetStatusProgrammed(xls *gwapiv1.ListenerSet, programmed bool, reason gwapiv1.ListenerSetConditionReason, msg string) { status := metav1.ConditionFalse if programmed { status = metav1.ConditionTrue } - cond := newCondition(string(gwapixv1a1.ListenerSetConditionProgrammed), status, string(reason), msg, xls.Generation) + cond := newCondition(string(gwapiv1.ListenerSetConditionProgrammed), status, string(reason), msg, xls.Generation) xls.Status.Conditions = MergeConditions(xls.Status.Conditions, cond) } -// SetXListenerSetListenerStatusCondition sets a condition for a specific listener in the XListenerSet. -func SetXListenerSetListenerStatusCondition(xls *gwapixv1a1.XListenerSet, listenerStatusIdx int, - conditionType gwapixv1a1.ListenerEntryConditionType, status metav1.ConditionStatus, reason gwapixv1a1.ListenerEntryConditionReason, message string, +// SetListenerSetListenerStatusCondition sets a condition for a specific listener in the ListenerSet. +func SetListenerSetListenerStatusCondition(xls *gwapiv1.ListenerSet, listenerStatusIdx int, + conditionType gwapiv1.ListenerEntryConditionType, status metav1.ConditionStatus, reason gwapiv1.ListenerEntryConditionReason, message string, ) { cond := metav1.Condition{ Type: string(conditionType), diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml index f6cb5589b7..432e4ed78f 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml @@ -71,9 +71,7 @@ gateways: protocol: TLS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml index d0548d1b5e..d7d3fa5774 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml @@ -47,9 +47,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate - allowedRoutes: namespaces: @@ -60,9 +58,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate - allowedRoutes: namespaces: @@ -73,9 +69,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml index 3d7754fe32..2984d19d5b 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml @@ -18,7 +18,6 @@ clientTrafficPolicies: clientValidation: caCertificateRefs: - group: "" - kind: null name: tls-secret-1 namespace: default status: @@ -145,9 +144,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate - allowedRoutes: @@ -164,9 +161,7 @@ gateways: protocol: TLS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate - allowedRoutes: @@ -283,9 +278,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate - allowedRoutes: @@ -302,9 +295,7 @@ gateways: protocol: TLS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate - allowedRoutes: @@ -421,9 +412,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate - allowedRoutes: @@ -440,9 +429,7 @@ gateways: protocol: TLS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate - allowedRoutes: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-invalid.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-invalid.out.yaml index 1bf9bd40e6..6daed09e28 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-invalid.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-invalid.out.yaml @@ -18,7 +18,6 @@ clientTrafficPolicies: clientValidation: caCertificateRefs: - group: "" - kind: null name: tls-bundle-secret namespace: default status: @@ -54,9 +53,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-bundle-secret + - name: tls-bundle-secret namespace: default mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-valid.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-valid.out.yaml index e6e6a822dd..c5aae30f00 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-valid.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-valid.out.yaml @@ -18,7 +18,6 @@ clientTrafficPolicies: clientValidation: caCertificateRefs: - group: "" - kind: null name: tls-bundle-secret namespace: default status: @@ -52,9 +51,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-bundle-secret + - name: tls-bundle-secret namespace: default mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle.out.yaml index 8e384a01b4..92e1e49420 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle.out.yaml @@ -18,7 +18,6 @@ clientTrafficPolicies: clientValidation: caCertificateRefs: - group: "" - kind: null name: tls-bundle-secret namespace: default status: @@ -52,9 +51,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-bundle-secret + - name: tls-bundle-secret namespace: default mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml index 2a5755fd9e..cad9955d1e 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification-expired-crl.out.yaml @@ -13,8 +13,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway certificateHashes: @@ -65,8 +64,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway certificateHashes: @@ -116,15 +114,11 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway crl: refs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway status: ancestors: @@ -159,8 +153,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway optional: true @@ -200,9 +193,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -275,9 +266,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -321,9 +310,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -334,9 +321,7 @@ gateways: protocol: TLS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml index 9d8ac8dc56..5c44da167c 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml @@ -13,8 +13,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway certificateHashes: @@ -65,8 +64,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway certificateHashes: @@ -116,9 +114,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway status: ancestors: @@ -152,8 +148,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway optional: true @@ -193,9 +188,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -268,9 +261,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -314,9 +305,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -327,9 +316,7 @@ gateways: protocol: TLS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-clustertrustbundle.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-clustertrustbundle.out.yaml index b64c752530..6f526db32a 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-clustertrustbundle.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-clustertrustbundle.out.yaml @@ -17,9 +17,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway status: ancestors: @@ -58,8 +56,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ClusterTrustBundle + - kind: ClusterTrustBundle name: ca-cluster-trust-bundle status: ancestors: @@ -98,8 +95,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ClusterTrustBundle + - kind: ClusterTrustBundle name: ca-cluster-trust-bundle status: ancestors: @@ -140,8 +136,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ClusterTrustBundle + - kind: ClusterTrustBundle name: ca-cluster-trust-bundle status: ancestors: @@ -184,8 +179,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ClusterTrustBundle + - kind: ClusterTrustBundle name: ca-cluster-trust-bundle status: ancestors: @@ -223,9 +217,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -298,9 +290,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -344,9 +334,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -390,9 +378,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -436,9 +422,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml index b33eb51982..4f8ece33f3 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml @@ -17,9 +17,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway status: ancestors: @@ -58,8 +56,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -99,8 +96,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -142,8 +138,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -187,8 +182,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -227,9 +221,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -302,9 +294,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -348,9 +338,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -394,9 +382,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -440,9 +426,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml index d3ed2f56b8..d6a1818174 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml @@ -15,9 +15,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway status: ancestors: @@ -57,8 +55,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -96,8 +93,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -135,8 +131,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -174,8 +169,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -214,9 +208,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -289,9 +281,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -335,9 +325,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -381,9 +369,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -427,9 +413,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml index b5cb918d17..d13a080a9d 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml @@ -12,9 +12,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway status: ancestors: @@ -48,8 +46,7 @@ clientTrafficPolicies: tls: clientValidation: caCertificateRefs: - - group: null - kind: ConfigMap + - kind: ConfigMap name: ca-configmap namespace: envoy-gateway status: @@ -88,9 +85,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -163,9 +158,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-invalid-cipher.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-invalid-cipher.out.yaml index 9f2ed73b1a..3f047f361e 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-invalid-cipher.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-invalid-cipher.out.yaml @@ -48,9 +48,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret + - name: tls-secret namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml index 43e2a69c0b..4e8688a7ee 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml @@ -120,9 +120,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate - allowedRoutes: @@ -195,9 +193,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: @@ -241,9 +237,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: envoy-gateway mode: Terminate status: diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index b623d93d63..005a28d44c 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -169,8 +169,6 @@ securityPolicies: spec: basicAuth: users: - group: null - kind: null name: users-secret1 cors: allowMethods: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml index d2d96361e3..3171178547 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml @@ -65,8 +65,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-2:v1.0.0 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-invalid-configuration.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-invalid-configuration.out.yaml index 2ec7e8a57e..2863178d1e 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-invalid-configuration.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-invalid-configuration.out.yaml @@ -13,8 +13,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret-1 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-1:v1.0.0 @@ -55,8 +53,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret-1 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-1:v1.0.0 @@ -98,8 +94,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret-1 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-1:v1.0.0 @@ -110,8 +104,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret-2 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-2:v1.0.0 @@ -159,8 +151,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret-1 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-1:v1.0.0 @@ -206,8 +196,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret-1 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-1:v1.0.0 @@ -248,8 +236,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret-1 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-1:v1.0.0 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index 19c4d8006b..0953c66a67 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml @@ -68,8 +68,6 @@ envoyExtensionPolicies: - code: image: pullSecretRef: - group: null - kind: null name: my-pull-secret sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-2:v1.0.0 diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml index 09c5037296..3fc6466677 100644 --- a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml +++ b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml @@ -22,9 +22,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml index d6eddedd1d..b7cd5d08e0 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml @@ -31,7 +31,6 @@ gateways: status: "False" type: Programmed name: http - supportedKinds: [] httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml index 891bdd8a8b..da9a1c0fed 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml @@ -31,7 +31,6 @@ gateways: status: "False" type: Programmed name: http - supportedKinds: [] httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml index 8a474483bb..ae83edc036 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml @@ -34,7 +34,6 @@ gateways: status: "False" type: Programmed name: tls - supportedKinds: [] infraIR: envoy-gateway/gateway-1: proxy: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml index 3886a7ff40..925aa2a1c4 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml @@ -15,12 +15,8 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-ecdsa-1 - - group: null - kind: null - name: not-exist-secret + - name: tls-secret-ecdsa-1 + - name: not-exist-secret mode: Terminate - allowedRoutes: namespaces: @@ -30,12 +26,8 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-ecdsa-2 - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-ecdsa-2 + - name: tls-secret-1 mode: Terminate - allowedRoutes: namespaces: @@ -45,9 +37,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: not-exist-secret + - name: not-exist-secret mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml index e6aaa0af27..d3b527cf81 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Passthrough status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml index e34ffacdae..fdf22c3ae1 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml @@ -15,9 +15,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml index c896a01e5f..be22741fa9 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml @@ -15,9 +15,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate status: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml index d0e4fd6e3e..5ab341a973 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml @@ -15,9 +15,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.out.yaml index 7a339130fd..debf84aeff 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml index 7c6ae26997..85b59396fa 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml @@ -15,9 +15,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 namespace: default mode: Terminate status: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index 1cd0624c5e..fb8b3ac15e 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml @@ -25,9 +25,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml index 1765434059..e2192b8fac 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml @@ -33,7 +33,6 @@ gateways: status: "True" type: ResolvedRefs name: unsupported - supportedKinds: [] httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml index 670223f58b..5cfb02f62c 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml @@ -15,12 +15,8 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-ecdsa-1 - - group: null - kind: null - name: tls-secret-ecdsa-2 + - name: tls-secret-ecdsa-1 + - name: tls-secret-ecdsa-2 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml index 25eef2ba77..faaae79502 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml @@ -15,12 +15,8 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 - - group: null - kind: null - name: tls-secret-ecdsa-1 + - name: tls-secret-1 + - name: tls-secret-ecdsa-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml index 92d5eeeb5e..e9a7ad0135 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml @@ -15,9 +15,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-certs.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-certs.out.yaml index 354c549eee..334f02bd4d 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-certs.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-certs.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-example-com + - name: tls-secret-example-com mode: Terminate - allowedRoutes: namespaces: @@ -29,9 +27,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-bar-example-com + - name: tls-secret-bar-example-com mode: Terminate - allowedRoutes: namespaces: @@ -42,9 +38,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-foo-bar-com + - name: tls-secret-foo-bar-com mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml index 6b75b53acd..0ff626a3a6 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-example-com + - name: tls-secret-example-com mode: Terminate status: listeners: @@ -70,9 +68,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-bar-example-com + - name: tls-secret-bar-example-com mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs.out.yaml index 491dccad64..341e258cf7 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-example-com + - name: tls-secret-example-com mode: Terminate - allowedRoutes: namespaces: @@ -29,9 +27,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-bar-example-com + - name: tls-secret-bar-example-com mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml index a3a96ec944..d2e4c13f77 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-example-com + - name: tls-secret-example-com mode: Terminate status: listeners: @@ -70,9 +68,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-example-com + - name: tls-secret-example-com mode: Terminate - allowedRoutes: namespaces: @@ -83,9 +79,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-foo-bar-com + - name: tls-secret-foo-bar-com mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames.out.yaml index d185ea73bc..5ee69a9e33 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-example-com + - name: tls-secret-example-com mode: Terminate - allowedRoutes: namespaces: @@ -29,9 +27,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-example-com + - name: tls-secret-example-com mode: Terminate - allowedRoutes: namespaces: @@ -42,9 +38,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-foo-bar-com + - name: tls-secret-foo-bar-com mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml index 1b6ef5206a..f044051b7d 100644 --- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml @@ -15,9 +15,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml index 95bb6785b0..b29949de81 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml @@ -21,9 +21,7 @@ gateways: protocol: HTTPS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Terminate status: listeners: diff --git a/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.out.yaml b/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.out.yaml index 420c509843..448a90c165 100644 --- a/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-api-key-auth-duplicated-api-key.out.yaml @@ -105,9 +105,7 @@ securityPolicies: spec: apiKeyAuth: credentialRefs: - - group: null - kind: null - name: credential-1 + - name: credential-1 extractFrom: - headers: - X-API-KEY diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml index 0775204423..a70aadde98 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml @@ -148,8 +148,6 @@ securityPolicies: spec: basicAuth: users: - group: null - kind: null name: users-secret1 targetRef: group: gateway.networking.k8s.io @@ -186,8 +184,6 @@ securityPolicies: spec: basicAuth: users: - group: null - kind: null name: users-secret2 targetRef: group: gateway.networking.k8s.io diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml index 8a923623ab..0507a09ced 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml @@ -446,8 +446,6 @@ securityPolicies: spec: basicAuth: users: - group: null - kind: null name: users-secret1 extAuth: failOpen: true @@ -527,8 +525,6 @@ securityPolicies: spec: basicAuth: users: - group: null - kind: null name: users-secret1 extAuth: failOpen: true diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml index 3a16d2a9c7..c8c58c20b3 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml @@ -153,8 +153,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client2-secret provider: issuer: https://accounts.google.com @@ -202,8 +200,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret provider: issuer: https://accounts.google.com diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-and-jwt-passthrough.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-and-jwt-passthrough.out.yaml index 4df425c02b..dd2ca471d1 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-and-jwt-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-and-jwt-passthrough.out.yaml @@ -112,8 +112,6 @@ securityPolicies: oidc: clientID: client.oauth.foo.com clientSecret: - group: null - kind: null name: client-secret-1 passThroughAuthHeader: true provider: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index 83754567ef..c7abdc0f88 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -160,8 +160,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret defaultRefreshTokenTTL: 24h defaultTokenTTL: 30m diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml index be63a4ce16..c127a65b29 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml @@ -141,8 +141,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret defaultRefreshTokenTTL: 24h defaultTokenTTL: 30m diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendsettings.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendsettings.out.yaml index ce34ae541a..0ef34a8fb3 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendsettings.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendsettings.out.yaml @@ -106,8 +106,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret defaultRefreshTokenTTL: 24h defaultTokenTTL: 30m diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies-samesite.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies-samesite.out.yaml index e6c585cf44..7ab80612a3 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies-samesite.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies-samesite.out.yaml @@ -106,8 +106,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret cookieConfig: sameSite: None diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml index a13d591927..1e6027bb38 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml @@ -106,8 +106,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret cookieNames: accessToken: CustomAccessTokenCookie diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-deny-redirect.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-deny-redirect.out.yaml index 5ac23819f3..ee6d594fff 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-deny-redirect.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-deny-redirect.out.yaml @@ -106,8 +106,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret cookieNames: accessToken: CustomAccessTokenCookie diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml index 30047b3317..b796c91f11 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml @@ -68,8 +68,6 @@ securityPolicies: oidc: clientID: client1.apps.foo.bar.com clientSecret: - group: null - kind: null name: client1-secret provider: issuer: https://gateway.envoyproxy.io diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml index dffbdf687a..ea08527604 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml @@ -182,8 +182,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret provider: authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth @@ -217,8 +215,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client2-secret namespace: envoy-gateway provider: @@ -252,8 +248,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client3-secret namespace: default provider: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml index 6406be444d..5822501a95 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml @@ -143,8 +143,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret defaultRefreshTokenTTL: 24h defaultTokenTTL: 30m diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index 4b418b2bb4..0da1723ab1 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -179,12 +179,8 @@ securityPolicies: spec: oidc: clientIDRef: - group: null - kind: null name: client2-secret clientSecret: - group: null - kind: null name: client2-secret cookieDomain: example.com defaultRefreshTokenTTL: 48h @@ -237,8 +233,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client3-secret csrfTokenTTL: 35m defaultRefreshTokenTTL: 24h @@ -284,8 +278,6 @@ securityPolicies: oidc: clientID: client1.apps.googleusercontent.com clientSecret: - group: null - kind: null name: client1-secret csrfTokenTTL: 35m defaultRefreshTokenTTL: 24h diff --git a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml index 95283df48a..e1f898a957 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml @@ -16,9 +16,7 @@ gateways: protocol: TLS tls: certificateRefs: - - group: null - kind: null - name: tls-secret-1 + - name: tls-secret-1 mode: Passthrough status: listeners: diff --git a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.in.yaml b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.in.yaml index 1e0d3e8315..9106915f15 100644 --- a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.in.yaml @@ -32,9 +32,9 @@ gateways: name: conflict-listener port: 8888 protocol: HTTP -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: conflict-listener-from-same-xls @@ -54,8 +54,8 @@ xListenerSets: allowedRoutes: namespaces: from: All -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: conflict-listener-from-two-xlss @@ -75,8 +75,8 @@ xListenerSets: allowedRoutes: namespaces: from: All -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: listener-conflict-with-gateway diff --git a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml index 92a1d49369..09af02f39f 100644 --- a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml @@ -104,9 +104,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: conflict-listener-from-same-xls namespace: gateway-xls @@ -125,8 +125,6 @@ xListenerSets: port: 8089 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -159,7 +157,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener-1 - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -183,14 +180,13 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener-2 - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: conflict-listener-from-two-xlss namespace: gateway-xls @@ -209,8 +205,6 @@ xListenerSets: port: 8090 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -243,7 +237,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -267,14 +260,13 @@ xListenerSets: status: "True" type: ResolvedRefs name: good-listener - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: listener-conflict-with-gateway namespace: gateway-xls @@ -293,8 +285,6 @@ xListenerSets: port: 8091 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -327,7 +317,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: conflict-listener - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -351,7 +340,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: good-listener - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-cross-namespace.in.yaml b/internal/gatewayapi/testdata/xlistenerset-cross-namespace.in.yaml index e80ef811ee..f942b8f688 100644 --- a/internal/gatewayapi/testdata/xlistenerset-cross-namespace.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-cross-namespace.in.yaml @@ -36,9 +36,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: cross-allowed name: cross-namespace-allowed @@ -53,8 +53,8 @@ xListenerSets: allowedRoutes: namespaces: from: All -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: cross-allowed name: cross-namespace-same @@ -69,8 +69,8 @@ xListenerSets: allowedRoutes: namespaces: from: Same -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: cross-denied name: cross-namespace-denied @@ -93,8 +93,8 @@ httpRoutes: name: route-cross-http-allowed spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: cross-allowed name: cross-namespace-allowed sectionName: cross-http-allowed @@ -109,8 +109,8 @@ httpRoutes: name: route-same-namespace spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: cross-allowed name: cross-namespace-same sectionName: cross-http-same @@ -126,8 +126,8 @@ httpRoutes: name: route-cross-http-denied spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: cross-denied name: cross-namespace-denied sectionName: cross-http-denied diff --git a/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml b/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml index 2c4953143f..f0e8cfc794 100644 --- a/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-cross-namespace.out.yaml @@ -52,8 +52,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: cross-namespace-allowed namespace: cross-allowed sectionName: cross-http-allowed @@ -76,8 +76,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: cross-namespace-allowed namespace: cross-allowed sectionName: cross-http-allowed @@ -88,8 +88,8 @@ httpRoutes: namespace: cross-allowed spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: cross-namespace-same namespace: cross-allowed sectionName: cross-http-same @@ -113,8 +113,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: cross-namespace-same namespace: cross-allowed sectionName: cross-http-same @@ -149,9 +149,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: cross-namespace-allowed namespace: cross-allowed @@ -164,8 +164,6 @@ xListenerSets: port: 8083 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway namespace: gateway-xls status: @@ -199,14 +197,13 @@ xListenerSets: status: "True" type: ResolvedRefs name: cross-http-allowed - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: cross-namespace-same namespace: cross-allowed @@ -219,8 +216,6 @@ xListenerSets: port: 8085 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway namespace: gateway-xls status: @@ -254,14 +249,13 @@ xListenerSets: status: "True" type: ResolvedRefs name: cross-http-same - port: 8085 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: cross-namespace-denied namespace: cross-denied @@ -274,15 +268,13 @@ xListenerSets: port: 8084 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway namespace: gateway-xls status: conditions: - lastTransitionTime: null - message: XListenerSet attachment from namespace cross-denied not allowed by - Gateway gateway-xls/composite-gateway + message: ListenerSet attachment from namespace cross-denied not allowed by Gateway + gateway-xls/composite-gateway reason: NotAllowed status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/xlistenerset-grpcroute.in.yaml b/internal/gatewayapi/testdata/xlistenerset-grpcroute.in.yaml index 818def875a..da420a02d0 100644 --- a/internal/gatewayapi/testdata/xlistenerset-grpcroute.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-grpcroute.in.yaml @@ -26,9 +26,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: xlistenerset-grpc-one @@ -42,8 +42,8 @@ xListenerSets: allowedRoutes: namespaces: from: All -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: xlistenerset-grpc-two @@ -79,8 +79,8 @@ grpcRoutes: name: route-grpc-one spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: xlistenerset-grpc-one sectionName: grpc-listener @@ -95,8 +95,8 @@ grpcRoutes: name: route-grpc-two spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: xlistenerset-grpc-two rules: diff --git a/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml index 305f190236..c605112699 100644 --- a/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-grpcroute.out.yaml @@ -84,8 +84,8 @@ grpcRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: xlistenerset-grpc-one namespace: gateway-xls sectionName: grpc-listener @@ -108,8 +108,8 @@ grpcRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: xlistenerset-grpc-one namespace: gateway-xls sectionName: grpc-listener @@ -120,8 +120,8 @@ grpcRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: xlistenerset-grpc-two namespace: gateway-xls rules: @@ -143,8 +143,8 @@ grpcRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: xlistenerset-grpc-two namespace: gateway-xls infraIR: @@ -178,9 +178,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: xlistenerset-grpc-one namespace: gateway-xls @@ -193,8 +193,6 @@ xListenerSets: port: 8081 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -227,14 +225,13 @@ xListenerSets: status: "True" type: ResolvedRefs name: grpc-listener - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: xlistenerset-grpc-two namespace: gateway-xls @@ -247,8 +244,6 @@ xListenerSets: port: 8082 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -281,7 +276,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: grpc-listener - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-httproute.in.yaml b/internal/gatewayapi/testdata/xlistenerset-httproute.in.yaml index 7c25534162..21f14c0074 100644 --- a/internal/gatewayapi/testdata/xlistenerset-httproute.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-httproute.in.yaml @@ -26,9 +26,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: same-namespace-valid @@ -70,8 +70,8 @@ httpRoutes: name: route-extra-http-one spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: same-namespace-valid sectionName: extra-http-one @@ -86,8 +86,8 @@ httpRoutes: name: route-extra-http-two spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: same-namespace-valid sectionName: extra-http-two @@ -102,8 +102,8 @@ httpRoutes: name: route-entire-xls spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: same-namespace-valid rules: diff --git a/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml index 4100cc1373..c0aa55768b 100644 --- a/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-httproute.out.yaml @@ -84,8 +84,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-valid namespace: gateway-xls sectionName: extra-http-one @@ -108,8 +108,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-valid namespace: gateway-xls sectionName: extra-http-one @@ -120,8 +120,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-valid namespace: gateway-xls sectionName: extra-http-two @@ -144,8 +144,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-valid namespace: gateway-xls sectionName: extra-http-two @@ -156,8 +156,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-valid namespace: gateway-xls rules: @@ -179,8 +179,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-valid namespace: gateway-xls infraIR: @@ -214,9 +214,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: same-namespace-valid namespace: gateway-xls @@ -235,8 +235,6 @@ xListenerSets: port: 8082 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -269,7 +267,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-http-one - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -293,7 +290,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-http-two - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.in.yaml b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.in.yaml index 73f2f62c52..cf0361a5e9 100644 --- a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.in.yaml @@ -30,9 +30,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: xls name: https-xls @@ -62,8 +62,8 @@ httpRoutes: name: route-extra-https spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: xls name: https-xls sectionName: extra-https-same-ns diff --git a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml index 34613d0aae..53fbe663de 100644 --- a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml @@ -52,8 +52,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: https-xls namespace: xls sectionName: extra-https-same-ns @@ -76,8 +76,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: https-xls namespace: xls sectionName: extra-https-same-ns @@ -100,9 +100,9 @@ infraIR: name: envoy-gateway-class name: gateway/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: https-xls namespace: xls @@ -122,8 +122,6 @@ xListenerSets: namespace: gateway mode: Terminate parentRef: - group: null - kind: null name: composite-gateway namespace: gateway status: @@ -153,7 +151,6 @@ xListenerSets: status: "False" type: Programmed name: extra-https-same-ns - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.in.yaml b/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.in.yaml index 314a1c2b8d..7fac7f559c 100644 --- a/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.in.yaml @@ -30,9 +30,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: xls name: https-xls @@ -62,8 +62,8 @@ httpRoutes: name: route-extra-https spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: xls name: https-xls sectionName: extra-https-same-ns diff --git a/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml b/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml index ecc11efea8..0f3f56c7b8 100644 --- a/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-https-tls-same-namespace.out.yaml @@ -52,8 +52,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: https-xls namespace: xls sectionName: extra-https-same-ns @@ -76,8 +76,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: https-xls namespace: xls sectionName: extra-https-same-ns @@ -106,9 +106,9 @@ infraIR: name: envoy-gateway-class name: gateway/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: https-xls namespace: xls @@ -128,8 +128,6 @@ xListenerSets: namespace: xls mode: Terminate parentRef: - group: null - kind: null name: composite-gateway namespace: gateway status: @@ -163,7 +161,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-https-same-ns - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-invalid.in.yaml b/internal/gatewayapi/testdata/xlistenerset-invalid.in.yaml index b2ae57b7b3..b38d1e852d 100644 --- a/internal/gatewayapi/testdata/xlistenerset-invalid.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-invalid.in.yaml @@ -26,9 +26,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: same-namespace-invalid @@ -48,8 +48,8 @@ xListenerSets: allowedRoutes: namespaces: from: All -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: same-namespace-mixed @@ -77,8 +77,8 @@ httpRoutes: name: route-invalid-one spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: same-namespace-invalid sectionName: invalid-one @@ -93,8 +93,8 @@ httpRoutes: name: route-invalid-two spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: same-namespace-invalid sectionName: invalid-two @@ -109,8 +109,8 @@ httpRoutes: name: route-mixed-valid spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: same-namespace-mixed sectionName: mixed-valid @@ -125,8 +125,8 @@ httpRoutes: name: route-mixed-invalid spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: same-namespace-mixed sectionName: mixed-invalid diff --git a/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml b/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml index 224ef50568..164aaa34d1 100644 --- a/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml @@ -52,8 +52,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-invalid namespace: gateway-xls sectionName: invalid-one @@ -76,8 +76,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-invalid namespace: gateway-xls sectionName: invalid-one @@ -88,8 +88,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-invalid namespace: gateway-xls sectionName: invalid-two @@ -112,8 +112,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-invalid namespace: gateway-xls sectionName: invalid-two @@ -124,8 +124,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-mixed namespace: gateway-xls sectionName: mixed-valid @@ -148,8 +148,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-mixed namespace: gateway-xls sectionName: mixed-valid @@ -160,8 +160,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-mixed namespace: gateway-xls sectionName: mixed-invalid @@ -184,8 +184,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: same-namespace-mixed namespace: gateway-xls sectionName: mixed-invalid @@ -214,9 +214,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: same-namespace-invalid namespace: gateway-xls @@ -235,8 +235,6 @@ xListenerSets: port: 8086 protocol: INVALID parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -269,8 +267,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: invalid-one - port: 0 - supportedKinds: [] - attachedRoutes: 0 conditions: - lastTransitionTime: null @@ -289,10 +285,8 @@ xListenerSets: status: "True" type: ResolvedRefs name: invalid-two - port: 0 - supportedKinds: [] -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: same-namespace-mixed namespace: gateway-xls @@ -311,8 +305,6 @@ xListenerSets: port: 8088 protocol: INVALID parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -345,7 +337,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: mixed-valid - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -369,8 +360,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: mixed-invalid - port: 0 - supportedKinds: [] xdsIR: gateway-xls/composite-gateway: accessLog: diff --git a/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.in.yaml b/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.in.yaml index 22ea33eb66..eaf2f9c394 100644 --- a/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.in.yaml @@ -32,9 +32,9 @@ gateways: name: conflict-listener port: 8888 protocol: HTTP -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: listener-from-same-xls @@ -70,8 +70,8 @@ httpRoutes: name: route-extra-http-one spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: listener-from-same-xls sectionName: non-existent-listener diff --git a/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml b/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml index 7211e369df..8dd9a06944 100644 --- a/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-no-maching-listener.out.yaml @@ -113,8 +113,8 @@ httpRoutes: namespace: default spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet name: listener-from-same-xls namespace: gateway-xls sectionName: non-existent-listener @@ -137,8 +137,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet + group: gateway.networking.k8s.io + kind: ListenerSet name: listener-from-same-xls namespace: gateway-xls sectionName: non-existent-listener @@ -173,9 +173,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: listener-from-same-xls namespace: gateway-xls @@ -188,8 +188,6 @@ xListenerSets: port: 8089 protocol: HTTP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -222,7 +220,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: listener-1 - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/xlistenerset-tcproute.in.yaml b/internal/gatewayapi/testdata/xlistenerset-tcproute.in.yaml index 4807d17340..668192ff60 100644 --- a/internal/gatewayapi/testdata/xlistenerset-tcproute.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-tcproute.in.yaml @@ -26,9 +26,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: - - apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: + - apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: tcproute-xls @@ -53,8 +53,8 @@ tcpRoutes: name: tcproute spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: tcproute-xls sectionName: extra-tcp diff --git a/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml index c4c6fcb193..b7303f6947 100644 --- a/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-tcproute.out.yaml @@ -69,47 +69,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -tcpRoutes: -- apiVersion: gateway.networking.k8s.io/v1alpha2 - kind: TCPRoute - metadata: - name: tcproute - namespace: default - spec: - parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: tcproute-xls - namespace: gateway-xls - sectionName: extra-tcp - rules: - - backendRefs: - - name: service-1 - namespace: default - port: 8163 - status: - parents: - - conditions: - - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: tcproute-xls - namespace: gateway-xls - sectionName: extra-tcp -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: tcproute-xls namespace: gateway-xls @@ -125,8 +87,6 @@ xListenerSets: port: 8089 protocol: TCP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -159,10 +119,47 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-tcp - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute +tcpRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TCPRoute + metadata: + name: tcproute + namespace: default + spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: ListenerSet + name: tcproute-xls + namespace: gateway-xls + sectionName: extra-tcp + rules: + - backendRefs: + - name: service-1 + namespace: default + port: 8163 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: ListenerSet + name: tcproute-xls + namespace: gateway-xls + sectionName: extra-tcp xdsIR: gateway-xls/composite-gateway: accessLog: diff --git a/internal/gatewayapi/testdata/xlistenerset-tlsroute.in.yaml b/internal/gatewayapi/testdata/xlistenerset-tlsroute.in.yaml index db3d8a1c87..c899cf1539 100644 --- a/internal/gatewayapi/testdata/xlistenerset-tlsroute.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-tlsroute.in.yaml @@ -30,9 +30,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: tls-xls @@ -75,8 +75,8 @@ tlsRoutes: name: tls-app-passthrough spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: tls-xls sectionName: extra-tls-passthrough @@ -92,8 +92,8 @@ tlsRoutes: name: tls-app-terminate spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: tls-xls sectionName: extra-tls-terminate @@ -110,8 +110,8 @@ referenceGrants: namespace: secret spec: from: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls to: - group: "" diff --git a/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml index 1ec7983522..ffa54bc0b5 100644 --- a/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-tlsroute.out.yaml @@ -75,84 +75,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -tlsRoutes: -- apiVersion: gateway.networking.k8s.io/v1alpha2 - kind: TLSRoute - metadata: - name: tls-app-passthrough - namespace: default - spec: - parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: tls-xls - namespace: gateway-xls - sectionName: extra-tls-passthrough - rules: - - backendRefs: - - name: service-1 - namespace: default - port: 8080 - status: - parents: - - conditions: - - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: tls-xls - namespace: gateway-xls - sectionName: extra-tls-passthrough -- apiVersion: gateway.networking.k8s.io/v1alpha2 - kind: TLSRoute - metadata: - name: tls-app-terminate - namespace: default - spec: - parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: tls-xls - namespace: gateway-xls - sectionName: extra-tls-terminate - rules: - - backendRefs: - - name: service-1 - namespace: default - port: 8080 - status: - parents: - - conditions: - - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: tls-xls - namespace: gateway-xls - sectionName: extra-tls-terminate -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: tls-xls namespace: gateway-xls @@ -186,8 +111,6 @@ xListenerSets: namespace: secret mode: Terminate parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -220,7 +143,6 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-tls-passthrough - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: TLSRoute @@ -242,10 +164,84 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-tls-terminate - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: TLSRoute +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tls-app-passthrough + namespace: default + spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: ListenerSet + name: tls-xls + namespace: gateway-xls + sectionName: extra-tls-passthrough + rules: + - backendRefs: + - name: service-1 + namespace: default + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: ListenerSet + name: tls-xls + namespace: gateway-xls + sectionName: extra-tls-passthrough +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: tls-app-terminate + namespace: default + spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: ListenerSet + name: tls-xls + namespace: gateway-xls + sectionName: extra-tls-terminate + rules: + - backendRefs: + - name: service-1 + namespace: default + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: ListenerSet + name: tls-xls + namespace: gateway-xls + sectionName: extra-tls-terminate xdsIR: gateway-xls/composite-gateway: accessLog: diff --git a/internal/gatewayapi/testdata/xlistenerset-udproute.in.yaml b/internal/gatewayapi/testdata/xlistenerset-udproute.in.yaml index bc3b60b46c..19c7360b74 100644 --- a/internal/gatewayapi/testdata/xlistenerset-udproute.in.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-udproute.in.yaml @@ -26,9 +26,9 @@ gateways: allowedRoutes: namespaces: from: All -xListenerSets: - - apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: + - apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: namespace: gateway-xls name: udproute-xls @@ -53,8 +53,8 @@ udpRoutes: name: udp-app-1 spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-xls name: udproute-xls sectionName: extra-udp diff --git a/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml b/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml index 8316a7b197..2743e1e25f 100644 --- a/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-udproute.out.yaml @@ -69,47 +69,9 @@ infraIR: name: envoy-gateway-class name: gateway-xls/composite-gateway namespace: envoy-gateway-system -udpRoutes: -- apiVersion: gateway.networking.k8s.io/v1alpha2 - kind: UDPRoute - metadata: - name: udp-app-1 - namespace: default - spec: - parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: udproute-xls - namespace: gateway-xls - sectionName: extra-udp - rules: - - backendRefs: - - name: service-1 - namespace: default - port: 8162 - status: - parents: - - conditions: - - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parentRef: - group: gateway.networking.x-k8s.io - kind: XListenerSet - name: udproute-xls - namespace: gateway-xls - sectionName: extra-udp -xListenerSets: -- apiVersion: gateway.networking.x-k8s.io/v1alpha1 - kind: XListenerSet +listenerSets: +- apiVersion: gateway.networking.k8s.io/v1 + kind: ListenerSet metadata: name: udproute-xls namespace: gateway-xls @@ -125,8 +87,6 @@ xListenerSets: port: 8162 protocol: UDP parentRef: - group: null - kind: null name: composite-gateway status: conditions: @@ -159,10 +119,47 @@ xListenerSets: status: "True" type: ResolvedRefs name: extra-udp - port: 0 supportedKinds: - group: gateway.networking.k8s.io kind: UDPRoute +udpRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: UDPRoute + metadata: + name: udp-app-1 + namespace: default + spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: ListenerSet + name: udproute-xls + namespace: gateway-xls + sectionName: extra-udp + rules: + - backendRefs: + - name: service-1 + namespace: default + port: 8162 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: ListenerSet + name: udproute-xls + namespace: gateway-xls + sectionName: extra-udp xdsIR: gateway-xls/composite-gateway: accessLog: diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 08b72d9f1f..c61363b360 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -17,7 +17,6 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/api/v1alpha1/validation" @@ -149,7 +148,7 @@ func newTranslateResult( envoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy, extPolicies []unstructured.Unstructured, backends []*egv1a1.Backend, - xListenerSets []*gwapixv1a1.XListenerSet, + xListenerSets []*gwapiv1.ListenerSet, xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap, ) *TranslateResult { translateResult := &TranslateResult{ @@ -223,7 +222,7 @@ func newTranslateResult( translateResult.Backends = backends } if len(xListenerSets) > 0 { - translateResult.XListenerSets = xListenerSets + translateResult.ListenerSets = xListenerSets } return translateResult @@ -253,15 +252,15 @@ func (t *Translator) Translate(resources *resource.Resources) (*TranslateResult, // Build IR maps. xdsIR, infraIR := t.InitIRs(acceptedGateways, failedGateways) - // Process XListenerSets and attach them to the relevant Gateways - t.ProcessXListenerSets(resources.XListenerSets, acceptedGateways) + // Process ListenerSets and attach them to the relevant Gateways + t.ProcessListenerSets(resources.ListenerSets, acceptedGateways) // Process all Listeners for all relevant Gateways. t.ProcessListeners(acceptedGateways, xdsIR, infraIR, resources) - // Compute XListenerSet status based on listener processing results - // This should be done after ProcessListeners because XListenerSet status depends on listener processing results - t.ProcessXListenerSetStatus(resources.XListenerSets) + // Compute ListenerSet status based on listener processing results + // This should be done after ProcessListeners because ListenerSet status depends on listener processing results + t.ProcessListenerSetStatus(resources.ListenerSets) // Process EnvoyPatchPolicies t.ProcessEnvoyPatchPolicies(resources.EnvoyPatchPolicies, xdsIR) @@ -358,7 +357,7 @@ func (t *Translator) Translate(resources *resource.Resources) (*TranslateResult, allGateways, httpRoutes, grpcRoutes, tlsRoutes, tcpRoutes, udpRoutes, clientTrafficPolicies, backendTrafficPolicies, securityPolicies, resources.BackendTLSPolicies, envoyExtensionPolicies, - extServerPolicies, backends, resources.XListenerSets, xdsIR, infraIR), errs + extServerPolicies, backends, resources.ListenerSets, xdsIR, infraIR), errs } // GetRelevantGateways returns GatewayContexts, containing a copy of the original diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index 3722d51cc5..47311a5f22 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go @@ -20,7 +20,6 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" @@ -402,9 +401,9 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets( fromGroup := gwapiv1.GroupName fromKind := resource.KindGateway - if listener.isFromXListenerSet() { - fromGroup = gwapixv1a1.GroupName - fromKind = resource.KindXListenerSet + if listener.isFromListenerSet() { + fromGroup = gwapiv1.GroupVersion.Group + fromKind = resource.KindListenerSet } if !t.validateCrossNamespaceRef( diff --git a/internal/gatewayapi/xlistenerset.go b/internal/gatewayapi/xlistenerset.go index 65466b4c7f..e3160ea07c 100644 --- a/internal/gatewayapi/xlistenerset.go +++ b/internal/gatewayapi/xlistenerset.go @@ -12,71 +12,70 @@ import ( "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/status" ) -func (t *Translator) ProcessXListenerSets(xListenerSets []*gwapixv1a1.XListenerSet, gateways []*GatewayContext) { +func (t *Translator) ProcessListenerSets(listenerSets []*gwapiv1.ListenerSet, gateways []*GatewayContext) { // Create a map for quick lookup of gateways gatewayMap := make(map[types.NamespacedName]*GatewayContext) for _, gw := range gateways { gatewayMap[types.NamespacedName{Namespace: gw.Namespace, Name: gw.Name}] = gw } - for _, xls := range xListenerSets { - t.processXListenerSet(xls, gatewayMap) + for _, ls := range listenerSets { + t.processListenerSet(ls, gatewayMap) } } -func (t *Translator) processXListenerSet(xls *gwapixv1a1.XListenerSet, gatewayMap map[types.NamespacedName]*GatewayContext) { - parentNamespace := NamespaceDerefOr(xls.Spec.ParentRef.Namespace, xls.Namespace) +func (t *Translator) processListenerSet(ls *gwapiv1.ListenerSet, gatewayMap map[types.NamespacedName]*GatewayContext) { + parentNamespace := NamespaceDerefOr(ls.Spec.ParentRef.Namespace, ls.Namespace) - gatewayKey := types.NamespacedName{Namespace: parentNamespace, Name: string(xls.Spec.ParentRef.Name)} + gatewayKey := types.NamespacedName{Namespace: parentNamespace, Name: string(ls.Spec.ParentRef.Name)} gatewayCtx, exists := gatewayMap[gatewayKey] - // If the Gateway is not found (not managed by us), ignore the XListenerSet completely. + // If the Gateway is not found (not managed by us), ignore the ListenerSet completely. // Just a sanity check, this should already be handled in the provider layer. if !exists { return } var ( - xlsReason gwapixv1a1.ListenerSetConditionReason + xlsReason gwapiv1.ListenerSetConditionReason xlsMsg string ) - // If the Gateway is not accepted, mark the XListenerSet as not accepted + // If the Gateway is not accepted, mark the ListenerSet as not accepted if status.GatewayNotAccepted(gatewayCtx.Gateway) { - xlsReason = gwapixv1a1.ListenerSetReasonParentNotAccepted - xlsMsg = fmt.Sprintf("Parent Gateway %s/%s not accepted", parentNamespace, xls.Spec.ParentRef.Name) - status.UpdateXListenerSetStatusAccepted(xls, false, xlsReason, xlsMsg) - status.UpdateXListenerSetStatusProgrammed(xls, false, gwapixv1a1.ListenerSetReasonProgrammed, "Not Programmed") + xlsReason = gwapiv1.ListenerSetReasonParentNotAccepted + xlsMsg = fmt.Sprintf("Parent Gateway %s/%s not accepted", parentNamespace, ls.Spec.ParentRef.Name) + status.UpdateListenerSetStatusAccepted(ls, false, xlsReason, xlsMsg) + status.UpdateListenerSetStatusProgrammed(ls, false, gwapiv1.ListenerSetReasonProgrammed, "Not Programmed") return } // Check if the namespace is allowed - if !t.isXListenerSetAllowed(gatewayCtx.Gateway, xls) { - xlsReason = gwapixv1a1.ListenerSetReasonNotAllowed - xlsMsg = fmt.Sprintf("XListenerSet attachment from namespace %s not allowed by Gateway %s/%s", xls.Namespace, gatewayCtx.Namespace, gatewayCtx.Name) - status.UpdateXListenerSetStatusAccepted(xls, false, xlsReason, xlsMsg) - status.UpdateXListenerSetStatusProgrammed(xls, false, gwapixv1a1.ListenerSetReasonProgrammed, "Not Programmed") + if !t.isListenerSetAllowed(gatewayCtx.Gateway, ls) { + xlsReason = gwapiv1.ListenerSetReasonNotAllowed + xlsMsg = fmt.Sprintf("ListenerSet attachment from namespace %s not allowed by Gateway %s/%s", ls.Namespace, gatewayCtx.Namespace, gatewayCtx.Name) + status.UpdateListenerSetStatusAccepted(ls, false, xlsReason, xlsMsg) + status.UpdateListenerSetStatusProgrammed(ls, false, gwapiv1.ListenerSetReasonProgrammed, "Not Programmed") return } // Attach listeners to the GatewayContext - // We do NOT update status here. It will be updated in ProcessXListenerSetStatus after listeners are processed. - for i := range xls.Spec.Listeners { - listener := &xls.Spec.Listeners[i] + // We do NOT update status here. It will be updated in ProcessListenerSetStatus after listeners are processed. + for i := range ls.Spec.Listeners { + listener := &ls.Spec.Listeners[i] // Initialize listener status conditions - xls.Status.Listeners = append(xls.Status.Listeners, gwapixv1a1.ListenerEntryStatus{ + ls.Status.Listeners = append(ls.Status.Listeners, gwapiv1.ListenerEntryStatus{ Name: listener.Name, - SupportedKinds: []gwapixv1a1.RouteGroupKind{}, + SupportedKinds: []gwapiv1.RouteGroupKind{}, AttachedRoutes: 0, Conditions: []metav1.Condition{}, }) - // Convert XListenerSet listener to Gateway listener for internal processing + // Convert ListenerSet listener to Gateway listener for internal processing gwListener := &gwapiv1.Listener{ Name: listener.Name, Port: gwapiv1.PortNumber(listener.Port), //nolint @@ -87,23 +86,23 @@ func (t *Translator) processXListenerSet(xls *gwapixv1a1.XListenerSet, gatewayMa } listenerCtx := &ListenerContext{ - Listener: gwListener, - gateway: gatewayCtx, - xListenerSet: xls, - xListenerSetStatusIdx: i, + Listener: gwListener, + gateway: gatewayCtx, + listenerSet: ls, + listenerSetStatusIdx: i, } gatewayCtx.listeners = append(gatewayCtx.listeners, listenerCtx) } } -// ProcessXListenerSetStatus computes the status of XListenerSets after their listeners have been processed. -func (t *Translator) ProcessXListenerSetStatus(xListenerSets []*gwapixv1a1.XListenerSet) { - for _, xls := range xListenerSets { +// ProcessListenerSetStatus computes the status of ListenerSets after their listeners have been processed. +func (t *Translator) ProcessListenerSetStatus(listenerSets []*gwapiv1.ListenerSet) { + for _, ls := range listenerSets { // If Accepted condition is already set to False, it means it failed during attachment (parent not found/accepted or not allowed). // We skip re-processing. alreadyRejected := false - for _, cond := range xls.Status.Conditions { - if cond.Type == string(gwapixv1a1.ListenerSetConditionAccepted) && cond.Status == metav1.ConditionFalse { + for _, cond := range ls.Status.Conditions { + if cond.Type == string(gwapiv1.ListenerSetConditionAccepted) && cond.Status == metav1.ConditionFalse { alreadyRejected = true break } @@ -116,10 +115,10 @@ func (t *Translator) ProcessXListenerSetStatus(xListenerSets []*gwapixv1a1.XList allListenersValid := true anyListenerValid := false - for _, lStatus := range xls.Status.Listeners { + for _, lStatus := range ls.Status.Listeners { accepted := false for _, cond := range lStatus.Conditions { - if cond.Type == string(gwapixv1a1.ListenerEntryConditionAccepted) && cond.Status == metav1.ConditionTrue { + if cond.Type == string(gwapiv1.ListenerEntryConditionAccepted) && cond.Status == metav1.ConditionTrue { accepted = true break } @@ -129,36 +128,36 @@ func (t *Translator) ProcessXListenerSetStatus(xListenerSets []*gwapixv1a1.XList } var ( - xlsAccepted bool - xlsReason gwapixv1a1.ListenerSetConditionReason - xlsProgrammedReason gwapixv1a1.ListenerSetConditionReason - xlsMsg string + lsAccepted bool + lsReason gwapiv1.ListenerSetConditionReason + lsProgrammedReason gwapiv1.ListenerSetConditionReason + lsMsg string ) switch { case allListenersValid: - xlsAccepted = true - xlsReason = gwapixv1a1.ListenerSetReasonAccepted - xlsProgrammedReason = gwapixv1a1.ListenerSetReasonProgrammed - xlsMsg = "All listeners are valid" + lsAccepted = true + lsReason = gwapiv1.ListenerSetReasonAccepted + lsProgrammedReason = gwapiv1.ListenerSetReasonProgrammed + lsMsg = "All listeners are valid" case anyListenerValid: // TODO: implement PartiallyInvalid conditions when Gateway API supports it - xlsAccepted = true - xlsReason = gwapixv1a1.ListenerSetReasonListenersNotValid - xlsProgrammedReason = gwapixv1a1.ListenerSetReasonProgrammed - xlsMsg = "Some listeners are invalid" + lsAccepted = true + lsReason = gwapiv1.ListenerSetReasonListenersNotValid + lsProgrammedReason = gwapiv1.ListenerSetReasonProgrammed + lsMsg = "Some listeners are invalid" default: - xlsAccepted = false - xlsReason = gwapixv1a1.ListenerSetReasonListenersNotValid - xlsProgrammedReason = gwapixv1a1.ListenerSetReasonInvalid - xlsMsg = "All listeners are invalid" + lsAccepted = false + lsReason = gwapiv1.ListenerSetReasonListenersNotValid + lsProgrammedReason = gwapiv1.ListenerSetReasonInvalid + lsMsg = "All listeners are invalid" } - status.UpdateXListenerSetStatusAccepted(xls, xlsAccepted, xlsReason, xlsMsg) - status.UpdateXListenerSetStatusProgrammed(xls, xlsAccepted, xlsProgrammedReason, xlsMsg) + status.UpdateListenerSetStatusAccepted(ls, lsAccepted, lsReason, lsMsg) + status.UpdateListenerSetStatusProgrammed(ls, lsAccepted, lsProgrammedReason, lsMsg) } } -func (t *Translator) isXListenerSetAllowed(gateway *gwapiv1.Gateway, xls *gwapixv1a1.XListenerSet) bool { +func (t *Translator) isListenerSetAllowed(gateway *gwapiv1.Gateway, ls *gwapiv1.ListenerSet) bool { // If AllowedListeners is not set, attachment is not allowed (default is None) if gateway.Spec.AllowedListeners == nil || gateway.Spec.AllowedListeners.Namespaces == nil || gateway.Spec.AllowedListeners.Namespaces.From == nil { return false @@ -170,7 +169,7 @@ func (t *Translator) isXListenerSetAllowed(gateway *gwapiv1.Gateway, xls *gwapix case gwapiv1.NamespacesFromAll: return true case gwapiv1.NamespacesFromSame: - return gateway.Namespace == xls.Namespace + return gateway.Namespace == ls.Namespace case gwapiv1.NamespacesFromSelector: selectorVal := gateway.Spec.AllowedListeners.Namespaces.Selector if selectorVal == nil { @@ -181,9 +180,9 @@ func (t *Translator) isXListenerSetAllowed(gateway *gwapiv1.Gateway, xls *gwapix t.Logger.Error(err, "invalid label selector in AllowedListeners", "gateway", gateway.Name) return false } - // We need to look up the namespace of the XListenerSet to check labels + // We need to look up the namespace of the ListenerSet to check labels // translatorContext has NamespaceMap - ns := t.GetNamespace(xls.Namespace) + ns := t.GetNamespace(ls.Namespace) if ns != nil { return selector.Matches(labels.Set(ns.Labels)) } diff --git a/internal/message/types.go b/internal/message/types.go index 4335d1bd9c..836aa30b3b 100644 --- a/internal/message/types.go +++ b/internal/message/types.go @@ -14,7 +14,6 @@ import ( "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" @@ -85,10 +84,10 @@ type GatewayAPIStatuses struct { GatewayStatuses watchable.Map[types.NamespacedName, *gwapiv1.GatewayStatus] HTTPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1.HTTPRouteStatus] GRPCRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1.GRPCRouteStatus] - TLSRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.TLSRouteStatus] + TLSRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1.TLSRouteStatus] TCPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.TCPRouteStatus] UDPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.UDPRouteStatus] - XListenerSetStatuses watchable.Map[types.NamespacedName, *gwapixv1a1.ListenerSetStatus] + ListenerSetStatuses watchable.Map[types.NamespacedName, *gwapiv1.ListenerSetStatus] } func (s *GatewayAPIStatuses) Close() { @@ -99,7 +98,7 @@ func (s *GatewayAPIStatuses) Close() { s.TLSRouteStatuses.Close() s.TCPRouteStatuses.Close() s.UDPRouteStatuses.Close() - s.XListenerSetStatuses.Close() + s.ListenerSetStatuses.Close() } type NamespacedNameAndGVK struct { @@ -222,8 +221,8 @@ const ( HTTPRouteStatusMessageName MessageName = "httproute-status" // GatewayStatusMessageName is a message containing updates to Gateway status GatewayStatusMessageName MessageName = "gateway-status" - // XListenerSetStatusMessageName is a message containing updates to XListenerSet status - XListenerSetStatusMessageName MessageName = "xlistenerset-status" + // ListenerSetStatusMessageName is a message containing updates to ListenerSet status + ListenerSetStatusMessageName MessageName = "listenerset-status" // GatewayClassStatusMessageName is a message containing updates to GatewayClass status GatewayClassStatusMessageName MessageName = "gatewayclass-status" ) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index a726f7b814..50fe1dad68 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -43,7 +43,6 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" mcsapiv1a1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -96,11 +95,11 @@ type gatewayAPIReconciler struct { tcpRouteCRDExists bool tlsRouteCRDExists bool udpRouteCRDExists bool + listenerSetEnabled bool clusterTrustBundleExits bool // Experimental Gateway API features - xListenerSetEnabled bool } // isGatewayClassMerged reports whether the supplied GatewayClass has mergeGateways enabled. @@ -126,10 +125,10 @@ type subscriptions struct { gatewayStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.GatewayStatus] httpRouteStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.HTTPRouteStatus] grpcRouteStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.GRPCRouteStatus] - tlsRouteStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1a2.TLSRouteStatus] + tlsRouteStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.TLSRouteStatus] tcpRouteStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1a2.TCPRouteStatus] udpRouteStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1a2.UDPRouteStatus] - xListenerSetStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapixv1a1.ListenerSetStatus] + listenerSetStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.ListenerSetStatus] backendTLSPolicyStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.PolicyStatus] backendTrafficPolicyStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.PolicyStatus] envoyExtensionPolicyStatuses <-chan watchable.Snapshot[types.NamespacedName, *gwapiv1.PolicyStatus] @@ -250,7 +249,7 @@ func (r *gatewayAPIReconciler) subscribeToResources(ctx context.Context) { r.subscriptions.tlsRouteStatuses = r.resources.TLSRouteStatuses.Subscribe(ctx) r.subscriptions.tcpRouteStatuses = r.resources.TCPRouteStatuses.Subscribe(ctx) r.subscriptions.udpRouteStatuses = r.resources.UDPRouteStatuses.Subscribe(ctx) - r.subscriptions.xListenerSetStatuses = r.resources.XListenerSetStatuses.Subscribe(ctx) + r.subscriptions.listenerSetStatuses = r.resources.ListenerSetStatuses.Subscribe(ctx) r.subscriptions.backendTLSPolicyStatuses = r.resources.BackendTLSPolicyStatuses.Subscribe(ctx) r.subscriptions.backendTrafficPolicyStatuses = r.resources.BackendTrafficPolicyStatuses.Subscribe(ctx) r.subscriptions.envoyExtensionPolicyStatuses = r.resources.EnvoyExtensionPolicyStatuses.Subscribe(ctx) @@ -443,7 +442,7 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques gcLogger.Error(err, "failed to process EnvoyTLSSecret") } - // Add all Gateways, their associated XListenerSets, Routes, and referenced resources to the resourceTree + // Add all Gateways, their associated ListenerSets, Routes, and referenced resources to the resourceTree if err = r.processGateways(ctx, managedGC, gwcResourceMapping, gwcResource); err != nil { if isTransientError(err) { gcLogger.Error(err, "transient error processing gateways") @@ -1661,13 +1660,13 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g gtwNamespacedName := utils.NamespacedName(gtw).String() - // XListenerSet Processing (must be done before route processing) - if r.xListenerSetEnabled { - if err := r.processXListenerSets(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + // ListenerSet Processing (must be done before route processing) + if r.listenerSetEnabled { + if err := r.processListenerSets(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { if isTransientError(err) { return err } - r.log.Error(err, "failed to process XListenerSets for gateway", "namespace", gtw.Namespace, "name", gtw.Name) + r.log.Error(err, "failed to process ListenerSets for gateway", "namespace", gtw.Namespace, "name", gtw.Name) } } @@ -1855,37 +1854,37 @@ func (r *gatewayAPIReconciler) processClientTrafficPolicies( return r.processCTPCrlRefs(ctx, resourceTree, resourceMap) } -func (r *gatewayAPIReconciler) processXListenerSets(ctx context.Context, gatewayNamespaceName string, +func (r *gatewayAPIReconciler) processListenerSets(ctx context.Context, gatewayNamespaceName string, resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { - resourceMap.gatewayToXListenerSets[gatewayNamespaceName] = nil + resourceMap.gatewayToListenerSets[gatewayNamespaceName] = nil - xListenerSetList := &gwapixv1a1.XListenerSetList{} - if err := r.client.List(ctx, xListenerSetList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(gatewayXListenerSetIndex, gatewayNamespaceName), + listenerSetList := &gwapiv1.ListenerSetList{} + if err := r.client.List(ctx, listenerSetList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(gatewayListenerSetIndex, gatewayNamespaceName), }); err != nil { - r.log.Error(err, "failed to list XListenerSets", "gateway", gatewayNamespaceName) + r.log.Error(err, "failed to list ListenerSets", "gateway", gatewayNamespaceName) return err } - for i := range xListenerSetList.Items { - xls := &xListenerSetList.Items[i] + for i := range listenerSetList.Items { + ls := &listenerSetList.Items[i] if r.namespaceLabel != nil { - if ok, err := r.checkObjectNamespaceLabels(xls); err != nil { - r.log.Error(err, "failed to check namespace labels for XListenerSet", - "name", xls.GetName(), "namespace", xls.GetNamespace()) + if ok, err := r.checkObjectNamespaceLabels(ls); err != nil { + r.log.Error(err, "failed to check namespace labels for ListenerSet", + "name", ls.GetName(), "namespace", ls.GetNamespace()) continue } else if !ok { continue } } - key := utils.NamespacedName(xls).String() - if resourceMap.allAssociatedXListenerSets.Has(key) { + key := utils.NamespacedName(ls).String() + if resourceMap.allAssociatedListenerSets.Has(key) { continue } - for _, listener := range xls.Spec.Listeners { + for _, listener := range ls.Spec.Listeners { // Listener TLS is optional; only process when TLS termination occurs. if !isListenerEntryTerminatesTLS(&listener) { continue @@ -1895,27 +1894,27 @@ func (r *gatewayAPIReconciler) processXListenerSets(ctx context.Context, gateway if refsSecret(&certRef) { if err := r.processSecretRef(ctx, resourceMap, resourceTree, - resource.KindXListenerSet, xls.Namespace, xls.Name, + resource.KindListenerSet, ls.Namespace, ls.Name, certRef); err != nil { if isTransientError(err) { return err } - r.log.Error(err, "failed to process TLS SecretRef for XListenerSet", - "xListenerSet", xls, "secretRef", certRef) + r.log.Error(err, "failed to process TLS SecretRef for ListenerSet", + "listenerSet", ls, "secretRef", certRef) } } } } // Drop Status to reduce memory - xls.Status = gwapixv1a1.ListenerSetStatus{} - resourceMap.allAssociatedNamespaces.Insert(xls.Namespace) - resourceMap.allAssociatedXListenerSets.Insert(key) - resourceMap.gatewayToXListenerSets[gatewayNamespaceName] = append( - resourceMap.gatewayToXListenerSets[gatewayNamespaceName], - utils.NamespacedName(xls), + ls.Status = gwapiv1.ListenerSetStatus{} + resourceMap.allAssociatedNamespaces.Insert(ls.Namespace) + resourceMap.allAssociatedListenerSets.Insert(key) + resourceMap.gatewayToListenerSets[gatewayNamespaceName] = append( + resourceMap.gatewayToListenerSets[gatewayNamespaceName], + utils.NamespacedName(ls), ) - resourceTree.XListenerSets = append(resourceTree.XListenerSets, xls) + resourceTree.ListenerSets = append(resourceTree.ListenerSets, ls) } return nil @@ -2100,44 +2099,34 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch XListenerSet CRUDs when the experimental API is enabled and the CRD exists. - r.xListenerSetEnabled = false - exists, err := checkCRD(resource.KindXListenerSet, gwapixv1a1.GroupVersion.String()) + // Watch ListenerSet CRUDs when the experimental API is enabled and the CRD exists. + r.listenerSetEnabled, err = checkCRD(resource.KindListenerSet, gwapiv1.GroupVersion.String()) if err != nil { return err } - - disabled := r.envoyGateway == nil || r.envoyGateway.GatewayAPI == nil || - !r.envoyGateway.GatewayAPI.IsEnabled(egv1a1.XListenerSet) - - switch { - case !exists: - r.log.Info("XListenerSet CRD not found, skipping XListenerSet watch") - case disabled: - r.log.Info("XListenerSet API disabled, skipping XListenerSet watch") - default: - r.log.Info("XListenerSet API enabled, watching XListenerSets") - xlsPredicates := []predicate.TypedPredicate[*gwapixv1a1.XListenerSet]{ - predicate.TypedGenerationChangedPredicate[*gwapixv1a1.XListenerSet]{}, + if !r.listenerSetEnabled { + r.log.Info("ListenerSet API not enabled, skipping ListenerSet watch") + } else { + xlsPredicates := []predicate.TypedPredicate[*gwapiv1.ListenerSet]{ + predicate.TypedGenerationChangedPredicate[*gwapiv1.ListenerSet]{}, } if r.namespaceLabel != nil { - xlsPredicates = append(xlsPredicates, predicate.NewTypedPredicateFuncs(func(obj *gwapixv1a1.XListenerSet) bool { + xlsPredicates = append(xlsPredicates, predicate.NewTypedPredicateFuncs(func(obj *gwapiv1.ListenerSet) bool { return r.hasMatchingNamespaceLabels(obj) })) } if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapixv1a1.XListenerSet{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, obj *gwapixv1a1.XListenerSet) []reconcile.Request { + source.Kind(mgr.GetCache(), &gwapiv1.ListenerSet{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, obj *gwapiv1.ListenerSet) []reconcile.Request { return r.enqueueClass(ctx, obj) }), xlsPredicates...)); err != nil { return err } - if err := addXListenerSetIndexers(ctx, mgr); err != nil { + if err := addListenerSetIndexers(ctx, mgr); err != nil { return err } - r.xListenerSetEnabled = true } // Watch HTTPRoute CRUDs and process affected Gateways. diff --git a/internal/provider/kubernetes/controller_test.go b/internal/provider/kubernetes/controller_test.go index dd7a7af9ef..b4eec803b9 100644 --- a/internal/provider/kubernetes/controller_test.go +++ b/internal/provider/kubernetes/controller_test.go @@ -29,7 +29,6 @@ import ( fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" @@ -1806,13 +1805,13 @@ func TestProcessBackendRefs(t *testing.T) { } } -func TestProcessXListenerSets(t *testing.T) { +func TestProcessListenerSets(t *testing.T) { logger := logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo) scheme := envoygateway.GetScheme() testCases := []struct { name string - xls *gwapixv1a1.XListenerSet + xls *gwapiv1.ListenerSet secret *corev1.Secret referenceGrant *gwapiv1b1.ReferenceGrant gatewayNamespace string @@ -1821,22 +1820,22 @@ func TestProcessXListenerSets(t *testing.T) { }{ { name: "matching gateway with TLS secret and XLS in same namespace", - xls: &gwapixv1a1.XListenerSet{ + xls: &gwapiv1.ListenerSet{ ObjectMeta: metav1.ObjectMeta{ Name: "test-xls", Namespace: "default", }, - Spec: gwapixv1a1.ListenerSetSpec{ - ParentRef: gwapixv1a1.ParentGatewayReference{ - Name: gwapixv1a1.ObjectName("test-gateway"), + Spec: gwapiv1.ListenerSetSpec{ + ParentRef: gwapiv1.ParentGatewayReference{ + Name: gwapiv1.ObjectName("test-gateway"), Namespace: ptr.To(gwapiv1.Namespace("default")), }, - Listeners: []gwapixv1a1.ListenerEntry{ + Listeners: []gwapiv1.ListenerEntry{ { - Name: gwapixv1a1.SectionName("http"), - Protocol: gwapixv1a1.ProtocolType("HTTPS"), - Port: gwapixv1a1.PortNumber(8080), - TLS: &gwapixv1a1.ListenerTLSConfig{ + Name: gwapiv1.SectionName("http"), + Protocol: gwapiv1.ProtocolType("HTTPS"), + Port: gwapiv1.PortNumber(8080), + TLS: &gwapiv1.ListenerTLSConfig{ Mode: ptr.To(gwapiv1.TLSModeTerminate), CertificateRefs: []gwapiv1.SecretObjectReference{{ Name: gwapiv1.ObjectName("listener-cert"), @@ -1859,22 +1858,22 @@ func TestProcessXListenerSets(t *testing.T) { { name: "matching gateway with TLS secret and XLS in different namespace", - xls: &gwapixv1a1.XListenerSet{ + xls: &gwapiv1.ListenerSet{ ObjectMeta: metav1.ObjectMeta{ Name: "test-xls", Namespace: "xls", }, - Spec: gwapixv1a1.ListenerSetSpec{ - ParentRef: gwapixv1a1.ParentGatewayReference{ - Name: gwapixv1a1.ObjectName("test-gateway"), + Spec: gwapiv1.ListenerSetSpec{ + ParentRef: gwapiv1.ParentGatewayReference{ + Name: gwapiv1.ObjectName("test-gateway"), Namespace: ptr.To(gwapiv1.Namespace("gateway")), }, - Listeners: []gwapixv1a1.ListenerEntry{ + Listeners: []gwapiv1.ListenerEntry{ { - Name: gwapixv1a1.SectionName("http"), - Protocol: gwapixv1a1.ProtocolType("HTTPS"), - Port: gwapixv1a1.PortNumber(8080), - TLS: &gwapixv1a1.ListenerTLSConfig{ + Name: gwapiv1.SectionName("http"), + Protocol: gwapiv1.ProtocolType("HTTPS"), + Port: gwapiv1.PortNumber(8080), + TLS: &gwapiv1.ListenerTLSConfig{ Mode: ptr.To(gwapiv1.TLSModeTerminate), CertificateRefs: []gwapiv1.SecretObjectReference{{ Name: gwapiv1.ObjectName("listener-cert"), @@ -1898,22 +1897,22 @@ func TestProcessXListenerSets(t *testing.T) { { name: "matching gateway with TLS secret and XLS all in different namespaces with valid ReferenceGrant", - xls: &gwapixv1a1.XListenerSet{ + xls: &gwapiv1.ListenerSet{ ObjectMeta: metav1.ObjectMeta{ Name: "test-xls", Namespace: "xls", }, - Spec: gwapixv1a1.ListenerSetSpec{ - ParentRef: gwapixv1a1.ParentGatewayReference{ - Name: gwapixv1a1.ObjectName("test-gateway"), + Spec: gwapiv1.ListenerSetSpec{ + ParentRef: gwapiv1.ParentGatewayReference{ + Name: gwapiv1.ObjectName("test-gateway"), Namespace: ptr.To(gwapiv1.Namespace("gateway")), }, - Listeners: []gwapixv1a1.ListenerEntry{ + Listeners: []gwapiv1.ListenerEntry{ { - Name: gwapixv1a1.SectionName("https"), - Protocol: gwapixv1a1.ProtocolType("HTTPS"), - Port: gwapixv1a1.PortNumber(8443), - TLS: &gwapixv1a1.ListenerTLSConfig{ + Name: gwapiv1.SectionName("https"), + Protocol: gwapiv1.ProtocolType("HTTPS"), + Port: gwapiv1.PortNumber(8443), + TLS: &gwapiv1.ListenerTLSConfig{ Mode: ptr.To(gwapiv1.TLSModeTerminate), CertificateRefs: []gwapiv1.SecretObjectReference{{ Name: gwapiv1.ObjectName("listener-cert"), @@ -1938,8 +1937,8 @@ func TestProcessXListenerSets(t *testing.T) { Spec: gwapiv1b1.ReferenceGrantSpec{ From: []gwapiv1b1.ReferenceGrantFrom{ { - Group: gwapiv1.Group(gwapixv1a1.GroupName), - Kind: gwapiv1.Kind(resource.KindXListenerSet), + Group: gwapiv1.Group(gwapiv1.GroupName), + Kind: gwapiv1.Kind(resource.KindListenerSet), Namespace: gwapiv1.Namespace("xls"), }, }, @@ -1958,22 +1957,22 @@ func TestProcessXListenerSets(t *testing.T) { { name: "matching gateway with TLS secret and XLS all in different namespaces", - xls: &gwapixv1a1.XListenerSet{ + xls: &gwapiv1.ListenerSet{ ObjectMeta: metav1.ObjectMeta{ Name: "test-xls", Namespace: "xls", }, - Spec: gwapixv1a1.ListenerSetSpec{ - ParentRef: gwapixv1a1.ParentGatewayReference{ - Name: gwapixv1a1.ObjectName("test-gateway"), + Spec: gwapiv1.ListenerSetSpec{ + ParentRef: gwapiv1.ParentGatewayReference{ + Name: gwapiv1.ObjectName("test-gateway"), Namespace: ptr.To(gwapiv1.Namespace("gateway")), }, - Listeners: []gwapixv1a1.ListenerEntry{ + Listeners: []gwapiv1.ListenerEntry{ { - Name: gwapixv1a1.SectionName("https"), - Protocol: gwapixv1a1.ProtocolType("HTTPS"), - Port: gwapixv1a1.PortNumber(8443), - TLS: &gwapixv1a1.ListenerTLSConfig{ + Name: gwapiv1.SectionName("https"), + Protocol: gwapiv1.ProtocolType("HTTPS"), + Port: gwapiv1.PortNumber(8443), + TLS: &gwapiv1.ListenerTLSConfig{ Mode: ptr.To(gwapiv1.TLSModeTerminate), CertificateRefs: []gwapiv1.SecretObjectReference{{ Name: gwapiv1.ObjectName("listener-cert"), @@ -1997,22 +1996,22 @@ func TestProcessXListenerSets(t *testing.T) { { name: "non-matching gateway", - xls: &gwapixv1a1.XListenerSet{ + xls: &gwapiv1.ListenerSet{ ObjectMeta: metav1.ObjectMeta{ Name: "test-xls", Namespace: "default", }, - Spec: gwapixv1a1.ListenerSetSpec{ - ParentRef: gwapixv1a1.ParentGatewayReference{ - Name: gwapixv1a1.ObjectName("other-gateway"), + Spec: gwapiv1.ListenerSetSpec{ + ParentRef: gwapiv1.ParentGatewayReference{ + Name: gwapiv1.ObjectName("other-gateway"), Namespace: ptr.To(gwapiv1.Namespace("default")), }, - Listeners: []gwapixv1a1.ListenerEntry{ + Listeners: []gwapiv1.ListenerEntry{ { - Name: gwapixv1a1.SectionName("http"), - Protocol: gwapixv1a1.ProtocolType("HTTPS"), - Port: gwapixv1a1.PortNumber(8080), - TLS: &gwapixv1a1.ListenerTLSConfig{ + Name: gwapiv1.SectionName("http"), + Protocol: gwapiv1.ProtocolType("HTTPS"), + Port: gwapiv1.PortNumber(8080), + TLS: &gwapiv1.ListenerTLSConfig{ Mode: ptr.To(gwapiv1.TLSModeTerminate), CertificateRefs: []gwapiv1.SecretObjectReference{{ Name: gwapiv1.ObjectName("listener-cert"), @@ -2041,7 +2040,7 @@ func TestProcessXListenerSets(t *testing.T) { fakeClient := fakeclient.NewClientBuilder(). WithScheme(scheme). WithObjects(objs...). - WithIndex(&gwapixv1a1.XListenerSet{}, gatewayXListenerSetIndex, gatewayXListenerSetIndexFunc). + WithIndex(&gwapiv1.ListenerSet{}, gatewayListenerSetIndex, gatewayListenerSetIndexFunc). WithIndex(&gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, getReferenceGrantIndexerFunc). Build() @@ -2053,14 +2052,14 @@ func TestProcessXListenerSets(t *testing.T) { resourceTree := resource.NewResources() resourceMap := newResourceMapping() gatewayNamespaceName := tc.gatewayNamespace + "/test-gateway" - err := r.processXListenerSets( + err := r.processListenerSets( context.Background(), gatewayNamespaceName, resourceMap, resourceTree) require.NoError(t, err) - require.Len(t, resourceTree.XListenerSets, tc.expectXLSCount) + require.Len(t, resourceTree.ListenerSets, tc.expectXLSCount) if tc.expectSecretRef { require.Contains(t, resourceTree.Secrets, tc.secret) } diff --git a/internal/provider/kubernetes/helpers.go b/internal/provider/kubernetes/helpers.go index c3ccfb5dac..dd900a8fcd 100644 --- a/internal/provider/kubernetes/helpers.go +++ b/internal/provider/kubernetes/helpers.go @@ -15,7 +15,6 @@ import ( toolscache "k8s.io/client-go/tools/cache" "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" mcsapiv1a1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -139,7 +138,7 @@ func terminatesTLS(listener *gwapiv1.Listener) bool { return false } -func isListenerEntryTerminatesTLS(listenerEntry *gwapixv1a1.ListenerEntry) bool { +func isListenerEntryTerminatesTLS(listenerEntry *gwapiv1.ListenerEntry) bool { if listenerEntry.TLS != nil && (listenerEntry.Protocol == gwapiv1.HTTPSProtocolType || listenerEntry.Protocol == gwapiv1.TLSProtocolType) && diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index 72467979a7..d13042e0bd 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go @@ -16,7 +16,6 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" @@ -27,12 +26,12 @@ const ( classGatewayIndex = "classGatewayIndex" gatewayTLSRouteIndex = "gatewayTLSRouteIndex" gatewayHTTPRouteIndex = "gatewayHTTPRouteIndex" - xListenerHTTPRouteIndex = "xlistenerHTTPRouteIndex" - xListenerGRPCRouteIndex = "xlistenerGRPCRouteIndex" - xListenerTLSRouteIndex = "xlistenerTLSRouteIndex" - xListenerTCPRouteIndex = "xlistenerTCPRouteIndex" - xListenerUDPRouteIndex = "xlistenerUDPRouteIndex" - gatewayXListenerSetIndex = "gatewayXListenerSetIndex" + listenerSetHTTPRouteIndex = "listenerSetHTTPRouteIndex" + listenerSetGRPCRouteIndex = "listenerSetGRPCRouteIndex" + listenerSetTLSRouteIndex = "listenerSetTLSRouteIndex" + listenerSetTCPRouteIndex = "listenerSetTCPRouteIndex" + listenerSetUDPRouteIndex = "listenerSetUDPRouteIndex" + gatewayListenerSetIndex = "gatewayListenerSetIndex" gatewayGRPCRouteIndex = "gatewayGRPCRouteIndex" gatewayTCPRouteIndex = "gatewayTCPRouteIndex" gatewayUDPRouteIndex = "gatewayUDPRouteIndex" @@ -90,7 +89,7 @@ func addHTTPRouteIndexers(ctx context.Context, mgr manager.Manager) error { if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.HTTPRoute{}, gatewayHTTPRouteIndex, gatewayHTTPRouteIndexFunc); err != nil { return err } - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.HTTPRoute{}, xListenerHTTPRouteIndex, xListenerHTTPRouteIndexFunc); err != nil { + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.HTTPRoute{}, listenerSetHTTPRouteIndex, listenerSetHTTPRouteIndexFunc); err != nil { return err } @@ -105,17 +104,17 @@ func addHTTPRouteIndexers(ctx context.Context, mgr manager.Manager) error { return nil } -func addXListenerSetIndexers(ctx context.Context, mgr manager.Manager) error { - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapixv1a1.XListenerSet{}, gatewayXListenerSetIndex, gatewayXListenerSetIndexFunc); err != nil { +func addListenerSetIndexers(ctx context.Context, mgr manager.Manager) error { + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.ListenerSet{}, gatewayListenerSetIndex, gatewayListenerSetIndexFunc); err != nil { return err } return nil } -func gatewayXListenerSetIndexFunc(rawObj client.Object) []string { - parent := rawObj.(*gwapixv1a1.XListenerSet).Spec.ParentRef +func gatewayListenerSetIndexFunc(rawObj client.Object) []string { + parent := rawObj.(*gwapiv1.ListenerSet).Spec.ParentRef if parent.Kind == nil || string(*parent.Kind) == resource.KindGateway { - // If an explicit Gateway namespace is not provided, use the XListenerSet namespace to + // If an explicit Gateway namespace is not provided, use the ListenerSet namespace to // lookup the provided Gateway Name. return []string{ types.NamespacedName{ @@ -146,13 +145,13 @@ func gatewayHTTPRouteIndexFunc(rawObj client.Object) []string { return gateways } -func xListenerHTTPRouteIndexFunc(rawObj client.Object) []string { +func listenerSetHTTPRouteIndexFunc(rawObj client.Object) []string { httproute := rawObj.(*gwapiv1.HTTPRoute) - xlisteners := make([]string, 0, len(httproute.Spec.ParentRefs)) + listenerSets := make([]string, 0, len(httproute.Spec.ParentRefs)) for _, parent := range httproute.Spec.ParentRefs { - if parent.Group != nil && string(*parent.Group) == gwapixv1a1.GroupVersion.Group && - parent.Kind != nil && string(*parent.Kind) == resource.KindXListenerSet { - xlisteners = append(xlisteners, + if parent.Group != nil && string(*parent.Group) == gwapiv1.GroupVersion.Group && + parent.Kind != nil && string(*parent.Kind) == resource.KindListenerSet { + listenerSets = append(listenerSets, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(parent.Namespace, httproute.Namespace), Name: string(parent.Name), @@ -160,7 +159,7 @@ func xListenerHTTPRouteIndexFunc(rawObj client.Object) []string { ) } } - return xlisteners + return listenerSets } func backendHTTPRouteIndexFunc(rawObj client.Object) []string { @@ -354,7 +353,7 @@ func addGRPCRouteIndexers(ctx context.Context, mgr manager.Manager) error { if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.GRPCRoute{}, gatewayGRPCRouteIndex, gatewayGRPCRouteIndexFunc); err != nil { return err } - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.GRPCRoute{}, xListenerGRPCRouteIndex, xListenerGRPCRouteIndexFunc); err != nil { + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.GRPCRoute{}, listenerSetGRPCRouteIndex, listenerSetGRPCRouteIndexFunc); err != nil { return err } @@ -365,13 +364,13 @@ func addGRPCRouteIndexers(ctx context.Context, mgr manager.Manager) error { return nil } -func xListenerGRPCRouteIndexFunc(rawObj client.Object) []string { +func listenerSetGRPCRouteIndexFunc(rawObj client.Object) []string { grpcRoute := rawObj.(*gwapiv1.GRPCRoute) - xlisteners := make([]string, 0, len(grpcRoute.Spec.ParentRefs)) + listenerSets := make([]string, 0, len(grpcRoute.Spec.ParentRefs)) for _, parent := range grpcRoute.Spec.ParentRefs { - if parent.Group != nil && string(*parent.Group) == gwapixv1a1.GroupVersion.Group && - parent.Kind != nil && string(*parent.Kind) == resource.KindXListenerSet { - xlisteners = append(xlisteners, + if parent.Group != nil && string(*parent.Group) == gwapiv1.GroupVersion.Group && + parent.Kind != nil && string(*parent.Kind) == resource.KindListenerSet { + listenerSets = append(listenerSets, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(parent.Namespace, grpcRoute.Namespace), Name: string(parent.Name), @@ -379,16 +378,16 @@ func xListenerGRPCRouteIndexFunc(rawObj client.Object) []string { ) } } - return xlisteners + return listenerSets } -func xListenerTLSRouteIndexFunc(rawObj client.Object) []string { +func listenerSetTLSRouteIndexFunc(rawObj client.Object) []string { tlsRoute := rawObj.(*gwapiv1a3.TLSRoute) - xlisteners := make([]string, 0, len(tlsRoute.Spec.ParentRefs)) + listenerSets := make([]string, 0, len(tlsRoute.Spec.ParentRefs)) for _, parent := range tlsRoute.Spec.ParentRefs { - if parent.Group != nil && string(*parent.Group) == gwapixv1a1.GroupVersion.Group && - parent.Kind != nil && string(*parent.Kind) == resource.KindXListenerSet { - xlisteners = append(xlisteners, + if parent.Group != nil && string(*parent.Group) == gwapiv1.GroupVersion.Group && + parent.Kind != nil && string(*parent.Kind) == resource.KindListenerSet { + listenerSets = append(listenerSets, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(parent.Namespace, tlsRoute.Namespace), Name: string(parent.Name), @@ -396,16 +395,16 @@ func xListenerTLSRouteIndexFunc(rawObj client.Object) []string { ) } } - return xlisteners + return listenerSets } -func xListenerTCPRouteIndexFunc(rawObj client.Object) []string { +func listenerSetTCPRouteIndexFunc(rawObj client.Object) []string { tcpRoute := rawObj.(*gwapiv1a2.TCPRoute) - xlisteners := make([]string, 0, len(tcpRoute.Spec.ParentRefs)) + listenerSets := make([]string, 0, len(tcpRoute.Spec.ParentRefs)) for _, parent := range tcpRoute.Spec.ParentRefs { - if parent.Group != nil && string(*parent.Group) == gwapixv1a1.GroupVersion.Group && - parent.Kind != nil && string(*parent.Kind) == resource.KindXListenerSet { - xlisteners = append(xlisteners, + if parent.Group != nil && string(*parent.Group) == gwapiv1.GroupVersion.Group && + parent.Kind != nil && string(*parent.Kind) == resource.KindListenerSet { + listenerSets = append(listenerSets, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(parent.Namespace, tcpRoute.Namespace), Name: string(parent.Name), @@ -413,16 +412,16 @@ func xListenerTCPRouteIndexFunc(rawObj client.Object) []string { ) } } - return xlisteners + return listenerSets } -func xListenerUDPRouteIndexFunc(rawObj client.Object) []string { +func listenerSetUDPRouteIndexFunc(rawObj client.Object) []string { udpRoute := rawObj.(*gwapiv1a2.UDPRoute) - xlisteners := make([]string, 0, len(udpRoute.Spec.ParentRefs)) + listenerSets := make([]string, 0, len(udpRoute.Spec.ParentRefs)) for _, parent := range udpRoute.Spec.ParentRefs { - if parent.Group != nil && string(*parent.Group) == gwapixv1a1.GroupVersion.Group && - parent.Kind != nil && string(*parent.Kind) == resource.KindXListenerSet { - xlisteners = append(xlisteners, + if parent.Group != nil && string(*parent.Group) == gwapiv1.GroupVersion.Group && + parent.Kind != nil && string(*parent.Kind) == resource.KindListenerSet { + listenerSets = append(listenerSets, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(parent.Namespace, udpRoute.Namespace), Name: string(parent.Name), @@ -430,7 +429,7 @@ func xListenerUDPRouteIndexFunc(rawObj client.Object) []string { ) } } - return xlisteners + return listenerSets } func gatewayGRPCRouteIndexFunc(rawObj client.Object) []string { @@ -478,7 +477,7 @@ func addTLSRouteIndexers(ctx context.Context, mgr manager.Manager) error { if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.TLSRoute{}, gatewayTLSRouteIndex, gatewayTLSRouteIndexFunc); err != nil { return err } - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.TLSRoute{}, xListenerTLSRouteIndex, xListenerTLSRouteIndexFunc); err != nil { + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.TLSRoute{}, listenerSetTLSRouteIndex, listenerSetTLSRouteIndexFunc); err != nil { return err } @@ -533,7 +532,7 @@ func addTCPRouteIndexers(ctx context.Context, mgr manager.Manager) error { if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.TCPRoute{}, gatewayTCPRouteIndex, gatewayTCPRouteIndexFunc); err != nil { return err } - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.TCPRoute{}, xListenerTCPRouteIndex, xListenerTCPRouteIndexFunc); err != nil { + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.TCPRoute{}, listenerSetTCPRouteIndex, listenerSetTCPRouteIndexFunc); err != nil { return err } @@ -590,7 +589,7 @@ func addUDPRouteIndexers(ctx context.Context, mgr manager.Manager) error { if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.UDPRoute{}, gatewayUDPRouteIndex, gatewayUDPRouteIndexFunc); err != nil { return err } - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.UDPRoute{}, xListenerUDPRouteIndex, xListenerUDPRouteIndexFunc); err != nil { + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a2.UDPRoute{}, listenerSetUDPRouteIndex, listenerSetUDPRouteIndexFunc); err != nil { return err } diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index e5913fd806..741c016020 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go @@ -110,7 +110,7 @@ func TestProvider(t *testing.T) { func startEnv() (*envtest.Environment, *rest.Config, error) { log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) - gwAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "crds", "gatewayapi-crds.yaml") + gwAPIs := filepath.Join("..", "..", "..", "gatewayapi-crds.yaml") egAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "crds", "generated") mcsAPIs := filepath.Join(".", "testdata", "crds", "multicluster-svc.yaml") @@ -985,7 +985,7 @@ func testTLSRoute(ctx context.Context, t *testing.T, provider *Provider, resourc Name: "tlsroute-test", Namespace: ns.Name, }, - Spec: gwapiv1a3.TLSRouteSpec{ + Spec: gwapiv1.TLSRouteSpec{ CommonRouteSpec: gwapiv1.CommonRouteSpec{ ParentRefs: []gwapiv1.ParentReference{ { @@ -994,7 +994,7 @@ func testTLSRoute(ctx context.Context, t *testing.T, provider *Provider, resourc }, }, Hostnames: []gwapiv1a2.Hostname{"test.hostname.local"}, - Rules: []gwapiv1a2.TLSRouteRule{ + Rules: []gwapiv1.TLSRouteRule{ { BackendRefs: []gwapiv1a2.BackendRef{ { @@ -1133,14 +1133,14 @@ func testServiceCleanupForMultipleRoutes(ctx context.Context, t *testing.T, prov Name: "tlsroute-test", Namespace: ns.Name, }, - Spec: gwapiv1a3.TLSRouteSpec{ + Spec: gwapiv1.TLSRouteSpec{ CommonRouteSpec: gwapiv1.CommonRouteSpec{ ParentRefs: []gwapiv1.ParentReference{{ Name: gwapiv1.ObjectName(gw.Name), }}, }, Hostnames: []gwapiv1a2.Hostname{"test-tls.hostname.local"}, - Rules: []gwapiv1a2.TLSRouteRule{ + Rules: []gwapiv1.TLSRouteRule{ { BackendRefs: []gwapiv1a2.BackendRef{ { diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 41bc6ef9ad..c684b419ce 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -1353,7 +1353,7 @@ func TestValidateServiceForReconcile(t *testing.T) { r := gatewayAPIReconciler{ classController: egv1a1.GatewayControllerName, log: logger, - mergeGateways: sets.New[string]("test-mg"), + mergeGateways: sets.New("test-mg"), resources: &message.ProviderResources{}, grpcRouteCRDExists: true, tcpRouteCRDExists: true, @@ -1472,7 +1472,7 @@ func TestValidateObjectForReconcile(t *testing.T) { r := gatewayAPIReconciler{ classController: egv1a1.GatewayControllerName, log: logger, - mergeGateways: sets.New[string]("test-mg"), + mergeGateways: sets.New("test-mg"), resources: &message.ProviderResources{}, } diff --git a/internal/provider/kubernetes/resource.go b/internal/provider/kubernetes/resource.go index 3fec52e8b1..73b4dbe036 100644 --- a/internal/provider/kubernetes/resource.go +++ b/internal/provider/kubernetes/resource.go @@ -71,10 +71,10 @@ type resourceMappings struct { // allAssociatedClusterTrustBundles is a set of all ClusterTrustBundles' name // key is the name of ClusterTrustBundle, because ClusterTrustBundle is cluster-scoped resource allAssociatedClusterTrustBundles sets.Set[string] - // Set for storing XListenerSets' NamespacedNames attaching to Gateways. - allAssociatedXListenerSets sets.Set[string] - // Map storing XListenerSets per Gateway (keyed by gateway namespace/name string). - gatewayToXListenerSets map[string][]types.NamespacedName + // Set for storing ListenerSets' NamespacedNames attaching to Gateways. + allAssociatedListenerSets sets.Set[string] + // Map storing ListenerSets per Gateway (keyed by gateway namespace/name string). + gatewayToListenerSets map[string][]types.NamespacedName } func newResourceMapping() *resourceMappings { @@ -105,7 +105,7 @@ func newResourceMapping() *resourceMappings { allAssociatedHTTPRouteExtensionFilters: sets.New[utils.NamespacedNameWithGroupKind](), allAssociatedBackendRefExtensionFilters: sets.New[utils.NamespacedNameWithGroupKind](), allAssociatedClusterTrustBundles: sets.New[string](), - allAssociatedXListenerSets: sets.New[string](), - gatewayToXListenerSets: make(map[string][]types.NamespacedName), + allAssociatedListenerSets: sets.New[string](), + gatewayToListenerSets: make(map[string][]types.NamespacedName), } } diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index cbe93d7ac8..943f362835 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -72,7 +72,7 @@ func (r *gatewayAPIReconciler) processTLSRoute(ctx context.Context, tlsRoute *gw resourceMap.allAssociatedTLSRoutes.Insert(key) // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer - tlsRoute.Status = gwapiv1a2.TLSRouteStatus{} + tlsRoute.Status = gwapiv1.TLSRouteStatus{} resourceTree.TLSRoutes = append(resourceTree.TLSRoutes, tlsRoute) } @@ -96,13 +96,13 @@ func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayName r.processTLSRoute(ctx, tlsRoute, resourceMap, resourceTree) } - // Process TLSRoutes attached to the xListenerSet - for _, xlsNN := range resourceMap.gatewayToXListenerSets[gatewayNamespaceName] { + // Process TLSRoutes attached to the ListenerSet + for _, xlsNN := range resourceMap.gatewayToListenerSets[gatewayNamespaceName] { tlsRouteList = &gwapiv1a3.TLSRouteList{} if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(xListenerTLSRouteIndex, xlsNN.String()), + FieldSelector: fields.OneTermEqualSelector(listenerSetTLSRouteIndex, xlsNN.String()), }); err != nil { - r.log.Error(err, "failed to list TLSRoutes by XListenerSet", "xListenerSet", xlsNN.String()) + r.log.Error(err, "failed to list TLSRoutes by ListenerSet", "listenerSet", xlsNN.String()) return err } for i := range tlsRouteList.Items { @@ -133,13 +133,13 @@ func (r *gatewayAPIReconciler) processGRPCRoutes(ctx context.Context, gatewayNam r.processGRPCRoute(ctx, grpcRoute, resourceMap, resourceTree) } - // Process GRPCRoutes attached to the xListenerSet - for _, xlsNN := range resourceMap.gatewayToXListenerSets[gatewayNamespaceName] { + // Process GRPCRoutes attached to the ListenerSet + for _, xlsNN := range resourceMap.gatewayToListenerSets[gatewayNamespaceName] { grpcRouteList = &gwapiv1.GRPCRouteList{} if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(xListenerGRPCRouteIndex, xlsNN.String()), + FieldSelector: fields.OneTermEqualSelector(listenerSetGRPCRouteIndex, xlsNN.String()), }); err != nil { - r.log.Error(err, "failed to list GRPCRoutes by XListenerSet", "xListenerSet", xlsNN.String()) + r.log.Error(err, "failed to list GRPCRoutes by ListenerSet", "listenerSet", xlsNN.String()) return err } for i := range grpcRouteList.Items { @@ -276,13 +276,13 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam r.processHTTPRoute(ctx, httpRoute, resourceMap, resourceTree) } - // Process HTTPRoutes attached to the xListenerSet - for _, xlsNN := range resourceMap.gatewayToXListenerSets[gatewayNamespaceName] { + // Process HTTPRoutes attached to the ListenerSet + for _, lsNN := range resourceMap.gatewayToListenerSets[gatewayNamespaceName] { httpRouteList = &gwapiv1.HTTPRouteList{} if err := r.client.List(ctx, httpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(xListenerHTTPRouteIndex, xlsNN.String()), + FieldSelector: fields.OneTermEqualSelector(listenerSetHTTPRouteIndex, lsNN.String()), }); err != nil { - r.log.Error(err, "failed to list HTTPRoutes by XListenerSet", "xListenerSet", xlsNN.String()) + r.log.Error(err, "failed to list HTTPRoutes by ListenerSet", "listenerSet", lsNN.String()) return err } for i := range httpRouteList.Items { @@ -528,13 +528,13 @@ func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayName r.processTCPRoute(ctx, tcpRoute, resourceMap, resourceTree) } - // Process TCPRoutes attached to the xListenerSet - for _, xlsNN := range resourceMap.gatewayToXListenerSets[gatewayNamespaceName] { + // Process TCPRoutes attached to the ListenerSet + for _, lsNN := range resourceMap.gatewayToListenerSets[gatewayNamespaceName] { tcpRouteList = &gwapiv1a2.TCPRouteList{} if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(xListenerTCPRouteIndex, xlsNN.String()), + FieldSelector: fields.OneTermEqualSelector(listenerSetTCPRouteIndex, lsNN.String()), }); err != nil { - r.log.Error(err, "failed to list TCPRoutes by XListenerSet", "xListenerSet", xlsNN.String()) + r.log.Error(err, "failed to list TCPRoutes by ListenerSet", "listenerSet", lsNN.String()) return err } for i := range tcpRouteList.Items { @@ -617,13 +617,13 @@ func (r *gatewayAPIReconciler) processUDPRoutes(ctx context.Context, gatewayName r.processUDPRoute(ctx, udpRoute, resourceMap, resourceTree) } - // Process UDPRoutes attached to the xListenerSet - for _, xlsNN := range resourceMap.gatewayToXListenerSets[gatewayNamespaceName] { + // Process UDPRoutes attached to the ListenerSet + for _, lsNN := range resourceMap.gatewayToListenerSets[gatewayNamespaceName] { udpRouteList = &gwapiv1a2.UDPRouteList{} if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(xListenerUDPRouteIndex, xlsNN.String()), + FieldSelector: fields.OneTermEqualSelector(listenerSetUDPRouteIndex, lsNN.String()), }); err != nil { - r.log.Error(err, "failed to list UDPRoutes by XListenerSet", "xListenerSet", xlsNN.String()) + r.log.Error(err, "failed to list UDPRoutes by ListenerSet", "listenerSet", lsNN.String()) return err } for i := range udpRouteList.Items { diff --git a/internal/provider/kubernetes/routes_test.go b/internal/provider/kubernetes/routes_test.go index 2770484774..967204d39b 100644 --- a/internal/provider/kubernetes/routes_test.go +++ b/internal/provider/kubernetes/routes_test.go @@ -26,7 +26,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" gwapischeme "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/scheme" mcsapiv1a1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" @@ -721,11 +720,11 @@ func TestProcessGRPCRoutes(t *testing.T) { gwNsName := utils.NamespacedName(gw).String() testCases := []struct { - name string - routes []*gwapiv1.GRPCRoute - extensionAPIGroups []schema.GroupVersionKind - gatewayToXListenerSets []types.NamespacedName - expected bool + name string + routes []*gwapiv1.GRPCRoute + extensionAPIGroups []schema.GroupVersionKind + gatewayToListenerSets []types.NamespacedName + expected bool }{ { name: "valid grpcroute", @@ -771,7 +770,7 @@ func TestProcessGRPCRoutes(t *testing.T) { expected: true, }, { - name: "grpcroute referencing xlistenerset", + name: "grpcroute referencing listenerset", routes: []*gwapiv1.GRPCRoute{ { ObjectMeta: metav1.ObjectMeta{ @@ -782,9 +781,9 @@ func TestProcessGRPCRoutes(t *testing.T) { CommonRouteSpec: gwapiv1.CommonRouteSpec{ ParentRefs: []gwapiv1.ParentReference{ { - Group: gatewayapi.GroupPtr(gwapixv1a1.GroupVersion.Group), - Kind: gatewayapi.KindPtr(resource.KindXListenerSet), - Name: "xlistener-set", + Group: gatewayapi.GroupPtr(gwapiv1.GroupVersion.Group), + Kind: gatewayapi.KindPtr(resource.KindListenerSet), + Name: "listener-set", Namespace: gatewayapi.NamespacePtr("test"), SectionName: gatewayapi.SectionNamePtr("extra-grpc"), }, @@ -806,11 +805,11 @@ func TestProcessGRPCRoutes(t *testing.T) { }, }, }, - gatewayToXListenerSets: []types.NamespacedName{{Namespace: "test", Name: "xlistener-set"}}, - expected: true, + gatewayToListenerSets: []types.NamespacedName{{Namespace: "test", Name: "listener-set"}}, + expected: true, }, { - name: "grpcroute referencing gateway and xlistenerset", + name: "grpcroute referencing gateway and listenerSet", routes: []*gwapiv1.GRPCRoute{ { ObjectMeta: metav1.ObjectMeta{ @@ -825,8 +824,8 @@ func TestProcessGRPCRoutes(t *testing.T) { }, { Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(resource.KindXListenerSet), - Name: "xlistener-set", + Kind: gatewayapi.KindPtr(resource.KindListenerSet), + Name: "listener-set", Namespace: gatewayapi.NamespacePtr("test"), SectionName: gatewayapi.SectionNamePtr("extra-grpc"), }, @@ -848,8 +847,8 @@ func TestProcessGRPCRoutes(t *testing.T) { }, }, }, - gatewayToXListenerSets: []types.NamespacedName{{Namespace: "test", Name: "xlistener-set"}}, - expected: true, + gatewayToListenerSets: []types.NamespacedName{{Namespace: "test", Name: "listener-set"}}, + expected: true, }, } @@ -881,14 +880,14 @@ func TestProcessGRPCRoutes(t *testing.T) { WithScheme(envoygateway.GetScheme()). WithObjects(objs...). WithIndex(&gwapiv1.GRPCRoute{}, gatewayGRPCRouteIndex, gatewayGRPCRouteIndexFunc). - WithIndex(&gwapiv1.GRPCRoute{}, xListenerGRPCRouteIndex, xListenerGRPCRouteIndexFunc). + WithIndex(&gwapiv1.GRPCRoute{}, listenerSetGRPCRouteIndex, listenerSetGRPCRouteIndexFunc). Build() // Process the test case httproutes. resourceTree := resource.NewResources() resourceMap := newResourceMapping() - if len(tc.gatewayToXListenerSets) > 0 { - resourceMap.gatewayToXListenerSets[gwNsName] = append(resourceMap.gatewayToXListenerSets[gwNsName], tc.gatewayToXListenerSets...) + if len(tc.gatewayToListenerSets) > 0 { + resourceMap.gatewayToListenerSets[gwNsName] = append(resourceMap.gatewayToListenerSets[gwNsName], tc.gatewayToListenerSets...) } err := r.processGRPCRoutes(ctx, gwNsName, resourceMap, resourceTree) if tc.expected { diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index 31603e7700..b045d0797b 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -16,7 +16,6 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" @@ -176,7 +175,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context message.HandleSubscription(r.log, message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.TLSRouteStatusMessageName}, r.subscriptions.tlsRouteStatuses, - func(update message.Update[types.NamespacedName, *gwapiv1a2.TLSRouteStatus], errChan chan error) { + func(update message.Update[types.NamespacedName, *gwapiv1.TLSRouteStatus], errChan chan error) { // skip delete updates. if update.Delete { return @@ -199,7 +198,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context TypeMeta: t.TypeMeta, ObjectMeta: t.ObjectMeta, Spec: t.Spec, - Status: gwapiv1a2.TLSRouteStatus{ + Status: gwapiv1.TLSRouteStatus{ RouteStatus: gwapiv1.RouteStatus{ Parents: mergeRouteParentStatus(t.Namespace, t.Status.Parents, valCopy.Parents), }, @@ -297,20 +296,20 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context r.log.Info("udpRoute status subscriber shutting down") }() - // XListenerSet object status updater + // ListenerSet object status updater go func() { message.HandleSubscription(r.log, - message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.XListenerSetStatusMessageName}, - r.subscriptions.xListenerSetStatuses, - func(update message.Update[types.NamespacedName, *gwapixv1a1.ListenerSetStatus], errChan chan error) { + message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.ListenerSetStatusMessageName}, + r.subscriptions.listenerSetStatuses, + func(update message.Update[types.NamespacedName, *gwapiv1.ListenerSetStatus], errChan chan error) { if update.Delete { return } r.statusUpdater.Send(Update{ NamespacedName: update.Key, - Resource: new(gwapixv1a1.XListenerSet), + Resource: new(gwapiv1.ListenerSet), Mutator: MutatorFunc(func(obj client.Object) client.Object { - xls, ok := obj.(*gwapixv1a1.XListenerSet) + xls, ok := obj.(*gwapiv1.ListenerSet) if !ok { err := fmt.Errorf("unsupported object type %T", obj) errChan <- err @@ -321,7 +320,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context for i := range statusCopy.Listeners { setLastTransitionTimeInConditions(statusCopy.Listeners[i].Conditions, metav1.Now()) } - return &gwapixv1a1.XListenerSet{ + return &gwapiv1.ListenerSet{ TypeMeta: xls.TypeMeta, ObjectMeta: xls.ObjectMeta, Spec: xls.Spec, @@ -331,7 +330,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context }) }, ) - r.log.Info("xListenerSet status subscriber shutting down") + r.log.Info("listenerSet status subscriber shutting down") }() // EnvoyPatchPolicy object status updater diff --git a/internal/provider/kubernetes/test/utils.go b/internal/provider/kubernetes/test/utils.go index ba01fe17f8..01556f6fe3 100644 --- a/internal/provider/kubernetes/test/utils.go +++ b/internal/provider/kubernetes/test/utils.go @@ -209,14 +209,14 @@ func GetTLSRoute(nsName types.NamespacedName, parent string, serviceName types.N Namespace: nsName.Namespace, Name: nsName.Name, }, - Spec: gwapiv1a3.TLSRouteSpec{ + Spec: gwapiv1.TLSRouteSpec{ Hostnames: []gwapiv1a3.Hostname{"example.com"}, CommonRouteSpec: gwapiv1.CommonRouteSpec{ ParentRefs: []gwapiv1.ParentReference{ {Name: gwapiv1.ObjectName(parent)}, }, }, - Rules: []gwapiv1a2.TLSRouteRule{ + Rules: []gwapiv1.TLSRouteRule{ { BackendRefs: []gwapiv1a2.BackendRef{ { diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index b4e5822d70..0bda187dbf 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2290,9 +2290,6 @@ GatewayAPI defines an experimental Gateway API resource that can be enabled. _Appears in:_ - [GatewayAPISettings](#gatewayapisettings) -| Value | Description | -| ----- | ----------- | -| `XListenerSet` | XListenerSet enables the Gateway API XListenerSet resource.
| #### GatewayAPISettings diff --git a/test/conformance/suite.go b/test/conformance/suite.go index e4e505294d..39abf5e31c 100644 --- a/test/conformance/suite.go +++ b/test/conformance/suite.go @@ -17,11 +17,8 @@ func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { skipTests := []suite.ConformanceTest{ tests.GatewayStaticAddresses, // TODO: fix following conformance tests - tests.ListenerSetCrossNamespace, tests.ListenerSetHostnameConflict, - tests.ListenerSetNotAllowed, tests.ListenerSetProtocolConflict, - tests.ListenerSetSameNamespace, tests.TLSRouteHostnameIntersection, tests.TLSRouteInvalidNoMatchingListener, tests.TLSRouteInvalidNoMatchingListenerHostname, @@ -58,7 +55,7 @@ func SkipFeatures(gatewayNamespaceMode bool) sets.Set[features.FeatureName] { return sets.New( features.GatewayStaticAddressesFeature.Name, features.GatewayInfrastructurePropagationFeature.Name, - features.GatewayListenerSetFeature.Name, + features.ListenerSetFeature.Name, ) } diff --git a/test/e2e/testdata/xlistenerset-base.yaml b/test/e2e/testdata/xlistenerset-base.yaml index 9396fbb813..f7d75cb5cf 100644 --- a/test/e2e/testdata/xlistenerset-base.yaml +++ b/test/e2e/testdata/xlistenerset-base.yaml @@ -31,8 +31,8 @@ data: tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRGhld2xHd3BTaTRacFkKWG5KMENHSm9kUUszOEZWeTcxMllTVWh2RjdzQUcxR3Jpam1GQVgyd0pBVDJzaVZEZTk3Tzg0bWxkQ1lyMXU3bgpxZWprT3QwNW44WkE1cjZPUWVCZ1prcktZZnI0cjg3Q3lOU05iRGdVUWtZSDdRWnNBVjNpakpqZlptSlZPR21JCk8wUkViMzlYUVVPeEIya25adkFQa1lQcGdKMHdCT0tiZkZ4QVJDN2JLRnovQ0FUTnBENU1BUVppRGxRck1TV08KQVhNUUw0eHpEM2FUUk50ZVVtdUZsbFcySERmclcwNkRsNDhZVGZrdmxVN2xiSDVIQUFWN2ZJL2RScmJoT0l0RQpqM1JHaUdqK0JLWDFKWUlxOGVxckFxbm52c3JBSnBMNG5LNnlhVTAvd282M3djRVBhaVBPSmZTSzdlN3dxVlFOCnRpWVVoTytiQWdNQkFBRUNnZ0VBVE9iNXN2aUtXVU00c1FzRlhpMjk0b0tGK3RZdFRwWDFCZ3Q0ZU90UERDcEYKSUl4ME1iamdkVUxUcm8venhhQnB6WXVpVnB2V3FQMFZYazNFOEpKakFWUk0rYlc1S0N1dnF6RTRNTzVaK3BkNwpuVk9CcXZwTjVocjBaNStmb1JhV1ByNVZKVngyRFRyQVE0WnpNaVFVK2wxNENOak9OSElYVGpnREZaQ1lDOWY2CnBSU2RJejZ3SjlqR1RsUzhuWHZnc053WHZ4TG1tZ2hpNFdKYWtqUlh5T0NFUkxlV1JzeThCU2pKY0YvYkpLdFIKVlpWT0JsL29Dd1l4TCtwZExBUkUzdDgyOVQyQ2h5S2pFM2htRXhZT2tEQjc5R21JcEN1QTJBVXgrVCtkbVQ5QQpta1ZHK29lNHlUQWdSK004cW41N3FNeWZ0U3hRdmFhRFQzQXA5eFU5QVFLQmdRRDdPeHlZQVVYMVpnR2kwc2JHCnh3V2xyMnRHSXFZcFdCMjh0d1R6RlVCaVI4MStrTml0bVpEN0E5N2c5RUpaSWtQbEhwMkhzeHlFeVlFRHRkcGkKdXhRb1ZlVWZRcmd4ZmIrZWdFZmtQUVJqVjFnRU9aRGIzOWNaT1hVVXJoMGtNY1R4dGtManQ3eE9RV3FsZ20wKwphcTlVcmtZOFMzTExSNExOdWVzMXFHL0NTUUtCZ1FEbHdzbW8yaEg1K25SeVFlOWpNencyUG01djJ6c0YxOW9XCmN0ODU3VFB6eG83M1psZFllL2lRdktzQzJxcWtwTHZtdWh5ZkxQV00xRHVOYzhwbURtRHpTTHFPbXc0b1BwUjYKaURtMXA3UmhraWxKS3NBZEVNaXFNQkJQRHVxQmNDNWo4ZFkwaUlhb3JDVTV2eGY4V090N3FaVTVEVkRza2xncwpwbVlMUnVSaXd3S0JnRnhMSHZvSW5iYkZQcHllYWova0pZTDBxcWdkV29XZHhXN3FuWHJmdDhOak5XN2xyM1EzCkVqZmsrQ0FVRzd1N0JzNUpMUDRKSXRUMVlkd0hGcTltb3NVZXFRbU83VFBoU2wva0tJVUVsWFFaUmxCbkJYeUIKQXZoVlQxbkZqUmNhNFlzYXRnQUtJN2RyK00zTTJHMHhyQytqeGxHb05nZlB3WkhxVnlwak1vdGhBb0dCQU1NLwo1ZmxNNEF2cjc3c05GeTdZNG1sQ1lyMUJzNFhDcWYxN3Z3Rk45MkZKTWtOQndDWmNxNTNzQnZPVStZQ1MwVzlBClo0UkpRNTVhMlFUYkNudng2aWUwZlgwa2ZVSnI4K2V4RGtHMTg0OGJFMlN2SkxWT2h3aEJjZ3FOSlhHNzhHQlUKcW5EWU9IN3NVM0lnVjNURjU4K2VERWFBYjIycTY2MTk5cWZNcGRiYkFvR0JBUFBFa2cvMXVRdldsZmtRd3RiSwpRV3B1WXlvNlliUWwrUktYUUJzaFpTSUZwQXJTNTRUYWNtREd6eWhRNXV0RDhQWUJkL3hDMDhYRXA4T3FTckhGCnh3MnFtd1ZWZ2hSY1FWOThTUUNiMGhqWWRaMHJxL0tEaXZxMnBJSlpEYmpxSWp0dHZrSGR3V0JWbnM3ZU5vU2IKVnV4QmhMcHNEU05qSFYzTE9MQ3k2R0UyCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K --- -apiVersion: gateway.networking.x-k8s.io/v1alpha1 -kind: XListenerSet +apiVersion: gateway.networking.k8s.io/v1 +kind: ListenerSet metadata: name: xlistener-set-http namespace: gateway-conformance-infra @@ -59,8 +59,8 @@ spec: namespaces: from: Same --- -apiVersion: gateway.networking.x-k8s.io/v1alpha1 -kind: XListenerSet +apiVersion: gateway.networking.k8s.io/v1 +kind: ListenerSet metadata: name: xlistener-set-grpc namespace: gateway-conformance-infra diff --git a/test/e2e/testdata/xlistenerset-grpc.yaml b/test/e2e/testdata/xlistenerset-grpc.yaml index 2d7ba06779..e7c7f0c77a 100644 --- a/test/e2e/testdata/xlistenerset-grpc.yaml +++ b/test/e2e/testdata/xlistenerset-grpc.yaml @@ -56,8 +56,8 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra name: xlistener-set-grpc sectionName: extra-grpc diff --git a/test/e2e/testdata/xlistenerset-http.yaml b/test/e2e/testdata/xlistenerset-http.yaml index 61da79555d..41f26c08bd 100644 --- a/test/e2e/testdata/xlistenerset-http.yaml +++ b/test/e2e/testdata/xlistenerset-http.yaml @@ -5,8 +5,8 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra name: xlistener-set-http sectionName: extra-http diff --git a/test/e2e/testdata/xlistenerset-https.yaml b/test/e2e/testdata/xlistenerset-https.yaml index 3ff76af501..3ddc02e0ff 100644 --- a/test/e2e/testdata/xlistenerset-https.yaml +++ b/test/e2e/testdata/xlistenerset-https.yaml @@ -7,8 +7,8 @@ spec: hostnames: - www.example.com parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra name: xlistener-set-http sectionName: extra-https diff --git a/test/e2e/testdata/xlistenerset-tcp.yaml b/test/e2e/testdata/xlistenerset-tcp.yaml index 105c8c6a08..1281822893 100644 --- a/test/e2e/testdata/xlistenerset-tcp.yaml +++ b/test/e2e/testdata/xlistenerset-tcp.yaml @@ -1,5 +1,5 @@ -apiVersion: gateway.networking.x-k8s.io/v1alpha1 -kind: XListenerSet +apiVersion: gateway.networking.k8s.io/v1 +kind: ListenerSet metadata: name: xlistener-set-tcp namespace: gateway-conformance-infra @@ -25,8 +25,8 @@ metadata: name: xlistener-tcproute spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra name: xlistener-set-tcp sectionName: extra-tcp diff --git a/test/e2e/testdata/xlistenerset-tls-passthrough.yaml b/test/e2e/testdata/xlistenerset-tls-passthrough.yaml index 59d4b13c53..deed539876 100644 --- a/test/e2e/testdata/xlistenerset-tls-passthrough.yaml +++ b/test/e2e/testdata/xlistenerset-tls-passthrough.yaml @@ -1,5 +1,5 @@ -apiVersion: gateway.networking.x-k8s.io/v1alpha1 -kind: XListenerSet +apiVersion: gateway.networking.k8s.io/v1 +kind: ListenerSet metadata: name: xlistener-set-tls-passthrough namespace: gateway-conformance-infra @@ -28,8 +28,8 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra name: xlistener-set-tls-passthrough sectionName: extra-tls diff --git a/test/e2e/testdata/xlistenerset-tls-termination.yaml b/test/e2e/testdata/xlistenerset-tls-termination.yaml index 9c6d765871..e44b5ab661 100644 --- a/test/e2e/testdata/xlistenerset-tls-termination.yaml +++ b/test/e2e/testdata/xlistenerset-tls-termination.yaml @@ -25,8 +25,8 @@ metadata: namespace: xlistenerset-tls-termination-secret spec: from: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra to: - group: "" @@ -34,8 +34,8 @@ spec: namespace: xlistenerset-tls-termination-secret name: xlistener-https-certificate --- -apiVersion: gateway.networking.x-k8s.io/v1alpha1 -kind: XListenerSet +apiVersion: gateway.networking.k8s.io/v1 +kind: ListenerSet metadata: name: xlistener-set-tls-termination namespace: gateway-conformance-infra @@ -67,8 +67,8 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra name: xlistener-set-tls-termination sectionName: extra-https-tls-termination diff --git a/test/e2e/testdata/xlistenerset-udp.yaml b/test/e2e/testdata/xlistenerset-udp.yaml index 2e5d2d5382..256ff7024b 100644 --- a/test/e2e/testdata/xlistenerset-udp.yaml +++ b/test/e2e/testdata/xlistenerset-udp.yaml @@ -1,5 +1,5 @@ -apiVersion: gateway.networking.x-k8s.io/v1alpha1 -kind: XListenerSet +apiVersion: gateway.networking.k8s.io/v1 +kind: ListenerSet metadata: name: xlistener-set-udp namespace: gateway-conformance-infra @@ -25,8 +25,8 @@ metadata: name: xlistener-udproute spec: parentRefs: - - group: gateway.networking.x-k8s.io - kind: XListenerSet + - group: gateway.networking.k8s.io + kind: ListenerSet namespace: gateway-conformance-infra name: xlistener-set-udp sectionName: extra-udp diff --git a/test/e2e/tests/xlistenerset.go b/test/e2e/tests/xlistenerset.go index f83b732a38..165c0431d3 100644 --- a/test/e2e/tests/xlistenerset.go +++ b/test/e2e/tests/xlistenerset.go @@ -22,7 +22,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - gwapixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1" "sigs.k8s.io/gateway-api/conformance/echo-basic/grpcechoserver" "sigs.k8s.io/gateway-api/conformance/utils/config" "sigs.k8s.io/gateway-api/conformance/utils/grpc" @@ -55,8 +54,8 @@ func getListenerAddr(gwAddrWithPort, port string) string { func createXListenerSetParent(controllerName, xlistenerSetName, sectionName string) gwapiv1.RouteParentStatus { return gwapiv1.RouteParentStatus{ ParentRef: gwapiv1.ParentReference{ - Group: gatewayapi.GroupPtr(gwapixv1a1.GroupVersion.Group), - Kind: gatewayapi.KindPtr(resource.KindXListenerSet), + Group: gatewayapi.GroupPtr(gwapiv1.GroupVersion.Group), + Kind: gatewayapi.KindPtr(resource.KindListenerSet), Name: gwapiv1.ObjectName(xlistenerSetName), Namespace: gatewayapi.NamespacePtr("gateway-conformance-infra"), SectionName: gatewayapi.SectionNamePtr(sectionName), diff --git a/test/go.mod b/test/go.mod index 83d04c15da..b358012028 100644 --- a/test/go.mod +++ b/test/go.mod @@ -4,9 +4,6 @@ go 1.25.7 replace github.com/envoyproxy/gateway => ../ -// TODO: remove this when v1.5.0 is released -replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.1-0.20260205205831-a8c4b5edbcde - require ( fortio.org/fortio v1.73.2 fortio.org/log v1.18.3 @@ -37,8 +34,8 @@ require ( k8s.io/kubectl v0.35.0 k8s.io/utils v0.0.0-20260108192941-914a6e750570 sigs.k8s.io/controller-runtime v0.23.1 - sigs.k8s.io/gateway-api v1.4.1 - sigs.k8s.io/gateway-api/conformance v0.0.0-20260205205831-a8c4b5edbcde + sigs.k8s.io/gateway-api v1.5.0-rc.1 + sigs.k8s.io/gateway-api/conformance v0.0.0-20260213022600-e0bee71fc23d sigs.k8s.io/yaml v1.6.0 ) @@ -94,7 +91,7 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/distribution/v3 v3.0.0 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v29.2.0+incompatible // indirect + github.com/docker/cli v29.2.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.9.4 // indirect github.com/docker/go-connections v0.6.0 // indirect @@ -104,7 +101,7 @@ require ( github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/envoyproxy/go-control-plane v0.14.0 // indirect github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 // indirect - github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260113062649-004b9ec70a46 // indirect + github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260127060829-c81ce9094f67 // indirect github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 // indirect github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 // indirect @@ -160,7 +157,7 @@ require ( github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/huandu/xstrings v1.5.0 // indirect @@ -260,16 +257,16 @@ require ( go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect - go.opentelemetry.io/otel v1.39.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 // indirect + go.opentelemetry.io/otel v1.40.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect - go.opentelemetry.io/otel/exporters/prometheus v0.61.0 // indirect - go.opentelemetry.io/otel/metric v1.39.0 // indirect - go.opentelemetry.io/otel/sdk v1.39.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect - go.opentelemetry.io/otel/trace v1.39.0 // indirect + go.opentelemetry.io/otel/exporters/prometheus v0.62.0 // indirect + go.opentelemetry.io/otel/metric v1.40.0 // indirect + go.opentelemetry.io/otel/sdk v1.40.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect + go.opentelemetry.io/otel/trace v1.40.0 // indirect go.podman.io/image/v5 v5.38.0 // indirect go.podman.io/storage v1.61.1-0.20260113143440-ec033ce69f13 // indirect go.uber.org/multierr v1.11.0 // indirect @@ -288,8 +285,8 @@ require ( golang.org/x/time v0.14.0 // indirect golang.org/x/tools v0.41.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/test/go.sum b/test/go.sum index 46e2677ea2..beabee5f4c 100644 --- a/test/go.sum +++ b/test/go.sum @@ -137,8 +137,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= -github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM= -github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v29.2.1+incompatible h1:n3Jt0QVCN65eiVBoUTZQM9mcQICCJt3akW4pKAbKdJg= +github.com/docker/cli v29.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM= @@ -165,8 +165,8 @@ github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwB github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU= github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 h1:KTd1TJym7dgV1L1XlxXeJNct7rJI3xTV+iuArq40wm0= github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo= -github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260113062649-004b9ec70a46 h1:Uy4mh3OJl7dCpO0feVB887innhX51w9Utpe5X9SYW4w= -github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260113062649-004b9ec70a46/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A= +github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260127060829-c81ce9094f67 h1:f+FSOiNs8l/l9kv3Ew04Qowrds1gIrvkNdVnXHfg5yo= +github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260127060829-c81ce9094f67/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A= github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 h1:8tBwE+GI3IWMywGVrJjc2grm7SCpPMydVu+HiBYb4+E= github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989/go.mod h1:buWyXJdrI6ayYbeGm3upu3Qf/qHHrdWfUHKnVrTD+vM= github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4= @@ -318,8 +318,8 @@ github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0 h1:FbSCl+KggFl+Ocym490i/E github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0/go.mod h1:qOchhhIlmRcqk/O9uCo/puJlyo07YINaIqdZfZG3Jkc= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 h1:X+2YciYSxvMQK0UZ7sg45ZVabVZBeBuvMkmuI2V3Fak= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7/go.mod h1:lW34nIZuQ8UDPdkon5fmfp2l3+ZkQ2me/+oecHYLOII= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -643,42 +643,42 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.6 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= -go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= -go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms= +go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 h1:nKP4Z2ejtHn3yShBb+2KawiXgpn8In5cT7aO2wXuOTE= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0/go.mod h1:NwjeBbNigsO4Aj9WgM0C+cKIrxsZUaRmZUO7A8I7u8o= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 h1:NOyNnS19BF2SUDApbOKbDtWZ0IK7b8FJ2uAGdIWOGb0= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0/go.mod h1:VL6EgVikRLcJa9ftukrHu/ZkkhFBSo1lzvdBC9CF1ss= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 h1:9y5sHvAxWzft1WQ4BwqcvA+IFVUJ1Ya75mSAUnFEVwE= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0/go.mod h1:eQqT90eR3X5Dbs1g9YSM30RavwLF725Ris5/XSXWvqE= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= -go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0= -go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg= +go.opentelemetry.io/otel/exporters/prometheus v0.62.0 h1:krvC4JMfIOVdEuNPTtQ0ZjCiXrybhv+uOHMfHRmnvVo= +go.opentelemetry.io/otel/exporters/prometheus v0.62.0/go.mod h1:fgOE6FM/swEnsVQCqCnbOfRV4tOnWPg7bVeo4izBuhQ= go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU= go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 h1:5gn2urDL/FBnK8OkCfD1j3/ER79rUuTYmCvlXBKeYL8= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0/go.mod h1:0fBG6ZJxhqByfFZDwSwpZGzJU671HkwpWaNe2t4VUPI= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 h1:ZrPRak/kS4xI3AVXy8F7pipuDXmDsrO8Lg+yQjBLjw0= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0/go.mod h1:3y6kQCWztq6hyW8Z9YxQDDm0Je9AJoFar2G0yDcmhRk= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s= go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk= go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8= -go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= -go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= -go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= -go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g= +go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc= +go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8= +go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE= go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs= go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo= -go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= -go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= -go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= -go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw= +go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg= +go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw= +go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA= go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= go.podman.io/image/v5 v5.38.0 h1:aUKrCANkPvze1bnhLJsaubcfz0d9v/bSDLnwsXJm6G4= @@ -767,10 +767,10 @@ gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0 gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= +google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= google.golang.org/grpc/security/advancedtls v1.0.0 h1:/KQ7VP/1bs53/aopk9QhuPyFAp9Dm9Ejix3lzYkCrDA= @@ -836,10 +836,10 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUo sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE= sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= -sigs.k8s.io/gateway-api v1.3.1-0.20260205205831-a8c4b5edbcde h1:ru5uqLzzkgfmyWiJKXguUioStN4/GZq97eoGWswGITA= -sigs.k8s.io/gateway-api v1.3.1-0.20260205205831-a8c4b5edbcde/go.mod h1:GpMCTueMQOF6+p7aEvFMdQK97F0kG35whYyziGj5Lrg= -sigs.k8s.io/gateway-api/conformance v0.0.0-20260205205831-a8c4b5edbcde h1:C1XGGRkQCbmAtD2EGM6vYKMpN6pJFPIUqwl9h/mmpwg= -sigs.k8s.io/gateway-api/conformance v0.0.0-20260205205831-a8c4b5edbcde/go.mod h1:y0mg+INX3KFShJpbtmlieVVG+taRrxk5ZxEwUzTTbRM= +sigs.k8s.io/gateway-api v1.5.0-rc.1 h1:AS+IYP7NdTqDYmWlVl2J9+EcpQ8QyGsRu4kusr2W0vs= +sigs.k8s.io/gateway-api v1.5.0-rc.1/go.mod h1:GpMCTueMQOF6+p7aEvFMdQK97F0kG35whYyziGj5Lrg= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260213022600-e0bee71fc23d h1:p/AtJ/CQVQ24JCx9vDqEkXidf/pBDsDH2uvyPYl/A3Y= +sigs.k8s.io/gateway-api/conformance v0.0.0-20260213022600-e0bee71fc23d/go.mod h1:y0mg+INX3KFShJpbtmlieVVG+taRrxk5ZxEwUzTTbRM= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kubectl-validate v0.0.5-0.20250915070809-d2f2d68fba09 h1:JQbPOwLjSztom+aSDQIi6UZq8V0Gbv7BjAlYQSgycCI= diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml index 7f4a99e895..56baeccacd 100644 --- a/test/helm/gateway-crds-helm/all.out.yaml +++ b/test/helm/gateway-crds-helm/all.out.yaml @@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -83,8 +83,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -105,9 +103,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -119,9 +117,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -360,8 +377,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -371,9 +388,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -752,8 +777,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -774,9 +797,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -788,9 +811,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. - Support: Implementation-specific for any other resource + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1029,8 +1071,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -1040,9 +1082,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1381,7 +1431,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1901,7 +1951,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: @@ -2036,14 +2086,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -2056,7 +2106,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -2605,7 +2655,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2816,6 +2866,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -2845,19 +2898,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -2924,27 +2988,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3067,27 +3153,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3261,6 +3369,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3365,8 +3487,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -3445,7 +3570,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -3479,7 +3604,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3613,14 +3737,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -3633,7 +3757,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -4182,7 +4306,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -4393,6 +4517,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -4422,19 +4549,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -4501,27 +4639,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4644,27 +4804,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4838,6 +5020,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -4942,8 +5138,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -5022,7 +5221,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -5056,7 +5255,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -5087,7 +5285,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5629,293 +5827,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. + Value is the value of HTTP Header to be matched. - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5987,10 +5906,305 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6281,10 +6495,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6355,10 +6573,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6562,10 +6784,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6636,10 +6862,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6790,8 +7020,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -6978,7 +7208,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -6994,6 +7224,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' type: object maxItems: 16 type: array @@ -7085,7 +7317,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -7337,7 +7569,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -7817,7 +8049,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -7836,18 +8068,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -7871,6 +8106,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -7879,7 +8118,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -7899,18 +8138,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -7977,10 +8219,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -8028,14 +8279,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -8071,6 +8326,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -8249,6 +8507,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8287,6 +8546,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8298,6 +8558,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8402,446 +8663,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Value is the value of HTTP Header to be matched. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8913,10 +8742,461 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9060,6 +9340,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -9103,11 +9388,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -9297,7 +9577,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -9316,18 +9596,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -9351,6 +9634,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -9359,7 +9646,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -9379,18 +9666,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -9457,10 +9747,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -9508,14 +9807,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -9551,6 +9854,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -9729,6 +10035,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9767,6 +10074,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -9778,6 +10086,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9879,10 +10188,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9953,10 +10266,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10267,6 +10584,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10313,10 +10633,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10387,10 +10711,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10534,6 +10862,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -10574,11 +10907,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -10724,10 +11052,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10936,7 +11268,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -10979,7 +11311,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -11070,7 +11402,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -11086,6 +11418,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -11190,6 +11524,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11273,7 +11608,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11975,7 +12310,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -11994,18 +12329,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -12029,6 +12367,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -12037,7 +12379,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -12057,18 +12399,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -12135,10 +12480,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -12186,14 +12540,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -12229,6 +12587,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -12407,6 +12768,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12445,6 +12807,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12456,6 +12819,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12560,446 +12924,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + Value is the value of HTTP Header to be matched. - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13071,10 +13003,461 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + maxLength: 4096 + minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13218,6 +13601,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -13261,11 +13649,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -13455,7 +13838,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -13474,18 +13857,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -13509,6 +13895,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -13517,7 +13907,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -13537,18 +13927,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -13615,10 +14008,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -13666,14 +14068,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -13709,6 +14115,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -13887,6 +14296,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13925,6 +14335,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -13936,6 +14347,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14037,10 +14449,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14111,10 +14527,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14425,6 +14845,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14471,10 +14894,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14545,10 +14972,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14692,6 +15123,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -14732,11 +15168,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -14882,10 +15313,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15094,7 +15529,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -15137,7 +15572,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -15228,7 +15663,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -15244,6 +15679,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -15348,6 +15785,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -15431,7 +15869,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -15676,53 +16114,71 @@ status: --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml # -# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- @@ -15742,669 +16198,597 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. - Support: Core + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. + + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: + + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". + + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` + + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. + + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. properties: - group: + allowedRoutes: + default: + namespaces: + from: Same description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: - When used to permit a SecretObjectReference: + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. - * Gateway + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. - When used to permit a BackendObjectReference: + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. - Support: Core + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - kind: + name: description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 + Name is not required to be unique across a Gateway and ListenerSets. + Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName + maxLength: 253 minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - name: + port: description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - required: - - from - - to - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tcproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TCPRoute - listKind: TCPRouteList - plural: tcproutes - singular: tcproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - TCPRoute provides a way to route TCP requests. When combined with a Gateway - listener, it can be used to forward connections on the port specified by the - listener to a set of backends specified by the TCPRoute. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of TCPRoute. - properties: - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - There are two kinds of parent resources with "Core" support: + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. - This API may be extended in the future to support additional kinds of parent - resources. + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. - ParentRefs must be _distinct_. This means either that: + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - Some examples: + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: - This API may be extended in the future to support additional kinds of parent - resources. + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. - There are two kinds of parent resources with "Core" support: + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the ListenerSet. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. + Known condition types are: - Support: Core - maxLength: 253 - minLength: 1 + * "Accepted" + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - namespace: + message: description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - port: + observedGeneration: description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 type: integer - sectionName: + reason: description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - name + - lastTransitionTime + - message + - reason + - status + - type type: object - maxItems: 32 + maxItems: 8 type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of TCP matchers and actions. + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. items: - description: TCPRouteRule is the configuration for a given rule. + description: ListenerStatus is the status associated with a Listener. properties: - backendRefs: + attachedRoutes: description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Connection rejections must - respect weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. - Support: Implementation-specific for any other resource + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. - Support for weight: Extended + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. items: - description: |- - BackendRef defines how a Route should forward a request to a Kubernetes - resource. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. - - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. - - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. - - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - - Note that when the BackendTLSPolicy object is enabled by the implementation, - there are some extra rules about validity to consider here. See the fields - where this struct is used for more information about the exact behavior. + description: Condition contains details for one aspect of + the current state of this API Resource. properties: - group: - default: "" + lastTransitionTime: description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - kind: - default: Service + message: description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - backendRefs - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - useDefaultGateways: - description: |- - UseDefaultGateways indicates the default Gateway scope to use for this - Route. If unset (the default) or set to None, the Route will not be - attached to any default Gateway; if set, it will be attached to any - default Gateway supporting the named scope, subject to the usual rules - about which Routes a Gateway is allowed to claim. - - Think carefully before using this functionality! The set of default - Gateways supporting the requested scope can change over time without - any notice to the Route author, and in many situations it will not be - appropriate to request a default Gateway for a given Route -- for - example, a Route with specific security requirements should almost - certainly not use a default Gateway. - enum: - - All - - None - type: string - required: - - rules - type: object - status: - description: Status defines the current state of TCPRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. - - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. - - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: - - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date @@ -16444,177 +16828,60 @@ spec: - type type: object maxItems: 8 - minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. + name: + description: Name is the name of the Listener that this status + corresponds to. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - parentRef: + supportedKinds: description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic required: + - attachedRoutes - conditions - - controllerName - - parentRef + - name type: object - maxItems: 32 + maxItems: 64 type: array - x-kubernetes-list-type: atomic - required: - - parents + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object required: - spec @@ -16632,41 +16899,53 @@ status: --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml # -# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: tlsroutes.gateway.networking.k8s.io + name: referencegrants.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: TLSRoute - listKind: TLSRouteList - plural: tlsroutes - singular: tlsroute + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1 schema: openAPIV3Schema: description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. - If you need to forward traffic to a single target for a TLS listener, you - could choose to use a TCPRoute with a TLS listener. + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. properties: apiVersion: description: |- @@ -16686,86 +16965,371 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of TLSRoute. + description: Spec defines the desired state of ReferenceGrant. properties: - hostnames: + from: description: |- - Hostnames defines a set of SNI names that should match against the - SNI attribute of TLS ClientHello message in TLS handshake. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed in SNI names per RFC 6066. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. + When used to permit a SecretObjectReference: - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + * Gateway - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + When used to permit a BackendObjectReference: - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic - parentRefs: + to: description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. - This API may be extended in the future to support additional kinds of parent - resources. + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. ParentRefs must be _distinct_. This means either that: @@ -16983,21 +17547,18 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: Rules are a list of TCP matchers and actions. items: - description: TLSRouteRule is the configuration for a given rule. + description: TCPRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or - a Service with no endpoints), the rule performs no forwarding; if no - filters are specified that would result in a response being sent, the - underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. Support: Core for Kubernetes Service @@ -17169,7 +17730,7 @@ spec: - rules type: object status: - description: Status defines the current state of TLSRoute. + description: Status defines the current state of TCPRoute. properties: parents: description: |- @@ -17212,7 +17773,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -17445,14 +18006,44 @@ spec: - spec type: object served: true - storage: false + storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: description: |- @@ -17492,32 +18083,6 @@ spec: 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have specified at least one of `test.example.com` or - `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have specified at least one hostname that matches the Listener - hostname. For example, `test.example.com` and `*.example.com` would both - match. On the other hand, `example.com` and `test.example.net` would not - match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches @@ -17542,6 +18107,17 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -17924,10 +18500,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17939,10 +18513,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) useDefaultGateways: description: |- UseDefaultGateways indicates the default Gateway scope to use for this @@ -18009,7 +18579,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -18245,47 +18815,20 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: udproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: UDPRoute - listKind: UDPRouteList - plural: udproutes - singular: udproute - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. name: v1alpha2 schema: openAPIV3Schema: description: |- - UDPRoute provides a way to route UDP traffic. When combined with a Gateway - listener, it can be used to forward traffic on the port specified by the - listener to a set of backends specified by the UDPRoute. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. properties: apiVersion: description: |- @@ -18305,8 +18848,66 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of UDPRoute. + description: Spec defines the desired state of TLSRoute. properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -18544,18 +19145,21 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: Rules are a list of TLS matchers and actions. items: - description: UDPRouteRule is the configuration for a given rule. + description: TLSRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Packet drops must - respect weight; if an invalid backend is requested to have 80% of - the packets, then 80% of packets must be dropped instead. + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. Support: Core for Kubernetes Service @@ -18686,10 +19290,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18727,7 +19329,7 @@ spec: - rules type: object status: - description: Status defines the current state of UDPRoute. + description: Status defines the current state of TLSRoute. properties: parents: description: |- @@ -18770,7 +19372,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -19003,53 +19605,26 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - labels: - gateway.networking.k8s.io/policy: Direct - name: xbackendtrafficpolicies.gateway.networking.x-k8s.io -spec: - group: gateway.networking.x-k8s.io - names: - categories: - - gateway-api - kind: XBackendTrafficPolicy - listKind: XBackendTrafficPolicyList - plural: xbackendtrafficpolicies - shortNames: - - xbtrafficpolicy - singular: xbackendtrafficpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 schema: openAPIV3Schema: description: |- - XBackendTrafficPolicy defines the configuration for how traffic to a - target backend should be handled. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. properties: apiVersion: description: |- @@ -19069,320 +19644,598 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of BackendTrafficPolicy. + description: Spec defines the desired state of TLSRoute. properties: - retryConstraint: + hostnames: description: |- - RetryConstraint defines the configuration for when to allow or prevent - further retries to a target backend, by dynamically calculating a 'retry - budget'. This budget is calculated based on the percentage of incoming - traffic composed of retries over a given time interval. Once the budget - is exceeded, additional retries will be rejected. - - For example, if the retry budget interval is 10 seconds, there have been - 1000 active requests in the past 10 seconds, and the allowed percentage - of requests that can be retried is 20% (the default), then 200 of those - requests may be composed of retries. Active requests will only be - considered for the duration of the interval when calculating the retry - budget. Retrying the same original request multiple times within the - retry budget interval will lead to each retry being counted towards - calculating the budget. - - Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - HTTPRoute Retry settings for each HTTPRouteRule that targets the same - backend. While the HTTPRouteRule Retry stanza can specify whether a - request will be retried, and the number of retry attempts each client - may perform, RetryConstraint helps prevent cascading failures such as - retry storms during periods of consistent failures. - - After the retry budget has been exceeded, additional retries to the - backend MUST return a 503 response to the client. - - Additional configurations for defining a constraint on retries MAY be - defined in the future. - - Support: Extended - properties: - budget: - default: - interval: 10s - percent: 20 - description: Budget holds the details of the retry budget configuration. - properties: - interval: - default: 10s - description: |- - Interval defines the duration in which requests will be considered - for calculating the budget for retries. - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour or less - than one second - rule: '!(duration(self) < duration(''1s'') || duration(self) - > duration(''1h''))' - percent: - default: 20 - description: |- - Percent defines the maximum percentage of active requests that may - be made up of retries. - - Support: Extended - maximum: 100 - minimum: 0 - type: integer - type: object - minRetryRate: - default: - count: 10 - interval: 1s - description: |- - MinRetryRate defines the minimum rate of retries that will be allowable - over a specified duration of time. - - The effective overall minimum rate of retries targeting the backend - service may be much higher, as there can be any number of clients which - are applying this setting locally. + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - This ensures that requests can still be retried during periods of low - traffic, where the budget for retries may be calculated as a very low - value. + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Support: Extended - properties: - count: - description: |- - Count specifies the number of requests per time interval. + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. - Support: Extended - maximum: 1000000 - minimum: 1 - type: integer - interval: - description: |- - Interval specifies the divisor of the rate of requests, the amount of - time during which the given count of requests occur. + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour - rule: '!(duration(self) == duration(''0s'') || duration(self) - > duration(''1h''))' - type: object - type: object - sessionPersistence: + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: description: |- - SessionPersistence defines and configures session persistence - for the backend. - - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. + There are two kinds of parent resources with "Core" support: - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + This API may be extended in the future to support additional kinds of parent + resources. - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. + ParentRefs must be _distinct_. This means either that: - Defaults to "Session". + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. - Support: Core for "Session" type + Some examples: - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. - Support: Core for "Cookie" type - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - targetRefs: - description: |- - TargetRefs identifies API object(s) to apply this policy to. - Currently, Backends (A grouping of like endpoints such as Service, - ServiceImport, or any implementation-specific backendRef) are the only - valid API target references. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Currently, a TargetRef can not be scoped to a specific port on a - Service. + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. items: description: |- - LocalPolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. properties: group: - description: Group is the group of the target resource. + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - description: Kind is kind of the target resource. + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: - description: Name is the name of the target resource. + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - - group - - kind - name type: object - maxItems: 16 + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 minItems: 1 type: array - x-kubernetes-list-map-keys: - - group - - kind - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string required: - - targetRefs + - hostnames + - rules type: object status: - description: Status defines the current state of BackendTrafficPolicy. + description: Status defines the current state of TLSRoute. properties: - ancestors: + parents: description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. - - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. - - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. items: description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. + Example: "example.net/gateway-controller". - This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. - properties: - ancestorRef: + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. properties: group: default: gateway.networking.k8s.io @@ -19516,105 +20369,22 @@ spec: required: - name type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string required: - - ancestorRef - conditions - controllerName + - parentRef type: object - maxItems: 16 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - ancestors + - parents type: object required: - spec type: object served: true - storage: true + storage: false subresources: status: {} status: @@ -19626,70 +20396,38 @@ status: --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml # -# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml +# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: xlistenersets.gateway.networking.x-k8s.io + name: udproutes.gateway.networking.k8s.io spec: - group: gateway.networking.x-k8s.io + group: gateway.networking.k8s.io names: categories: - gateway-api - kind: XListenerSet - listKind: XListenerSetList - plural: xlistenersets - shortNames: - - lset - singular: xlistenerset + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v1alpha2 schema: openAPIV3Schema: description: |- - XListenerSet defines a set of additional listeners to attach to an existing Gateway. - This resource provides a mechanism to merge multiple listeners into a single Gateway. - - The parent Gateway must explicitly allow ListenerSet attachment through its - AllowedListeners configuration. By default, Gateways do not allow ListenerSet - attachment. - - Routes can attach to a ListenerSet by specifying it as a parentRef, and can - optionally target specific listeners using the sectionName field. - - Policy Attachment: - - Policies that attach to a ListenerSet apply to all listeners defined in that resource - - Policies do not impact listeners in the parent Gateway - - Different ListenerSets attached to the same Gateway can have different policies - - If an implementation cannot apply a policy to specific listeners, it should reject the policy - - ReferenceGrant Semantics: - - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - - Gateway Integration: - - The parent Gateway's status will include an "AttachedListenerSets" condition - - This condition will be: - - True: when AllowedListeners is set and at least one child ListenerSet is attached - - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - - Unknown: when no AllowedListeners config is present + UDPRoute provides a way to route UDP traffic. When combined with a Gateway + listener, it can be used to forward traffic on the port specified by the + listener to a set of backends specified by the UDPRoute. properties: apiVersion: description: |- @@ -19709,579 +20447,1222 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ListenerSet. + description: Spec defines the desired state of UDPRoute. properties: - listeners: + parentRefs: description: |- - Listeners associated with this ListenerSet. Listeners define - logical endpoints that are bound on this referenced parent Gateway's addresses. + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. - Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - as a list when programming the underlying infrastructure. Each listener - name does not need to be unique across the Gateway and ListenerSets. - See ListenerEntry.Name for more details. + There are two kinds of parent resources with "Core" support: - Implementations MUST treat the parent Gateway as having the merged - list of all listeners from itself and attached ListenerSets using - the following precedence: + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - 1. "parent" Gateway - 2. ListenerSet ordered by creation time (oldest first) - 3. ListenerSet ordered alphabetically by "{namespace}/{name}". + This API may be extended in the future to support additional kinds of parent + resources. - An implementation MAY reject listeners by setting the ListenerEntryStatus - `Accepted` condition to False with the Reason `TooManyListeners` + ParentRefs must be _distinct_. This means either that: - If a listener has a conflict, this will be reported in the - Status.ListenerEntryStatus setting the `Conflicted` condition to True. + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. - Implementations SHOULD be cautious about what information from the - parent or siblings are reported to avoid accidentally leaking - sensitive information that the child would not otherwise have access - to. This can include contents of secrets etc. - items: - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. + Some examples: - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. - * The most specific match as defined by the Route type. - * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. - If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. - * Same: Only Routes in the same namespace may be used by this Gateway. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". + This API may be extended in the future to support additional kinds of parent + resources. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - protocol layers as described above. If an implementation does not - ensure that both the SNI and Host header match the Listener hostname, - it MUST clearly document that. + There are two kinds of parent resources with "Core" support: - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - maxLength: 253 + Support for other resources is Implementation-Specific. + maxLength: 63 minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: |- - Name is the name of the Listener. This name MUST be unique within a - ListenerSet. + Name is the name of the referent. - Name is not required to be unique across a Gateway and ListenerSets. - Routes can attach to a Listener by having a ListenerSet as a parentRef - and setting the SectionName + Support: Core maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - port: - default: 0 + namespace: description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - If the port is not set or specified as zero, the implementation will assign - a unique port. If the implementation does not support dynamic port - assignment, it MUST set `Accepted` condition to `False` with the - `UnsupportedPort` reason. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - protocol: - description: Protocol specifies the network protocol this listener - expects to receive. - maxLength: 255 + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string - tls: + port: description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. - A single CertificateRef to a Kubernetes Secret has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Packet drops must + respect weight; if an invalid backend is requested to have 80% of + the packets, then 80% of packets must be dropped instead. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. Support: Core - enum: - - Terminate - - Passthrough + maxLength: 253 + minLength: 1 type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string + namespace: description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Implementation-specific - maxProperties: 16 - type: object + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' required: - - name - - protocol + - conditions + - controllerName + - parentRef type: object - maxItems: 64 - minItems: 1 + maxItems: 32 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) - && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) - && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) - && !has(l2.hostname))))' - parentRef: - description: ParentRef references the Gateway that the listeners are - attached to. + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + labels: + gateway.networking.k8s.io/policy: Direct + name: xbackendtrafficpolicies.gateway.networking.x-k8s.io +spec: + group: gateway.networking.x-k8s.io + names: + categories: + - gateway-api + kind: XBackendTrafficPolicy + listKind: XBackendTrafficPolicyList + plural: xbackendtrafficpolicies + shortNames: + - xbtrafficpolicy + singular: xbackendtrafficpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + XBackendTrafficPolicy defines the configuration for how traffic to a + target backend should be handled. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTrafficPolicy. + properties: + retryConstraint: + description: |- + RetryConstraint defines the configuration for when to allow or prevent + further retries to a target backend, by dynamically calculating a 'retry + budget'. This budget is calculated based on the percentage of incoming + traffic composed of retries over a given time interval. Once the budget + is exceeded, additional retries will be rejected. + + For example, if the retry budget interval is 10 seconds, there have been + 1000 active requests in the past 10 seconds, and the allowed percentage + of requests that can be retried is 20% (the default), then 200 of those + requests may be composed of retries. Active requests will only be + considered for the duration of the interval when calculating the retry + budget. Retrying the same original request multiple times within the + retry budget interval will lead to each retry being counted towards + calculating the budget. + + Configuring a RetryConstraint in BackendTrafficPolicy is compatible with + HTTPRoute Retry settings for each HTTPRouteRule that targets the same + backend. While the HTTPRouteRule Retry stanza can specify whether a + request will be retried, and the number of retry attempts each client + may perform, RetryConstraint helps prevent cascading failures such as + retry storms during periods of consistent failures. + + After the retry budget has been exceeded, additional retries to the + backend MUST return a 503 response to the client. + + Additional configurations for defining a constraint on retries MAY be + defined in the future. + + Support: Extended properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + budget: + default: + interval: 10s + percent: 20 + description: Budget holds the details of the retry budget configuration. + properties: + interval: + default: 10s + description: |- + Interval defines the duration in which requests will be considered + for calculating the budget for retries. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour or less + than one second + rule: '!(duration(self) < duration(''1s'') || duration(self) + > duration(''1h''))' + percent: + default: 20 + description: |- + Percent defines the maximum percentage of active requests that may + be made up of retries. + + Support: Extended + maximum: 100 + minimum: 0 + type: integer + type: object + minRetryRate: + default: + count: 10 + interval: 1s + description: |- + MinRetryRate defines the minimum rate of retries that will be allowable + over a specified duration of time. + + The effective overall minimum rate of retries targeting the backend + service may be much higher, as there can be any number of clients which + are applying this setting locally. + + This ensures that requests can still be retried during periods of low + traffic, where the budget for retries may be calculated as a very low + value. + + Support: Extended + properties: + count: + description: |- + Count specifies the number of requests per time interval. + + Support: Extended + maximum: 1000000 + minimum: 1 + type: integer + interval: + description: |- + Interval specifies the divisor of the rate of requests, the amount of + time during which the given count of requests occur. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour + rule: '!(duration(self) == duration(''0s'') || duration(self) + > duration(''1h''))' + type: object + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the backend. + + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string - kind: - default: Gateway - description: Kind is kind of the referent. For example "Gateway". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. + + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. + + Defaults to "Session". + + Support: Core for "Session" type + + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. + + Support: Implementation-specific + maxLength: 128 type: string - namespace: + type: + default: Cookie description: |- - Namespace is the namespace of the referent. If not present, - the namespace of the referent is assumed to be the same as - the namespace of the referring object. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + Type defines the type of session persistence such as through + the use of a header or cookie. Defaults to cookie based session + persistence. + + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header type: string - required: - - name type: object - required: - - listeners - - parentRef - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of ListenerSet. - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' + targetRefs: description: |- - Conditions describe the current conditions of the ListenerSet. - - Implementations MUST express ListenerSet conditions using the - `ListenerSetConditionType` and `ListenerSetConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe ListenerSet state. - - Known condition types are: + TargetRefs identifies API object(s) to apply this policy to. + Currently, Backends (A grouping of like endpoints such as Service, + ServiceImport, or any implementation-specific backendRef) are the only + valid API target references. - * "Accepted" - * "Programmed" + Currently, a TargetRef cannot be scoped to a specific port on a + Service. items: - description: Condition contains details for one aspect of the current - state of this API Resource. + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 + kind: + description: Kind is kind of the target resource. + maxLength: 63 minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - group + - kind + - name type: object - maxItems: 8 + maxItems: 16 + minItems: 1 type: array x-kubernetes-list-map-keys: - - type + - group + - kind + - name x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. + required: + - targetRefs + type: object + status: + description: Status defines the current state of BackendTrafficPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. items: - description: ListenerStatus is the status associated with a Listener. + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. properties: - attachedRoutes: + ancestorRef: description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object conditions: - description: Conditions describe the current condition of this - listener. + description: Conditions describes the status of the Policy with + respect to the given Ancestor. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -20338,69 +21719,40 @@ spec: - type type: object maxItems: 8 + minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - port: - description: Port is the network port the listener is configured - to listen on. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic required: - - attachedRoutes + - ancestorRef - conditions - - name - - port - - supportedKinds + - controllerName type: object - maxItems: 64 + maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + required: + - ancestors type: object required: - spec @@ -20425,7 +21777,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: @@ -21040,8 +22392,9 @@ spec: If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string type: object x-kubernetes-validations: @@ -23194,8 +24547,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -23268,8 +24627,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24407,8 +25772,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24459,8 +25830,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24566,8 +25943,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24628,8 +26011,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24680,8 +26069,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24787,8 +26182,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -42320,8 +43721,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -43726,8 +45133,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -45070,8 +46483,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -45685,8 +47104,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -45759,8 +47184,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -52264,7 +53695,7 @@ spec: status: {} --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# Copyright 2025 The Kubernetes Authors. +# Copyright 2026 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -52281,3 +53712,53 @@ spec: # # Gateway API Experimental channel install # +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." + reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml index 93e3dfefaa..6f8117798e 100644 --- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml +++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml @@ -370,8 +370,9 @@ spec: If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string type: object x-kubernetes-validations: @@ -2524,8 +2525,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -2598,8 +2605,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -3737,8 +3750,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -3789,8 +3808,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -3896,8 +3921,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -3958,8 +3989,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -4010,8 +4047,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -4117,8 +4160,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -21650,8 +21699,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -23056,8 +23111,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -24400,8 +24461,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -25015,8 +25082,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -25089,8 +25162,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be - matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string diff --git a/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml index 76654b403d..c4ca6a85ab 100644 --- a/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml +++ b/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml @@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -83,8 +83,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -105,9 +103,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -119,9 +117,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -360,8 +377,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -371,9 +388,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -752,8 +777,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -774,9 +797,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -788,9 +811,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. - Support: Implementation-specific for any other resource + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1029,8 +1071,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -1040,9 +1082,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1381,7 +1431,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1901,7 +1951,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: @@ -2036,14 +2086,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -2056,7 +2106,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -2605,7 +2655,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2816,6 +2866,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -2845,19 +2898,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -2924,27 +2988,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3067,27 +3153,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3261,6 +3369,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3365,8 +3487,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -3445,7 +3570,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -3479,7 +3604,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3613,14 +3737,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -3633,7 +3757,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -4182,7 +4306,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -4393,6 +4517,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -4422,19 +4549,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -4501,27 +4639,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4644,27 +4804,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4838,6 +5020,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -4942,8 +5138,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -5022,7 +5221,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -5056,7 +5255,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -5087,7 +5285,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5629,10 +5827,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5704,10 +5906,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5912,10 +6118,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5987,10 +6197,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6281,10 +6495,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6355,10 +6573,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6562,10 +6784,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6636,10 +6862,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6790,8 +7020,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -6978,7 +7208,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -6994,6 +7224,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' type: object maxItems: 16 type: array @@ -7085,7 +7317,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -7337,7 +7569,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -7817,7 +8049,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -7836,18 +8068,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -7871,6 +8106,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -7879,7 +8118,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -7899,18 +8138,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -7977,10 +8219,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -8028,14 +8279,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -8071,6 +8326,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -8249,6 +8507,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8287,6 +8546,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8298,6 +8558,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8402,10 +8663,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8477,10 +8742,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8791,6 +9060,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8838,10 +9110,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8913,10 +9189,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9060,6 +9340,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -9103,11 +9388,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -9297,7 +9577,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -9316,18 +9596,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -9351,6 +9634,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -9359,7 +9646,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -9379,18 +9666,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -9457,10 +9747,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -9508,14 +9807,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -9551,6 +9854,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -9729,6 +10035,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9767,6 +10074,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -9778,6 +10086,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9879,10 +10188,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9953,10 +10266,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10267,6 +10584,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10313,10 +10633,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10387,10 +10711,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10534,6 +10862,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -10574,11 +10907,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -10724,10 +11052,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10936,7 +11268,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -10979,7 +11311,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -11070,7 +11402,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -11086,6 +11418,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -11190,6 +11524,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11273,7 +11608,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11975,7 +12310,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -11994,18 +12329,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -12029,6 +12367,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -12037,7 +12379,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -12057,18 +12399,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -12135,10 +12480,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -12186,14 +12540,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -12229,6 +12587,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -12407,6 +12768,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12445,6 +12807,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12456,6 +12819,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12560,10 +12924,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12635,10 +13003,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12949,6 +13321,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -12996,10 +13371,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13071,10 +13450,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13218,6 +13601,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -13261,11 +13649,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -13455,7 +13838,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -13474,18 +13857,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -13509,6 +13895,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -13517,7 +13907,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -13537,18 +13927,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -13615,10 +14008,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -13666,14 +14068,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -13709,6 +14115,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -13887,6 +14296,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13925,6 +14335,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -13936,6 +14347,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14037,10 +14449,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14111,10 +14527,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14425,6 +14845,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14471,10 +14894,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14545,10 +14972,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14692,6 +15123,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -14732,11 +15168,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -14882,10 +15313,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15094,7 +15529,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -15137,7 +15572,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -15228,7 +15663,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -15244,6 +15679,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -15348,6 +15785,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -15431,7 +15869,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -15676,53 +16114,71 @@ status: --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml # -# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- @@ -15742,931 +16198,917 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: - When used to permit a SecretObjectReference: + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * Gateway + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` - When used to permit a BackendObjectReference: + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same description: |- - Namespace is the namespace of the referent. + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. - Support: Core + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - kind: + name: description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 + Name is not required to be unique across a Gateway and ListenerSets. + Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName + maxLength: 253 minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - name: + port: description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - required: - - from - - to - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tcproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TCPRoute - listKind: TCPRouteList - plural: tcproutes - singular: tcproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - TCPRoute provides a way to route TCP requests. When combined with a Gateway - listener, it can be used to forward connections on the port specified by the - listener to a set of backends specified by the TCPRoute. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of TCPRoute. - properties: - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". - There are two kinds of parent resources with "Core" support: + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. - This API may be extended in the future to support additional kinds of parent - resources. + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. - ParentRefs must be _distinct_. This means either that: + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. - Some examples: + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. - This API may be extended in the future to support additional kinds of parent - resources. + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the ListenerSet. - There are two kinds of parent resources with "Core" support: + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Known condition types are: - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + * "Accepted" + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - name: + message: description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - namespace: + observedGeneration: description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string - port: + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. - Support: Extended + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. format: int32 - maximum: 65535 - minimum: 1 type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of TCP matchers and actions. - items: - description: TCPRouteRule is the configuration for a given rule. - properties: - backendRefs: + supportedKinds: description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Connection rejections must - respect weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport - - Support: Implementation-specific for any other resource + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. - Support for weight: Extended + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. items: - description: |- - BackendRef defines how a Route should forward a request to a Kubernetes - resource. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. - - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. - - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. - - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - - Note that when the BackendTLSPolicy object is enabled by the implementation, - there are some extra rules about validity to consider here. See the fields - where this struct is used for more information about the exact behavior. + description: RouteGroupKind indicates the group and kind of + a Route resource. properties: group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. + default: gateway.networking.k8s.io + description: Group is the group of the Route. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) + description: Kind is the kind of the Route. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer required: - - name + - kind type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - minItems: 1 + maxItems: 8 type: array x-kubernetes-list-type: atomic - name: + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Support: Extended + Support: Core maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - - backendRefs + - group + - kind + - namespace type: object maxItems: 16 minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - useDefaultGateways: - description: |- - UseDefaultGateways indicates the default Gateway scope to use for this - Route. If unset (the default) or set to None, the Route will not be - attached to any default Gateway; if set, it will be attached to any - default Gateway supporting the named scope, subject to the usual rules - about which Routes a Gateway is allowed to claim. - - Think carefully before using this functionality! The set of default - Gateways supporting the requested scope can change over time without - any notice to the Route author, and in many situations it will not be - appropriate to request a default Gateway for a given Route -- for - example, a Route with specific security requirements should almost - certainly not use a default Gateway. - enum: - - All - - None - type: string - required: - - rules - type: object - status: - description: Status defines the current state of TCPRoute. - properties: - parents: + to: description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. + Support: Core items: description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. properties: - conditions: + group: description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object required: - - conditions - - controllerName - - parentRef + - group + - kind type: object - maxItems: 32 + maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic required: - - parents + - from + - to type: object - required: - - spec type: object served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tlsroutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TLSRoute - listKind: TLSRouteList - plural: tlsroutes - singular: tlsroute - scope: Namespaced - versions: + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1beta1 schema: openAPIV3Schema: description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. - If you need to forward traffic to a single target for a TLS listener, you - could choose to use a TCPRoute with a TLS listener. + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. properties: apiVersion: description: |- @@ -16686,66 +17128,188 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of TLSRoute. + description: Spec defines the desired state of ReferenceGrant. properties: - hostnames: + from: description: |- - Hostnames defines a set of SNI names that should match against the - SNI attribute of TLS ClientHello message in TLS handshake. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. - 1. IPs are not allowed in SNI names per RFC 6066. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. + When used to permit a SecretObjectReference: - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. + * Gateway - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. Support: Core items: description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -16983,21 +17547,18 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: Rules are a list of TCP matchers and actions. items: - description: TLSRouteRule is the configuration for a given rule. + description: TCPRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or - a Service with no endpoints), the rule performs no forwarding; if no - filters are specified that would result in a response being sent, the - underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. Support: Core for Kubernetes Service @@ -17169,7 +17730,7 @@ spec: - rules type: object status: - description: Status defines the current state of TLSRoute. + description: Status defines the current state of TCPRoute. properties: parents: description: |- @@ -17212,7 +17773,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -17445,22 +18006,52 @@ spec: - spec type: object served: true - storage: false + storage: true subresources: status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. - - If you need to forward traffic to a single target for a TLS listener, you +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener. properties: apiVersion: @@ -17492,32 +18083,6 @@ spec: 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have specified at least one of `test.example.com` or - `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have specified at least one hostname that matches the Listener - hostname. For example, `test.example.com` and `*.example.com` would both - match. On the other hand, `example.com` and `test.example.net` would not - match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches @@ -17542,6 +18107,17 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -17924,10 +18500,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17939,10 +18513,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) useDefaultGateways: description: |- UseDefaultGateways indicates the default Gateway scope to use for this @@ -18009,7 +18579,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -18245,47 +18815,20 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: udproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: UDPRoute - listKind: UDPRouteList - plural: udproutes - singular: udproute - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. name: v1alpha2 schema: openAPIV3Schema: description: |- - UDPRoute provides a way to route UDP traffic. When combined with a Gateway - listener, it can be used to forward traffic on the port specified by the - listener to a set of backends specified by the UDPRoute. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. properties: apiVersion: description: |- @@ -18305,8 +18848,66 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of UDPRoute. + description: Spec defines the desired state of TLSRoute. properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -18544,18 +19145,21 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: Rules are a list of TLS matchers and actions. items: - description: UDPRouteRule is the configuration for a given rule. + description: TLSRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Packet drops must - respect weight; if an invalid backend is requested to have 80% of - the packets, then 80% of packets must be dropped instead. + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. Support: Core for Kubernetes Service @@ -18686,10 +19290,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18727,7 +19329,7 @@ spec: - rules type: object status: - description: Status defines the current state of UDPRoute. + description: Status defines the current state of TLSRoute. properties: parents: description: |- @@ -18770,7 +19372,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -19003,53 +19605,26 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - labels: - gateway.networking.k8s.io/policy: Direct - name: xbackendtrafficpolicies.gateway.networking.x-k8s.io -spec: - group: gateway.networking.x-k8s.io - names: - categories: - - gateway-api - kind: XBackendTrafficPolicy - listKind: XBackendTrafficPolicyList - plural: xbackendtrafficpolicies - shortNames: - - xbtrafficpolicy - singular: xbackendtrafficpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 schema: openAPIV3Schema: description: |- - XBackendTrafficPolicy defines the configuration for how traffic to a - target backend should be handled. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. properties: apiVersion: description: |- @@ -19069,320 +19644,1359 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of BackendTrafficPolicy. + description: Spec defines the desired state of TLSRoute. properties: - retryConstraint: + hostnames: description: |- - RetryConstraint defines the configuration for when to allow or prevent - further retries to a target backend, by dynamically calculating a 'retry - budget'. This budget is calculated based on the percentage of incoming - traffic composed of retries over a given time interval. Once the budget - is exceeded, additional retries will be rejected. - - For example, if the retry budget interval is 10 seconds, there have been - 1000 active requests in the past 10 seconds, and the allowed percentage - of requests that can be retried is 20% (the default), then 200 of those - requests may be composed of retries. Active requests will only be - considered for the duration of the interval when calculating the retry - budget. Retrying the same original request multiple times within the - retry budget interval will lead to each retry being counted towards - calculating the budget. + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - HTTPRoute Retry settings for each HTTPRouteRule that targets the same - backend. While the HTTPRouteRule Retry stanza can specify whether a - request will be retried, and the number of retry attempts each client - may perform, RetryConstraint helps prevent cascading failures such as - retry storms during periods of consistent failures. + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + UDPRoute provides a way to route UDP traffic. When combined with a Gateway + listener, it can be used to forward traffic on the port specified by the + listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: - After the retry budget has been exceeded, additional retries to the - backend MUST return a 503 response to the client. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Additional configurations for defining a constraint on retries MAY be - defined in the future. + This API may be extended in the future to support additional kinds of parent + resources. - Support: Extended - properties: - budget: - default: - interval: 10s - percent: 20 - description: Budget holds the details of the retry budget configuration. - properties: - interval: - default: 10s - description: |- - Interval defines the duration in which requests will be considered - for calculating the budget for retries. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour or less - than one second - rule: '!(duration(self) < duration(''1s'') || duration(self) - > duration(''1h''))' - percent: - default: 20 - description: |- - Percent defines the maximum percentage of active requests that may - be made up of retries. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Support: Extended - maximum: 100 - minimum: 0 - type: integer - type: object - minRetryRate: - default: - count: 10 - interval: 1s - description: |- - MinRetryRate defines the minimum rate of retries that will be allowable - over a specified duration of time. + There are two kinds of parent resources with "Core" support: - The effective overall minimum rate of retries targeting the backend - service may be much higher, as there can be any number of clients which - are applying this setting locally. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - This ensures that requests can still be retried during periods of low - traffic, where the budget for retries may be calculated as a very low - value. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support: Extended - properties: - count: - description: |- - Count specifies the number of requests per time interval. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Support: Extended - maximum: 1000000 - minimum: 1 - type: integer - interval: - description: |- - Interval specifies the divisor of the rate of requests, the amount of - time during which the given count of requests occur. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour - rule: '!(duration(self) == duration(''0s'') || duration(self) - > duration(''1h''))' - type: object - type: object - sessionPersistence: - description: |- - SessionPersistence defines and configures session persistence - for the backend. - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Packet drops must + respect weight; if an invalid backend is requested to have 80% of + the packets, then 80% of packets must be dropped instead. + + Support: Core for Kubernetes Service - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. + Support: Extended for Kubernetes ServiceImport - Support: Core - properties: - lifetimeType: - default: Session + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + BackendRef defines how a Route should forward a request to a Kubernetes + resource. - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. - Defaults to "Session". + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. - Support: Core for "Session" type + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. - Support: Core for "Cookie" type + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - targetRefs: - description: |- - TargetRefs identifies API object(s) to apply this policy to. - Currently, Backends (A grouping of like endpoints such as Service, - ServiceImport, or any implementation-specific backendRef) are the only - valid API target references. + Defaults to "Service" when not specified. - Currently, a TargetRef can not be scoped to a specific port on a - Service. - items: - description: |- - LocalPolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic name: - description: Name is the name of the target resource. + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - - group - - kind - - name + - backendRefs type: object maxItems: 16 minItems: 1 type: array - x-kubernetes-list-map-keys: - - group - - kind - - name - x-kubernetes-list-type: map - required: - - targetRefs - type: object - status: - description: Status defines the current state of BackendTrafficPolicy. - properties: - ancestors: + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. - - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. items: description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. + Example: "example.net/gateway-controller". - This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. - properties: - ancestorRef: + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. properties: group: default: gateway.networking.k8s.io @@ -19516,99 +21130,16 @@ spec: required: - name type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string required: - - ancestorRef - conditions - controllerName + - parentRef type: object - maxItems: 16 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - ancestors + - parents type: object required: - spec @@ -19626,36 +21157,32 @@ status: --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml # -# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml +# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: xlistenersets.gateway.networking.x-k8s.io + labels: + gateway.networking.k8s.io/policy: Direct + name: xbackendtrafficpolicies.gateway.networking.x-k8s.io spec: group: gateway.networking.x-k8s.io names: categories: - gateway-api - kind: XListenerSet - listKind: XListenerSetList - plural: xlistenersets + kind: XBackendTrafficPolicy + listKind: XBackendTrafficPolicyList + plural: xbackendtrafficpolicies shortNames: - - lset - singular: xlistenerset + - xbtrafficpolicy + singular: xbackendtrafficpolicy scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -19663,33 +21190,8 @@ spec: schema: openAPIV3Schema: description: |- - XListenerSet defines a set of additional listeners to attach to an existing Gateway. - This resource provides a mechanism to merge multiple listeners into a single Gateway. - - The parent Gateway must explicitly allow ListenerSet attachment through its - AllowedListeners configuration. By default, Gateways do not allow ListenerSet - attachment. - - Routes can attach to a ListenerSet by specifying it as a parentRef, and can - optionally target specific listeners using the sectionName field. - - Policy Attachment: - - Policies that attach to a ListenerSet apply to all listeners defined in that resource - - Policies do not impact listeners in the parent Gateway - - Different ListenerSets attached to the same Gateway can have different policies - - If an implementation cannot apply a policy to specific listeners, it should reject the policy - - ReferenceGrant Semantics: - - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - - Gateway Integration: - - The parent Gateway's status will include an "AttachedListenerSets" condition - - This condition will be: - - True: when AllowedListeners is set and at least one child ListenerSet is attached - - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - - Unknown: when no AllowedListeners config is present + XBackendTrafficPolicy defines the configuration for how traffic to a + target backend should be handled. properties: apiVersion: description: |- @@ -19709,579 +21211,458 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ListenerSet. + description: Spec defines the desired state of BackendTrafficPolicy. properties: - listeners: + retryConstraint: description: |- - Listeners associated with this ListenerSet. Listeners define - logical endpoints that are bound on this referenced parent Gateway's addresses. + RetryConstraint defines the configuration for when to allow or prevent + further retries to a target backend, by dynamically calculating a 'retry + budget'. This budget is calculated based on the percentage of incoming + traffic composed of retries over a given time interval. Once the budget + is exceeded, additional retries will be rejected. - Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - as a list when programming the underlying infrastructure. Each listener - name does not need to be unique across the Gateway and ListenerSets. - See ListenerEntry.Name for more details. + For example, if the retry budget interval is 10 seconds, there have been + 1000 active requests in the past 10 seconds, and the allowed percentage + of requests that can be retried is 20% (the default), then 200 of those + requests may be composed of retries. Active requests will only be + considered for the duration of the interval when calculating the retry + budget. Retrying the same original request multiple times within the + retry budget interval will lead to each retry being counted towards + calculating the budget. - Implementations MUST treat the parent Gateway as having the merged - list of all listeners from itself and attached ListenerSets using - the following precedence: + Configuring a RetryConstraint in BackendTrafficPolicy is compatible with + HTTPRoute Retry settings for each HTTPRouteRule that targets the same + backend. While the HTTPRouteRule Retry stanza can specify whether a + request will be retried, and the number of retry attempts each client + may perform, RetryConstraint helps prevent cascading failures such as + retry storms during periods of consistent failures. - 1. "parent" Gateway - 2. ListenerSet ordered by creation time (oldest first) - 3. ListenerSet ordered alphabetically by "{namespace}/{name}". + After the retry budget has been exceeded, additional retries to the + backend MUST return a 503 response to the client. - An implementation MAY reject listeners by setting the ListenerEntryStatus - `Accepted` condition to False with the Reason `TooManyListeners` + Additional configurations for defining a constraint on retries MAY be + defined in the future. - If a listener has a conflict, this will be reported in the - Status.ListenerEntryStatus setting the `Conflicted` condition to True. + Support: Extended + properties: + budget: + default: + interval: 10s + percent: 20 + description: Budget holds the details of the retry budget configuration. + properties: + interval: + default: 10s + description: |- + Interval defines the duration in which requests will be considered + for calculating the budget for retries. - Implementations SHOULD be cautious about what information from the - parent or siblings are reported to avoid accidentally leaking - sensitive information that the child would not otherwise have access - to. This can include contents of secrets etc. - items: - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour or less + than one second + rule: '!(duration(self) < duration(''1s'') || duration(self) + > duration(''1h''))' + percent: + default: 20 + description: |- + Percent defines the maximum percentage of active requests that may + be made up of retries. - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: + Support: Extended + maximum: 100 + minimum: 0 + type: integer + type: object + minRetryRate: + default: + count: 10 + interval: 1s + description: |- + MinRetryRate defines the minimum rate of retries that will be allowable + over a specified duration of time. - * The most specific match as defined by the Route type. - * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. + The effective overall minimum rate of retries targeting the backend + service may be much higher, as there can be any number of clients which + are applying this setting locally. - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. + This ensures that requests can still be retried during periods of low + traffic, where the budget for retries may be calculated as a very low + value. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. - If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. + Support: Extended + properties: + count: + description: |- + Count specifies the number of requests per time interval. - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. + Support: Extended + maximum: 1000000 + minimum: 1 + type: integer + interval: + description: |- + Interval specifies the divisor of the rate of requests, the amount of + time during which the given count of requests occur. - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour + rule: '!(duration(self) == duration(''0s'') || duration(self) + > duration(''1h''))' + type: object + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the backend. + + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. - * Same: Only Routes in the same namespace may be used by this Gateway. + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". + Defaults to "Session". - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: - description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. + Support: Core for "Session" type - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - protocol layers as described above. If an implementation does not - ensure that both the SNI and Host header match the Listener hostname, - it MUST clearly document that. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use of a header or cookie. Defaults to cookie based session + persistence. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' + targetRefs: + description: |- + TargetRefs identifies API object(s) to apply this policy to. + Currently, Backends (A grouping of like endpoints such as Service, + ServiceImport, or any implementation-specific backendRef) are the only + valid API target references. + + Currently, a TargetRef cannot be scoped to a specific port on a + Service. + items: + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. + properties: + group: + description: Group is the group of the target resource. maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: - description: |- - Name is the name of the Listener. This name MUST be unique within a - ListenerSet. - - Name is not required to be unique across a Gateway and ListenerSets. - Routes can attach to a Listener by having a ListenerSet as a parentRef - and setting the SectionName + description: Name is the name of the target resource. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - port: - default: 0 - description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - group + - kind + - name + x-kubernetes-list-type: map + required: + - targetRefs + type: object + status: + description: Status defines the current state of BackendTrafficPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. - If the port is not set or specified as zero, the implementation will assign - a unique port. If the implementation does not support dynamic port - assignment, it MUST set `Accepted` condition to `False` with the - `UnsupportedPort` reason. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - protocol: - description: Protocol specifies the network protocol this listener - expects to receive. - maxLength: 255 - minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ - type: string - tls: - description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. - A single CertificateRef to a Kubernetes Secret has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + There are two kinds of parent resources with "Core" support: - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: - - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. + Name is the name of the referent. Support: Core - enum: - - Terminate - - Passthrough + maxLength: 253 + minLength: 1 type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string + namespace: description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Implementation-specific - maxProperties: 16 - type: object - type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' - required: - - name - - protocol - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) - && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) - && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) - && !has(l2.hostname))))' - parentRef: - description: ParentRef references the Gateway that the listeners are - attached to. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: Kind is kind of the referent. For example "Gateway". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. If not present, - the namespace of the referent is assumed to be the same as - the namespace of the referring object. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - listeners - - parentRef - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of ListenerSet. - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: |- - Conditions describe the current conditions of the ListenerSet. - Implementations MUST express ListenerSet conditions using the - `ListenerSetConditionType` and `ListenerSetConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe ListenerSet state. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Known condition types are: - * "Accepted" - * "Programmed" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. - items: - description: ListenerStatus is the status associated with a Listener. - properties: - attachedRoutes: - description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object conditions: - description: Conditions describe the current condition of this - listener. + description: Conditions describes the status of the Policy with + respect to the given Ancestor. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -20338,69 +21719,40 @@ spec: - type type: object maxItems: 8 + minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - port: - description: Port is the network port the listener is configured - to listen on. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic required: - - attachedRoutes + - ancestorRef - conditions - - name - - port - - supportedKinds + - controllerName type: object - maxItems: 64 + maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + required: + - ancestors type: object required: - spec @@ -20425,7 +21777,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: @@ -20670,7 +22022,7 @@ status: storedVersions: null --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# Copyright 2025 The Kubernetes Authors. +# Copyright 2026 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20687,3 +22039,53 @@ status: # # Gateway API Experimental channel install # +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." + reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] diff --git a/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml index 76654b403d..c4ca6a85ab 100644 --- a/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml +++ b/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml @@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental labels: gateway.networking.k8s.io/policy: Direct @@ -83,8 +83,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -105,9 +103,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -119,9 +117,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -360,8 +377,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -371,9 +388,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -752,8 +777,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -774,9 +797,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -788,9 +811,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. - Support: Implementation-specific for any other resource + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1029,8 +1071,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -1040,9 +1082,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1381,7 +1431,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1901,7 +1951,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: gateways.gateway.networking.k8s.io spec: @@ -2036,14 +2086,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -2056,7 +2106,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -2605,7 +2655,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2816,6 +2866,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -2845,19 +2898,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -2924,27 +2988,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3067,27 +3153,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -3261,6 +3369,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3365,8 +3487,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -3445,7 +3570,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -3479,7 +3604,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3613,14 +3737,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -3633,7 +3757,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -4182,7 +4306,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -4393,6 +4517,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -4422,19 +4549,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" @@ -4501,27 +4639,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4644,27 +4804,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. - - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. - - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). - - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. @@ -4838,6 +5020,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -4942,8 +5138,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -5022,7 +5221,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -5056,7 +5255,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -5087,7 +5285,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: grpcroutes.gateway.networking.k8s.io spec: @@ -5629,10 +5827,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5704,10 +5906,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5912,10 +6118,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -5987,10 +6197,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6281,10 +6495,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6355,10 +6573,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6562,10 +6784,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6636,10 +6862,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -6790,8 +7020,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -6978,7 +7208,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -6994,6 +7224,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' type: object maxItems: 16 type: array @@ -7085,7 +7317,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -7337,7 +7569,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: httproutes.gateway.networking.k8s.io spec: @@ -7817,7 +8049,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -7836,18 +8068,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -7871,6 +8106,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -7879,7 +8118,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -7899,18 +8138,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -7977,10 +8219,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -8028,14 +8279,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -8071,6 +8326,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -8249,6 +8507,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -8287,6 +8546,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -8298,6 +8558,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -8402,10 +8663,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8477,10 +8742,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8791,6 +9060,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8838,10 +9110,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -8913,10 +9189,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9060,6 +9340,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -9103,11 +9388,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -9297,7 +9577,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -9316,18 +9596,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -9351,6 +9634,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -9359,7 +9646,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -9379,18 +9666,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -9457,10 +9747,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -9508,14 +9807,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -9551,6 +9854,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -9729,6 +10035,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -9767,6 +10074,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -9778,6 +10086,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -9879,10 +10188,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -9953,10 +10266,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10267,6 +10584,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10313,10 +10633,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10387,10 +10711,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10534,6 +10862,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -10574,11 +10907,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -10724,10 +11052,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -10936,7 +11268,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -10979,7 +11311,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -11070,7 +11402,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -11086,6 +11418,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -11190,6 +11524,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11273,7 +11608,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11975,7 +12310,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -11994,18 +12329,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -12029,6 +12367,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -12037,7 +12379,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -12057,18 +12399,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -12135,10 +12480,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. - When the `AllowCredentials` field is true and `AllowOrigins` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -12186,14 +12540,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -12229,6 +12587,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -12407,6 +12768,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -12445,6 +12807,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -12456,6 +12819,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -12560,10 +12924,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12635,10 +13003,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -12949,6 +13321,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -12996,10 +13371,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13071,10 +13450,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP - Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -13218,6 +13601,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -13261,11 +13649,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type - is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -13455,7 +13838,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -13474,18 +13857,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. - - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -13509,6 +13895,10 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -13517,7 +13907,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -13537,18 +13927,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: @@ -13615,10 +14008,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header @@ -13666,14 +14068,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -13709,6 +14115,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer @@ -13887,6 +14296,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -13925,6 +14335,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -13936,6 +14347,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -14037,10 +14449,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14111,10 +14527,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14425,6 +14845,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -14471,10 +14894,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14545,10 +14972,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header - to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -14692,6 +15123,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -14732,11 +15168,6 @@ spec: - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not - CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' @@ -14882,10 +15313,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to - be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -15094,7 +15529,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -15137,7 +15572,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -15228,7 +15663,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -15244,6 +15679,8 @@ spec: is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. @@ -15348,6 +15785,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -15431,7 +15869,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -15676,53 +16114,71 @@ status: --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml # -# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- @@ -15742,931 +16198,917 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: - When used to permit a SecretObjectReference: + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * Gateway + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` - When used to permit a BackendObjectReference: + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same description: |- - Namespace is the namespace of the referent. + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. - Support: Core + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - kind: + name: description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 + Name is not required to be unique across a Gateway and ListenerSets. + Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName + maxLength: 253 minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - name: + port: description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - required: - - from - - to - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tcproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TCPRoute - listKind: TCPRouteList - plural: tcproutes - singular: tcproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - TCPRoute provides a way to route TCP requests. When combined with a Gateway - listener, it can be used to forward connections on the port specified by the - listener to a set of backends specified by the TCPRoute. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of TCPRoute. - properties: - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". - There are two kinds of parent resources with "Core" support: + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. - This API may be extended in the future to support additional kinds of parent - resources. + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. - ParentRefs must be _distinct_. This means either that: + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. - Some examples: + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. - This API may be extended in the future to support additional kinds of parent - resources. + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the ListenerSet. - There are two kinds of parent resources with "Core" support: + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) + Known condition types are: - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + * "Accepted" + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - name: + message: description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - namespace: + observedGeneration: description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string - port: + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. - Support: Extended + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. format: int32 - maximum: 65535 - minimum: 1 type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of TCP matchers and actions. - items: - description: TCPRouteRule is the configuration for a given rule. - properties: - backendRefs: + supportedKinds: description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Connection rejections must - respect weight; if an invalid backend is requested to have 80% of - connections, then 80% of connections must be rejected instead. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport - - Support: Implementation-specific for any other resource + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. - Support for weight: Extended + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. items: - description: |- - BackendRef defines how a Route should forward a request to a Kubernetes - resource. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. - - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. - - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. Implementations MAY infer the - protocol from the Route type referring to the backend Service. - - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - - Note that when the BackendTLSPolicy object is enabled by the implementation, - there are some extra rules about validity to consider here. See the fields - where this struct is used for more information about the exact behavior. + description: RouteGroupKind indicates the group and kind of + a Route resource. properties: group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. + default: gateway.networking.k8s.io + description: Group is the group of the Route. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) + description: Kind is the kind of the Route. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer required: - - name + - kind type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - minItems: 1 + maxItems: 8 type: array x-kubernetes-list-type: atomic - name: + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Support: Extended + Support: Core maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - - backendRefs + - group + - kind + - namespace type: object maxItems: 16 minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) - useDefaultGateways: - description: |- - UseDefaultGateways indicates the default Gateway scope to use for this - Route. If unset (the default) or set to None, the Route will not be - attached to any default Gateway; if set, it will be attached to any - default Gateway supporting the named scope, subject to the usual rules - about which Routes a Gateway is allowed to claim. - - Think carefully before using this functionality! The set of default - Gateways supporting the requested scope can change over time without - any notice to the Route author, and in many situations it will not be - appropriate to request a default Gateway for a given Route -- for - example, a Route with specific security requirements should almost - certainly not use a default Gateway. - enum: - - All - - None - type: string - required: - - rules - type: object - status: - description: Status defines the current state of TCPRoute. - properties: - parents: + to: description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. + Support: Core items: description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. properties: - conditions: + group: description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object required: - - conditions - - controllerName - - parentRef + - group + - kind type: object - maxItems: 32 + maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic required: - - parents + - from + - to type: object - required: - - spec type: object served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: tlsroutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: TLSRoute - listKind: TLSRouteList - plural: tlsroutes - singular: tlsroute - scope: Namespaced - versions: + storage: false + subresources: {} - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1beta1 schema: openAPIV3Schema: description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. - If you need to forward traffic to a single target for a TLS listener, you - could choose to use a TCPRoute with a TLS listener. + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. properties: apiVersion: description: |- @@ -16686,66 +17128,188 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of TLSRoute. + description: Spec defines the desired state of ReferenceGrant. properties: - hostnames: + from: description: |- - Hostnames defines a set of SNI names that should match against the - SNI attribute of TLS ClientHello message in TLS handshake. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. - 1. IPs are not allowed in SNI names per RFC 6066. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. + When used to permit a SecretObjectReference: - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. + * Gateway - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. Support: Core items: description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -16983,21 +17547,18 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: Rules are a list of TCP matchers and actions. items: - description: TLSRouteRule is the configuration for a given rule. + description: TCPRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or - a Service with no endpoints), the rule performs no forwarding; if no - filters are specified that would result in a response being sent, the - underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. Support: Core for Kubernetes Service @@ -17169,7 +17730,7 @@ spec: - rules type: object status: - description: Status defines the current state of TLSRoute. + description: Status defines the current state of TCPRoute. properties: parents: description: |- @@ -17212,7 +17773,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -17445,22 +18006,52 @@ spec: - spec type: object served: true - storage: false + storage: true subresources: status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: |- - The TLSRoute resource is similar to TCPRoute, but can be configured - to match against TLS-specific metadata. This allows more flexibility - in matching streams for a given TLS listener. - - If you need to forward traffic to a single target for a TLS listener, you +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener. properties: apiVersion: @@ -17492,32 +18083,6 @@ spec: 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have specified at least one of `test.example.com` or - `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have specified at least one hostname that matches the Listener - hostname. For example, `test.example.com` and `*.example.com` would both - match. On the other hand, `example.com` and `test.example.net` would not - match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches @@ -17542,6 +18107,17 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -17924,10 +18500,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17939,10 +18513,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) - && l1.name == l2.name)) useDefaultGateways: description: |- UseDefaultGateways indicates the default Gateway scope to use for this @@ -18009,7 +18579,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -18245,47 +18815,20 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - name: udproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: UDPRoute - listKind: UDPRouteList - plural: udproutes - singular: udproute - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. name: v1alpha2 schema: openAPIV3Schema: description: |- - UDPRoute provides a way to route UDP traffic. When combined with a Gateway - listener, it can be used to forward traffic on the port specified by the - listener to a set of backends specified by the UDPRoute. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. properties: apiVersion: description: |- @@ -18305,8 +18848,66 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of UDPRoute. + description: Spec defines the desired state of TLSRoute. properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -18544,18 +19145,21 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: Rules are a list of TLS matchers and actions. items: - description: UDPRouteRule is the configuration for a given rule. + description: TLSRouteRule is the configuration for a given rule. properties: backendRefs: description: |- BackendRefs defines the backend(s) where matching requests should be - sent. If unspecified or invalid (refers to a nonexistent resource or a - Service with no endpoints), the underlying implementation MUST actively - reject connection attempts to this backend. Packet drops must - respect weight; if an invalid backend is requested to have 80% of - the packets, then 80% of packets must be dropped instead. + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. Support: Core for Kubernetes Service @@ -18686,10 +19290,8 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18727,7 +19329,7 @@ spec: - rules type: object status: - description: Status defines the current state of UDPRoute. + description: Status defines the current state of TLSRoute. properties: parents: description: |- @@ -18770,7 +19372,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -19003,53 +19605,26 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# -# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 - gateway.networking.k8s.io/channel: experimental - labels: - gateway.networking.k8s.io/policy: Direct - name: xbackendtrafficpolicies.gateway.networking.x-k8s.io -spec: - group: gateway.networking.x-k8s.io - names: - categories: - - gateway-api - kind: XBackendTrafficPolicy - listKind: XBackendTrafficPolicyList - plural: xbackendtrafficpolicies - shortNames: - - xbtrafficpolicy - singular: xbackendtrafficpolicy - scope: Namespaced - versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 schema: openAPIV3Schema: description: |- - XBackendTrafficPolicy defines the configuration for how traffic to a - target backend should be handled. + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. properties: apiVersion: description: |- @@ -19069,320 +19644,1359 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of BackendTrafficPolicy. + description: Spec defines the desired state of TLSRoute. properties: - retryConstraint: + hostnames: description: |- - RetryConstraint defines the configuration for when to allow or prevent - further retries to a target backend, by dynamically calculating a 'retry - budget'. This budget is calculated based on the percentage of incoming - traffic composed of retries over a given time interval. Once the budget - is exceeded, additional retries will be rejected. - - For example, if the retry budget interval is 10 seconds, there have been - 1000 active requests in the past 10 seconds, and the allowed percentage - of requests that can be retried is 20% (the default), then 200 of those - requests may be composed of retries. Active requests will only be - considered for the duration of the interval when calculating the retry - budget. Retrying the same original request multiple times within the - retry budget interval will lead to each retry being counted towards - calculating the budget. + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: - Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - HTTPRoute Retry settings for each HTTPRouteRule that targets the same - backend. While the HTTPRouteRule Retry stanza can specify whether a - request will be retried, and the number of retry attempts each client - may perform, RetryConstraint helps prevent cascading failures such as - retry storms during periods of consistent failures. + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. + + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: experimental + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + UDPRoute provides a way to route UDP traffic. When combined with a Gateway + listener, it can be used to forward traffic on the port specified by the + listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: - After the retry budget has been exceeded, additional retries to the - backend MUST return a 503 response to the client. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Additional configurations for defining a constraint on retries MAY be - defined in the future. + This API may be extended in the future to support additional kinds of parent + resources. - Support: Extended - properties: - budget: - default: - interval: 10s - percent: 20 - description: Budget holds the details of the retry budget configuration. - properties: - interval: - default: 10s - description: |- - Interval defines the duration in which requests will be considered - for calculating the budget for retries. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour or less - than one second - rule: '!(duration(self) < duration(''1s'') || duration(self) - > duration(''1h''))' - percent: - default: 20 - description: |- - Percent defines the maximum percentage of active requests that may - be made up of retries. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - Support: Extended - maximum: 100 - minimum: 0 - type: integer - type: object - minRetryRate: - default: - count: 10 - interval: 1s - description: |- - MinRetryRate defines the minimum rate of retries that will be allowable - over a specified duration of time. + There are two kinds of parent resources with "Core" support: - The effective overall minimum rate of retries targeting the backend - service may be much higher, as there can be any number of clients which - are applying this setting locally. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - This ensures that requests can still be retried during periods of low - traffic, where the budget for retries may be calculated as a very low - value. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support: Extended - properties: - count: - description: |- - Count specifies the number of requests per time interval. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Support: Extended - maximum: 1000000 - minimum: 1 - type: integer - interval: - description: |- - Interval specifies the divisor of the rate of requests, the amount of - time during which the given count of requests occur. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - x-kubernetes-validations: - - message: interval can not be greater than one hour - rule: '!(duration(self) == duration(''0s'') || duration(self) - > duration(''1h''))' - type: object - type: object - sessionPersistence: - description: |- - SessionPersistence defines and configures session persistence - for the backend. - Support: Extended - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Packet drops must + respect weight; if an invalid backend is requested to have 80% of + the packets, then 80% of packets must be dropped instead. + + Support: Core for Kubernetes Service - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. + Support: Extended for Kubernetes ServiceImport - Support: Core - properties: - lifetimeType: - default: Session + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. + BackendRef defines how a Route should forward a request to a Kubernetes + resource. - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. - Defaults to "Session". + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. - Support: Core for "Session" type + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. - Support: Core for "Cookie" type + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) - || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' - targetRefs: - description: |- - TargetRefs identifies API object(s) to apply this policy to. - Currently, Backends (A grouping of like endpoints such as Service, - ServiceImport, or any implementation-specific backendRef) are the only - valid API target references. + Defaults to "Service" when not specified. - Currently, a TargetRef can not be scoped to a specific port on a - Service. - items: - description: |- - LocalPolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic name: - description: Name is the name of the target resource. + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended maxLength: 253 minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - - group - - kind - - name + - backendRefs type: object maxItems: 16 minItems: 1 type: array - x-kubernetes-list-map-keys: - - group - - kind - - name - x-kubernetes-list-type: map - required: - - targetRefs - type: object - status: - description: Status defines the current state of BackendTrafficPolicy. - properties: - ancestors: + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. - - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. + Think carefully before using this functionality! The set of default + Gateways supporting the requested scope can change over time without + any notice to the Route author, and in many situations it will not be + appropriate to request a default Gateway for a given Route -- for + example, a Route with specific security requirements should almost + certainly not use a default Gateway. + enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. items: description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. + Example: "example.net/gateway-controller". - This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. - properties: - ancestorRef: + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. properties: group: default: gateway.networking.k8s.io @@ -19516,99 +21130,16 @@ spec: required: - name type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string required: - - ancestorRef - conditions - controllerName + - parentRef type: object - maxItems: 16 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - ancestors + - parents type: object required: - spec @@ -19626,36 +21157,32 @@ status: --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml # -# config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml +# config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental - name: xlistenersets.gateway.networking.x-k8s.io + labels: + gateway.networking.k8s.io/policy: Direct + name: xbackendtrafficpolicies.gateway.networking.x-k8s.io spec: group: gateway.networking.x-k8s.io names: categories: - gateway-api - kind: XListenerSet - listKind: XListenerSetList - plural: xlistenersets + kind: XBackendTrafficPolicy + listKind: XBackendTrafficPolicyList + plural: xbackendtrafficpolicies shortNames: - - lset - singular: xlistenerset + - xbtrafficpolicy + singular: xbackendtrafficpolicy scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -19663,33 +21190,8 @@ spec: schema: openAPIV3Schema: description: |- - XListenerSet defines a set of additional listeners to attach to an existing Gateway. - This resource provides a mechanism to merge multiple listeners into a single Gateway. - - The parent Gateway must explicitly allow ListenerSet attachment through its - AllowedListeners configuration. By default, Gateways do not allow ListenerSet - attachment. - - Routes can attach to a ListenerSet by specifying it as a parentRef, and can - optionally target specific listeners using the sectionName field. - - Policy Attachment: - - Policies that attach to a ListenerSet apply to all listeners defined in that resource - - Policies do not impact listeners in the parent Gateway - - Different ListenerSets attached to the same Gateway can have different policies - - If an implementation cannot apply a policy to specific listeners, it should reject the policy - - ReferenceGrant Semantics: - - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - - Gateway Integration: - - The parent Gateway's status will include an "AttachedListenerSets" condition - - This condition will be: - - True: when AllowedListeners is set and at least one child ListenerSet is attached - - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - - Unknown: when no AllowedListeners config is present + XBackendTrafficPolicy defines the configuration for how traffic to a + target backend should be handled. properties: apiVersion: description: |- @@ -19709,579 +21211,458 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ListenerSet. + description: Spec defines the desired state of BackendTrafficPolicy. properties: - listeners: + retryConstraint: description: |- - Listeners associated with this ListenerSet. Listeners define - logical endpoints that are bound on this referenced parent Gateway's addresses. + RetryConstraint defines the configuration for when to allow or prevent + further retries to a target backend, by dynamically calculating a 'retry + budget'. This budget is calculated based on the percentage of incoming + traffic composed of retries over a given time interval. Once the budget + is exceeded, additional retries will be rejected. - Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - as a list when programming the underlying infrastructure. Each listener - name does not need to be unique across the Gateway and ListenerSets. - See ListenerEntry.Name for more details. + For example, if the retry budget interval is 10 seconds, there have been + 1000 active requests in the past 10 seconds, and the allowed percentage + of requests that can be retried is 20% (the default), then 200 of those + requests may be composed of retries. Active requests will only be + considered for the duration of the interval when calculating the retry + budget. Retrying the same original request multiple times within the + retry budget interval will lead to each retry being counted towards + calculating the budget. - Implementations MUST treat the parent Gateway as having the merged - list of all listeners from itself and attached ListenerSets using - the following precedence: + Configuring a RetryConstraint in BackendTrafficPolicy is compatible with + HTTPRoute Retry settings for each HTTPRouteRule that targets the same + backend. While the HTTPRouteRule Retry stanza can specify whether a + request will be retried, and the number of retry attempts each client + may perform, RetryConstraint helps prevent cascading failures such as + retry storms during periods of consistent failures. - 1. "parent" Gateway - 2. ListenerSet ordered by creation time (oldest first) - 3. ListenerSet ordered alphabetically by "{namespace}/{name}". + After the retry budget has been exceeded, additional retries to the + backend MUST return a 503 response to the client. - An implementation MAY reject listeners by setting the ListenerEntryStatus - `Accepted` condition to False with the Reason `TooManyListeners` + Additional configurations for defining a constraint on retries MAY be + defined in the future. - If a listener has a conflict, this will be reported in the - Status.ListenerEntryStatus setting the `Conflicted` condition to True. + Support: Extended + properties: + budget: + default: + interval: 10s + percent: 20 + description: Budget holds the details of the retry budget configuration. + properties: + interval: + default: 10s + description: |- + Interval defines the duration in which requests will be considered + for calculating the budget for retries. - Implementations SHOULD be cautious about what information from the - parent or siblings are reported to avoid accidentally leaking - sensitive information that the child would not otherwise have access - to. This can include contents of secrets etc. - items: - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour or less + than one second + rule: '!(duration(self) < duration(''1s'') || duration(self) + > duration(''1h''))' + percent: + default: 20 + description: |- + Percent defines the maximum percentage of active requests that may + be made up of retries. - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: + Support: Extended + maximum: 100 + minimum: 0 + type: integer + type: object + minRetryRate: + default: + count: 10 + interval: 1s + description: |- + MinRetryRate defines the minimum rate of retries that will be allowable + over a specified duration of time. - * The most specific match as defined by the Route type. - * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. + The effective overall minimum rate of retries targeting the backend + service may be much higher, as there can be any number of clients which + are applying this setting locally. - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. + This ensures that requests can still be retried during periods of low + traffic, where the budget for retries may be calculated as a very low + value. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. - If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. + Support: Extended + properties: + count: + description: |- + Count specifies the number of requests per time interval. - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. + Support: Extended + maximum: 1000000 + minimum: 1 + type: integer + interval: + description: |- + Interval specifies the divisor of the rate of requests, the amount of + time during which the given count of requests occur. - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + x-kubernetes-validations: + - message: interval cannot be greater than one hour + rule: '!(duration(self) == duration(''0s'') || duration(self) + > duration(''1h''))' + type: object + type: object + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the backend. + + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. - * Same: Only Routes in the same namespace may be used by this Gateway. + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". + Defaults to "Session". - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: - description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. + Support: Core for "Session" type - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - protocol layers as described above. If an implementation does not - ensure that both the SNI and Host header match the Listener hostname, - it MUST clearly document that. + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use of a header or cookie. Defaults to cookie based session + persistence. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' + targetRefs: + description: |- + TargetRefs identifies API object(s) to apply this policy to. + Currently, Backends (A grouping of like endpoints such as Service, + ServiceImport, or any implementation-specific backendRef) are the only + valid API target references. + + Currently, a TargetRef cannot be scoped to a specific port on a + Service. + items: + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. + properties: + group: + description: Group is the group of the target resource. maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: - description: |- - Name is the name of the Listener. This name MUST be unique within a - ListenerSet. - - Name is not required to be unique across a Gateway and ListenerSets. - Routes can attach to a Listener by having a ListenerSet as a parentRef - and setting the SectionName + description: Name is the name of the target resource. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string - port: - default: 0 - description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - group + - kind + - name + x-kubernetes-list-type: map + required: + - targetRefs + type: object + status: + description: Status defines the current state of BackendTrafficPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. - If the port is not set or specified as zero, the implementation will assign - a unique port. If the implementation does not support dynamic port - assignment, it MUST set `Accepted` condition to `False` with the - `UnsupportedPort` reason. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - protocol: - description: Protocol specifies the network protocol this listener - expects to receive. - maxLength: 255 - minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ - type: string - tls: - description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. - A single CertificateRef to a Kubernetes Secret has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. + There are two kinds of parent resources with "Core" support: - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: - - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. + Name is the name of the referent. Support: Core - enum: - - Terminate - - Passthrough + maxLength: 253 + minLength: 1 type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string + namespace: description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Implementation-specific - maxProperties: 16 - type: object - type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' - required: - - name - - protocol - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) - && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) - && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) - && !has(l2.hostname))))' - parentRef: - description: ParentRef references the Gateway that the listeners are - attached to. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: Kind is kind of the referent. For example "Gateway". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. If not present, - the namespace of the referent is assumed to be the same as - the namespace of the referring object. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - listeners - - parentRef - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of ListenerSet. - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: |- - Conditions describe the current conditions of the ListenerSet. - Implementations MUST express ListenerSet conditions using the - `ListenerSetConditionType` and `ListenerSetConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe ListenerSet state. + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. - Known condition types are: - * "Accepted" - * "Programmed" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. - items: - description: ListenerStatus is the status associated with a Listener. - properties: - attachedRoutes: - description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object conditions: - description: Conditions describe the current condition of this - listener. + description: Conditions describes the status of the Policy with + respect to the given Ancestor. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -20338,69 +21719,40 @@ spec: - type type: object maxItems: 8 + minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - port: - description: Port is the network port the listener is configured - to listen on. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic required: - - attachedRoutes + - ancestorRef - conditions - - name - - port - - supportedKinds + - controllerName type: object - maxItems: 64 + maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + x-kubernetes-list-type: atomic + required: + - ancestors type: object required: - spec @@ -20425,7 +21777,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: experimental name: xmeshes.gateway.networking.x-k8s.io spec: @@ -20670,7 +22022,7 @@ status: storedVersions: null --- # Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml -# Copyright 2025 The Kubernetes Authors. +# Copyright 2026 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20687,3 +22039,53 @@ status: # # Gateway API Experimental channel install # +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +# +# config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." + reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid +--- +# Source: gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] diff --git a/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml index 9e0a0aabeb..76fa26c6d6 100644 --- a/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml +++ b/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml @@ -8,7 +8,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard labels: gateway.networking.k8s.io/policy: Direct @@ -83,8 +83,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -105,9 +103,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -119,9 +117,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: - Support: Implementation-specific for any other resource + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -360,8 +377,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -371,9 +388,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -734,8 +759,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. @@ -756,9 +779,9 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to @@ -770,9 +793,28 @@ spec: clarified in a future release, the safest approach is to support a single targetRef. - Support: Extended for Kubernetes Service + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service - Support: Implementation-specific for any other resource + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. + They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -1011,8 +1053,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -1022,9 +1064,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certifcates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1345,7 +1395,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: gatewayclasses.gateway.networking.k8s.io spec: @@ -1865,7 +1915,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: gateways.gateway.networking.k8s.io spec: @@ -1997,6 +2047,87 @@ spec: rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )' + allowedListeners: + description: |- + AllowedListeners defines which ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: |- + Namespaces defines which namespaces ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: |- + From indicates where ListenerSets can attach to this Gateway. Possible + values are: + + * Same: Only ListenerSets in the same namespace may be attached to this Gateway. + * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. + * All: ListenerSets in all namespaces may be attached to this Gateway. + * None: Only listeners defined in the Gateway's spec are allowed + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only ListenerSets in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -2465,7 +2596,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -2676,6 +2807,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -2686,6 +2820,421 @@ spec: rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + tls: + description: |- + TLS specifies frontend and backend tls configuration for entire gateway. + + Support: Extended + properties: + backend: + description: |- + Backend describes TLS configuration for gateway when connecting + to backends. + + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: |- + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. + + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: + description: |- + The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. + + Support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object + type: object required: - gatewayClassName - listeners @@ -2761,6 +3310,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -2865,8 +3428,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -2945,7 +3511,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -2979,7 +3545,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -3110,6 +3675,87 @@ spec: rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )' + allowedListeners: + description: |- + AllowedListeners defines which ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + namespaces: + default: + from: None + description: |- + Namespaces defines which namespaces ListenerSets can be attached to this Gateway. + The default value is to allow no ListenerSets. + properties: + from: + default: None + description: |- + From indicates where ListenerSets can attach to this Gateway. Possible + values are: + + * Same: Only ListenerSets in the same namespace may be attached to this Gateway. + * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. + * All: ListenerSets in all namespaces may be attached to this Gateway. + * None: Only listeners defined in the Gateway's spec are allowed + + The default value None + enum: + - All + - Selector + - Same + - None + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only ListenerSets in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -3578,7 +4224,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -3789,6 +4435,9 @@ spec: - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' @@ -3799,21 +4448,436 @@ spec: rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' - required: - - gatewayClassName - - listeners - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending + tls: + description: |- + TLS specifies frontend and backend tls configuration for entire gateway. + + Support: Extended + properties: + backend: + description: |- + Backend describes TLS configuration for gateway when connecting + to backends. + + Note that this contains only details for the Gateway as a TLS client, + and does _not_ imply behavior about how to choose which backend should + get a TLS connection. That is determined by the presence of a BackendTLSPolicy. + + Support: Core + properties: + clientCertificateRef: + description: |- + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. + + A ClientCertificateRef is considered invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. + + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). + Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + frontend: + description: |- + Frontend describes TLS config when client connects to Gateway. + Support: Core + properties: + default: + description: |- + Default specifies the default client certificate validation configuration + for all Listeners handling HTTPS traffic, unless a per-port configuration + is defined. + + support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + perPort: + description: |- + PerPort specifies tls configuration assigned per port. + Per port configuration is optional. Once set this configuration overrides + the default configuration for all Listeners handling HTTPS traffic + that match this port. + Each override port requires a unique TLS configuration. + + support: Core + items: + properties: + port: + description: |- + The Port indicates the Port Number to which the TLS configuration will be + applied. This configuration will be applied to all Listeners handling HTTPS + traffic that match this port. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + tls: + description: |- + TLS store the configuration that will be applied to all Listeners handling + HTTPS traffic and matching given port. + + Support: Core + properties: + validation: + description: |- + Validation holds configuration information for validating the frontend (client). + Setting this field will result in mutual authentication when connecting to the gateway. + In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Core + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When set to the empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + For example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + mode: + default: AllowValidOnly + description: |- + FrontendValidationMode defines the mode for validating the client certificate. + There are two possible modes: + + - AllowValidOnly: In this mode, the gateway will accept connections only if + the client presents a valid certificate. This certificate must successfully + pass validation against the CA certificates specified in `CACertificateRefs`. + - AllowInsecureFallback: In this mode, the gateway will accept connections + even if the client certificate is not presented or fails verification. + + This approach delegates client authorization to the backend and introduce + a significant security risk. It should be used in testing environments or + on a temporary basis in non-testing environments. + + Defaults to AllowValidOnly. + + Support: Core + enum: + - AllowValidOnly + - AllowInsecureFallback + type: string + required: + - caCertificateRefs + type: object + type: object + required: + - port + - tls + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - port + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Port for TLS configuration must be unique within + the Gateway + rule: self.all(t1, self.exists_one(t2, t1.port == t2.port)) + required: + - default + type: object + type: object + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending status: Unknown type: Programmed description: Status defines the current state of Gateway. @@ -3874,6 +4938,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -3978,8 +5056,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. @@ -4058,7 +5139,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -4092,7 +5173,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -4123,7 +5203,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: grpcroutes.gateway.networking.k8s.io spec: @@ -5779,8 +6859,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -5964,7 +7044,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -6198,7 +7278,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard name: httproutes.gateway.networking.k8s.io spec: @@ -6605,6 +7685,316 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. + + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object extensionRef: description: |- ExtensionRef is an optional, implementation-specific extension to the @@ -7074,6 +8464,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -7252,6 +8645,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -7341,6 +8735,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -7541,34 +8940,344 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: - extensionRef: + cors: description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. - This filter can be used multiple times within the same rule. - - Support: Implementation-specific + Support: Extended properties: - group: + allowCredentials: description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 minLength: 1 type: string required: @@ -8008,6 +9717,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -8184,6 +9896,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -8273,6 +9986,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -8741,6 +10459,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -8803,7 +10522,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -9414,6 +11133,316 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. + + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object extensionRef: description: |- ExtensionRef is an optional, implementation-specific extension to the @@ -9883,6 +11912,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10061,6 +12093,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -10150,6 +12183,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type + is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type @@ -10350,6 +12388,316 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. properties: + cors: + description: |- + CORS defines a schema for a filter that responds to the + cross-origin request based on HTTP response header. + + Support: Extended + properties: + allowCredentials: + description: |- + AllowCredentials indicates whether the actual cross-origin request allows + to include credentials. + + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). + + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). + + Support: Extended + type: boolean + allowHeaders: + description: |- + AllowHeaders indicates which HTTP request headers are supported for + accessing the requested resource. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Allow-Headers` + response header are separated by a comma (","). + + When the `AllowHeaders` field is configured with one or more headers, the + gateway must return the `Access-Control-Allow-Headers` response header + which value is present in the `AllowHeaders` field. + + If any header name in the `Access-Control-Request-Headers` request header + is not included in the list of header names specified by the response + header `Access-Control-Allow-Headers`, it will present an error on the + client side. + + If any header name in the `Access-Control-Allow-Headers` response header + does not recognize by the client, it will also occur an error on the + client side. + + A wildcard indicates that the requests with all HTTP headers are allowed. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more + HTTP headers in the value of the `Access-Control-Allow-Headers` response + header. The value of the header `Access-Control-Allow-Headers` is same as + the `Access-Control-Request-Headers` header provided by the client. If + the header `Access-Control-Request-Headers` is not included in the + request, the gateway will omit the `Access-Control-Allow-Headers` + response header, instead of specifying the `*` wildcard. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowMethods: + description: |- + AllowMethods indicates which HTTP methods are supported for accessing the + requested resource. + + Valid values are any method defined by RFC9110, along with the special + value `*`, which represents all HTTP methods are allowed. + + Method names are case-sensitive, so these values are also case-sensitive. + (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) + + Multiple method names in the value of the `Access-Control-Allow-Methods` + response header are separated by a comma (","). + + A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. + (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The + CORS-safelisted methods are always allowed, regardless of whether they + are specified in the `AllowMethods` field. + + When the `AllowMethods` field is configured with one or more methods, the + gateway must return the `Access-Control-Allow-Methods` response header + which value is present in the `AllowMethods` field. + + If the HTTP method of the `Access-Control-Request-Method` request header + is not included in the list of methods specified by the response header + `Access-Control-Allow-Methods`, it will present an error on the client + side. + + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field + specified with the `*` wildcard, the gateway must specify one HTTP method + in the value of the Access-Control-Allow-Methods response header. The + value of the header `Access-Control-Allow-Methods` is same as the + `Access-Control-Request-Method` header provided by the client. If the + header `Access-Control-Request-Method` is not included in the request, + the gateway will omit the `Access-Control-Allow-Methods` response header, + instead of specifying the `*` wildcard. + + Support: Extended + items: + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + - '*' + type: string + maxItems: 9 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowMethods cannot contain '*' alongside + other methods + rule: '!(''*'' in self && self.size() > 1)' + allowOrigins: + description: |- + AllowOrigins indicates whether the response can be shared with requested + resource from the given `Origin`. + + The `Origin` consists of a scheme and a host, with an optional port, and + takes the form `://(:)`. + + Valid values for scheme are: `http` and `https`. + + Valid values for port are any integer between 1 and 65535 (the list of + available TCP/UDP ports). Note that, if not included, port `80` is + assumed for `http` scheme origins, and port `443` is assumed for `https` + origins. This may affect origin matching. + + The host part of the origin may contain the wildcard character `*`. These + wildcard characters behave as follows: + + * `*` is a greedy match to the _left_, including any number of + DNS labels to the left of its position. This also means that + `*` will include any number of period `.` characters to the + left of its position. + * A wildcard by itself matches all hosts. + + An origin value that includes _only_ the `*` character indicates requests + from all `Origin`s are allowed. + + When the `AllowOrigins` field is configured with multiple origins, it + means the server supports clients from multiple origins. If the request + `Origin` matches the configured allowed origins, the gateway must return + the given `Origin` and sets value of the header + `Access-Control-Allow-Origin` same as the `Origin` header provided by the + client. + + The status code of a successful response to a "preflight" request is + always an OK status (i.e., 204 or 200). + + If the request `Origin` does not match the configured allowed origins, + the gateway returns 204/200 response but doesn't set the relevant + cross-origin response headers. Alternatively, the gateway responds with + 403 status to the "preflight" request is denied, coupled with omitting + the CORS headers. The cross-origin request fails on the client side. + Therefore, the client doesn't attempt the actual cross-origin request. + + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. + + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field + specified with the `*` wildcard, the gateway must return a single origin + in the value of the `Access-Control-Allow-Origin` response header, + instead of specifying the `*` wildcard. The value of the header + `Access-Control-Allow-Origin` is same as the `Origin` header provided by + the client. + + Support: Extended + items: + description: |- + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or + IP address as the host. + maxLength: 253 + minLength: 1 + pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside + other origins + rule: '!(''*'' in self && self.size() > 1)' + exposeHeaders: + description: |- + ExposeHeaders indicates which HTTP response headers can be exposed + to client-side scripts in response to a cross-origin request. + + A CORS-safelisted response header is an HTTP header in a CORS response + that it is considered safe to expose to the client scripts. + The CORS-safelisted response headers include the following headers: + `Cache-Control` + `Content-Language` + `Content-Length` + `Content-Type` + `Expires` + `Last-Modified` + `Pragma` + (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) + The CORS-safelisted response headers are exposed to client by default. + + When an HTTP header name is specified using the `ExposeHeaders` field, + this additional header will be exposed as part of the response to the + client. + + Header names are not case-sensitive. + + Multiple header names in the value of the `Access-Control-Expose-Headers` + response header are separated by a comma (","). + + A wildcard indicates that the responses with all HTTP headers are exposed + to clients. The `Access-Control-Expose-Headers` response header can only + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. + + Support: Extended + items: + description: |- + HTTPHeaderName is the name of an HTTP header. + + Valid values include: + + * "Authorization" + * "Set-Cookie" + + Invalid values include: + + - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo + headers are not currently supported by this type. + - "/invalid" - "/ " is an invalid character + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + maxAge: + default: 5 + description: |- + MaxAge indicates the duration (in seconds) for the client to cache the + results of a "preflight" request. + + The information provided by the `Access-Control-Allow-Methods` and + `Access-Control-Allow-Headers` response headers can be cached by the + client until the time specified by `Access-Control-Max-Age` elapses. + + The default value of `Access-Control-Max-Age` response header is 5 + (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. + format: int32 + minimum: 1 + type: integer + type: object extensionRef: description: |- ExtensionRef is an optional, implementation-specific extension to the @@ -10817,6 +13165,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: @@ -10993,6 +13344,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -11082,6 +13434,11 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not + CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != @@ -11550,6 +13907,7 @@ spec: != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -11612,7 +13970,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -11839,53 +14197,71 @@ status: --- # Source: gateway-crds-helm/templates/standard-gatewayapi-crds.yaml # -# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +# config/crd/standard/gateway.networking.k8s.io_listenersets.yaml # apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.1 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 gateway.networking.k8s.io/channel: standard - name: referencegrants.gateway.networking.k8s.io + name: listenersets.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io names: categories: - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants + kind: ListenerSet + listKind: ListenerSetList + plural: listenersets shortNames: - - refgrant - singular: referencegrant + - lset + singular: listenerset scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1 schema: openAPIV3Schema: description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. - - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. - - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. - - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. + ListenerSet defines a set of additional listeners to attach to an existing Gateway. + This resource provides a mechanism to merge multiple listeners into a single Gateway. + + The parent Gateway must explicitly allow ListenerSet attachment through its + AllowedListeners configuration. By default, Gateways do not allow ListenerSet + attachment. + + Routes can attach to a ListenerSet by specifying it as a parentRef, and can + optionally target specific listeners using the sectionName field. + + Policy Attachment: + - Policies that attach to a ListenerSet apply to all listeners defined in that resource + - Policies do not impact listeners in the parent Gateway + - Different ListenerSets attached to the same Gateway can have different policies + - If an implementation cannot apply a policy to specific listeners, it should reject the policy + + ReferenceGrant Semantics: + - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets + - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners + - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + + Gateway Integration: + - The parent Gateway's status will include "AttachedListenerSets" + which is the count of ListenerSets that have successfully attached to a Gateway + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" properties: apiVersion: description: |- @@ -11905,126 +14281,3178 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of ReferenceGrant. + description: Spec defines the desired state of ListenerSet. properties: - from: + listeners: description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. + Listeners associated with this ListenerSet. Listeners define + logical endpoints that are bound on this referenced parent Gateway's addresses. + + Listeners in a `Gateway` and their attached `ListenerSets` are concatenated + as a list when programming the underlying infrastructure. Each listener + name does not need to be unique across the Gateway and ListenerSets. + See ListenerEntry.Name for more details. + + Implementations MUST treat the parent Gateway as having the merged + list of all listeners from itself and attached ListenerSets using + the following precedence: + + 1. "parent" Gateway + 2. ListenerSet ordered by creation time (oldest first) + 3. ListenerSet ordered alphabetically by "{namespace}/{name}". + + An implementation MAY reject listeners by setting the ListenerEntryStatus + `Accepted` condition to False with the Reason `TooManyListeners` + + If a listener has a conflict, this will be reported in the + Status.ListenerEntryStatus setting the `Conflicted` condition to True. + + Implementations SHOULD be cautious about what information from the + parent or siblings are reported to avoid accidentally leaking + sensitive information that the child would not otherwise have access + to. This can include contents of secrets etc. + items: + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + ListenerSet. + + Name is not required to be unique across a Gateway and ListenerSets. + Routes can attach to a Listener by having a ListenerSet as a parentRef + and setting the SectionName + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: Protocol specifies the network protocol this listener + expects to receive. + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) + && l.tls.mode != '''' : true))' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) + && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) + && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) + && !has(l2.hostname))))' + parentRef: + description: ParentRef references the Gateway that the listeners are + attached to. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: Kind is kind of the referent. For example "Gateway". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. If not present, + the namespace of the referent is assumed to be the same as + the namespace of the referring object. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - listeners + - parentRef + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of ListenerSet. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the ListenerSet. + + Implementations MUST express ListenerSet conditions using the + `ListenerSetConditionType` and `ListenerSetConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe ListenerSet state. + + Known condition types are: + + * "Accepted" + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds supported by an implementation for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/standard-gatewayapi-crds.yaml +# +# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: standard + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: gateway-crds-helm/templates/standard-gatewayapi-crds.yaml +# +# config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.5.0-rc.1 + gateway.networking.k8s.io/channel: standard + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. Support: Core items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will + be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of SNI hostnames that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI hostnames per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') + : true)' + - message: Wildcards on hostnames must be the first label, and the + rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && + h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) + : true)' + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. properties: - group: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a nonexistent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: Name is the name of the route rule. This name MUST + be unique within a Route if it is set. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. - Support: Core + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string - kind: + parentRef: description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). - When used to permit a SecretObjectReference: + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. - * Gateway + There are two kinds of parent resources with "Core" support: - When used to permit a BackendObjectReference: + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 - minLength: 1 - type: string + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object required: - - group - - kind + - conditions + - controllerName + - parentRef type: object - maxItems: 16 - minItems: 1 + maxItems: 32 type: array x-kubernetes-list-type: atomic required: - - from - - to + - parents type: object + required: + - spec type: object - served: true - storage: true - subresources: {} + served: false + storage: false + subresources: + status: {} status: acceptedNames: kind: "" @@ -12033,7 +17461,7 @@ status: storedVersions: null --- # Source: gateway-crds-helm/templates/standard-gatewayapi-crds.yaml -# Copyright 2025 The Kubernetes Authors. +# Copyright 2026 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12050,3 +17478,53 @@ status: # # Gateway API Standard channel install # +--- +# Source: gateway-crds-helm/templates/standard-gatewayapi-crds.yaml +# +# config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: "safe-upgrades.gateway.networking.k8s.io" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + validations: + - expression: "object.spec.group != 'gateway.networking.k8s.io' || ( + has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && + object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' )" + message: "Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs." + reason: Invalid + - expression: "object.spec.group != 'gateway.networking.k8s.io' || + (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\\\d+') && + !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))" #TODO Kubernetes 1.37: Migrate to kubernetes semver library + message: "Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions." + reason: Invalid +--- +# Source: gateway-crds-helm/templates/standard-gatewayapi-crds.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + annotations: + gateway.networking.k8s.io/bundle-version: v1.5.0-dev + gateway.networking.k8s.io/channel: standard + name: safe-upgrades.gateway.networking.k8s.io +spec: + policyName: safe-upgrades.gateway.networking.k8s.io + validationActions: [Deny] + matchResources: + resourceRules: + - apiGroups: ["apiextensions.k8s.io"] + apiVersions: ["v1"] + resources: ["customresourcedefinitions"] + operations: ["CREATE", "UPDATE"] diff --git a/test/helm/gateway-helm/certgen-annotations.out.yaml b/test/helm/gateway-helm/certgen-annotations.out.yaml index 03ee82a7f6..735029cf02 100644 --- a/test/helm/gateway-helm/certgen-annotations.out.yaml +++ b/test/helm/gateway-helm/certgen-annotations.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/certgen-args.out.yaml b/test/helm/gateway-helm/certgen-args.out.yaml index ecc0cf75d1..5802af648f 100644 --- a/test/helm/gateway-helm/certgen-args.out.yaml +++ b/test/helm/gateway-helm/certgen-args.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/certgen-labels.out.yaml b/test/helm/gateway-helm/certgen-labels.out.yaml index be57364b76..3267584bb0 100644 --- a/test/helm/gateway-helm/certgen-labels.out.yaml +++ b/test/helm/gateway-helm/certgen-labels.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 0939991c77..8eda6fef7b 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/common-labels.out.yaml b/test/helm/gateway-helm/common-labels.out.yaml index d90f736123..51c8068b3e 100644 --- a/test/helm/gateway-helm/common-labels.out.yaml +++ b/test/helm/gateway-helm/common-labels.out.yaml @@ -157,6 +157,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -172,6 +173,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -180,20 +182,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 79469e92b1..498bf6aee5 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -164,6 +164,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -179,6 +180,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -187,20 +189,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index feae839a31..f97080a7a6 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/deployment-annotations.out.yaml b/test/helm/gateway-helm/deployment-annotations.out.yaml index 3105da3cf3..93c60acf75 100644 --- a/test/helm/gateway-helm/deployment-annotations.out.yaml +++ b/test/helm/gateway-helm/deployment-annotations.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 2fc06be12b..bc94968a88 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index a5d515ce07..f39f926806 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 1b18a9c38d..ff1cc07398 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml index fb1ac4e9af..f6b3e902f8 100644 --- a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml +++ b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml index c3cb2e8724..2d0c036cf1 100644 --- a/test/helm/gateway-helm/deployment-securitycontext.out.yaml +++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 4846bda8d1..c6338fd836 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -151,6 +151,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -166,6 +167,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -174,20 +176,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml index b81f450b4c..d31620574b 100644 --- a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml @@ -217,6 +217,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -232,6 +233,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -240,20 +242,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: @@ -331,6 +319,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -346,6 +335,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -354,20 +344,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml index 2bc245ea90..e447b91939 100644 --- a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml @@ -151,6 +151,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -166,6 +167,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -174,20 +176,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-namespaceselector.out.yaml b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-namespaceselector.out.yaml index bf2c47fea4..180ba2ddd7 100644 --- a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-namespaceselector.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-namespaceselector.out.yaml @@ -156,6 +156,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -171,6 +172,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -179,20 +181,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 63f0d8f78c..2c0d029f0a 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -153,6 +153,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -168,6 +169,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -176,20 +178,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml index c087d171ba..034b49d2b3 100644 --- a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml +++ b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml @@ -153,6 +153,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -168,6 +169,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -176,20 +178,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml index 0c2ef53ea6..bbace64ac6 100644 --- a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml +++ b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml @@ -153,6 +153,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -168,6 +169,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -176,20 +178,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml index 75ed295a20..8e41f3f08d 100644 --- a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/global-registry-override-global.out.yaml b/test/helm/gateway-helm/global-registry-override-global.out.yaml index 339fa2436b..0244d2aa83 100644 --- a/test/helm/gateway-helm/global-registry-override-global.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-global.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/horizontal-pod-autoscaler-disabled.out.yaml b/test/helm/gateway-helm/horizontal-pod-autoscaler-disabled.out.yaml index 4c425eaaa1..8681e4db7f 100644 --- a/test/helm/gateway-helm/horizontal-pod-autoscaler-disabled.out.yaml +++ b/test/helm/gateway-helm/horizontal-pod-autoscaler-disabled.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml index 2d2e2599a3..c9635d7742 100644 --- a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml +++ b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/service-customization.out.yaml b/test/helm/gateway-helm/service-customization.out.yaml index e75e85cb4c..77230a2fcf 100644 --- a/test/helm/gateway-helm/service-customization.out.yaml +++ b/test/helm/gateway-helm/service-customization.out.yaml @@ -149,6 +149,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -164,6 +165,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -172,20 +174,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update - apiGroups: - "" resources: diff --git a/test/helm/gateway-helm/webhook-disabled.out.yaml b/test/helm/gateway-helm/webhook-disabled.out.yaml index 796cd5f0b5..e1fc5caebf 100644 --- a/test/helm/gateway-helm/webhook-disabled.out.yaml +++ b/test/helm/gateway-helm/webhook-disabled.out.yaml @@ -151,6 +151,7 @@ rules: - gateway.networking.k8s.io resources: - gateways + - listenersets - grpcroutes - httproutes - referencegrants @@ -166,6 +167,7 @@ rules: - gateway.networking.k8s.io resources: - gateways/status + - listenersets/status - grpcroutes/status - httproutes/status - tcproutes/status @@ -174,20 +176,6 @@ rules: - backendtlspolicies/status verbs: - update -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.x-k8s.io - resources: - - xlistenersets/status - verbs: - - update --- # Source: gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/tools/linter/codespell/.codespell.skip b/tools/linter/codespell/.codespell.skip index 91f15efdad..b654ecf79a 100644 --- a/tools/linter/codespell/.codespell.skip +++ b/tools/linter/codespell/.codespell.skip @@ -18,3 +18,4 @@ bin */testdata/*.yaml ./site/public/* ./site/node_modules/* +gatewayapi-crds.yaml \ No newline at end of file diff --git a/tools/linter/yamllint/.yamllint b/tools/linter/yamllint/.yamllint index ae2e0b76bd..a670bdc58b 100644 --- a/tools/linter/yamllint/.yamllint +++ b/tools/linter/yamllint/.yamllint @@ -15,6 +15,7 @@ ignore: | examples/extension-server/charts/extension-server site/node_modules/ .vscode/ + gatewayapi-crds.yaml rules: braces: diff --git a/tools/make/helm.mk b/tools/make/helm.mk index b37f39315b..ee9e37659e 100644 --- a/tools/make/helm.mk +++ b/tools/make/helm.mk @@ -73,11 +73,12 @@ helm-generate.%: helm-template: ## Render helm chart templates with test values. @for chart in $(CHARTS); do \ $(LOG_TARGET); \ - $(MAKE) $(addprefix helm-generate., $$(basename $${chart})); \ + $(MAKE) $(addprefix helm-template., $$(basename $${chart})); \ done .PHONY: helm-template.% helm-template.%: ## Render helm chart templates with test values. + $(eval COMMAND := $(word 1,$(subst ., ,$*))) $(eval CHART_NAME := $(COMMAND)) $(call log, "Run helm template for chart: ${CHART_NAME}!"); @for file in $(wildcard test/helm/${CHART_NAME}/*.in.yaml); do \ diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 973eb272e5..19ef42c51d 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -8,8 +8,8 @@ ENVTEST_K8S_VERSIONS ?= 1.32.0 1.33.0 1.34.1 1.35.0 # GATEWAY_API_VERSION refers to the version of Gateway API CRDs. # For more details, see https://gateway-api.sigs.k8s.io/guides/getting-started/#installing-gateway-api -GATEWAY_API_MINOR_VERSION ?= 1.4 -GATEWAY_API_VERSION ?= v$(GATEWAY_API_MINOR_VERSION).1 +GATEWAY_API_MINOR_VERSION ?= 1.5 +GATEWAY_API_VERSION ?= v$(GATEWAY_API_MINOR_VERSION).0-rc.1 GATEWAY_API_RELEASE_URL ?= https://github.com/kubernetes-sigs/gateway-api/releases/download/${GATEWAY_API_VERSION} EXPERIMENTAL_GATEWAY_API_RELEASE_URL ?= ${GATEWAY_API_RELEASE_URL}/experimental-install.yaml @@ -102,7 +102,11 @@ generate-gwapi-manifests: ## Generate Gateway API manifests and make it consiste @mkdir -p $(OUTPUT_DIR)/ @curl -sLo $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml ${EXPERIMENTAL_GATEWAY_API_RELEASE_URL} @curl -sLo $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml ${STANDARD_GATEWAY_API_RELEASE_URL} - cp $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml charts/gateway-helm/crds/gatewayapi-crds.yaml + # Remove from the charts/gateway-helm/crds since helm has a limit of 1MB for rendered secret, + # and the gatewayapi crds are too big to be rendered into secret. + # We will render them as separate yaml files and apply them before installing EG. + # Needed by embed.go + cp $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml ./gatewayapi-crds.yaml @sed -i.bak '1s/^/{{- if and .Values.crds.gatewayAPI.enabled (eq .Values.crds.gatewayAPI.channel "standard") }}\n/' $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml && \ echo '{{- end }}' >> $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml && \ sed -i.bak '1s/^/{{- if and .Values.crds.gatewayAPI.enabled (or (eq .Values.crds.gatewayAPI.channel "experimental") (eq .Values.crds.gatewayAPI.channel "")) }}\n/' $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml && \ @@ -213,7 +217,7 @@ kube-deploy-for-benchmark-test: manifests helm-generate ## Install Envoy Gateway .PHONY: kube-undeploy kube-undeploy: manifests helm-generate ## Uninstall the Envoy Gateway into the Kubernetes cluster specified in ~/.kube/config. @$(LOG_TARGET) - $(GO_TOOL) helm uninstall eg -n envoy-gateway-system + $(GO_TOOL) helm uninstall eg -n envoy-gateway-system || true # Uninstall CRDs $(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \ --set crds.gatewayAPI.enabled=true \ From 0e211a9555a1d37a6ba776dcc1d6eac602c01ae6 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 14 Feb 2026 20:19:37 +0800 Subject: [PATCH 17/22] fix Signed-off-by: zirain --- test/e2e/tests/eg_upgrade.go | 89 ++++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 18 deletions(-) diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go index b66074fe44..7d380438b3 100644 --- a/test/e2e/tests/eg_upgrade.go +++ b/test/e2e/tests/eg_upgrade.go @@ -10,7 +10,9 @@ package tests import ( "bytes" "context" + "errors" "fmt" + "io" "strings" "testing" "time" @@ -20,17 +22,18 @@ import ( "helm.sh/helm/v3/pkg/chart" "helm.sh/helm/v3/pkg/chart/loader" "helm.sh/helm/v3/pkg/cli" - "helm.sh/helm/v3/pkg/kube" + "helm.sh/helm/v3/pkg/engine" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/apimachinery/pkg/util/yaml" "k8s.io/cli-runtime/pkg/resource" - "k8s.io/kubectl/pkg/cmd/util" "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -87,13 +90,12 @@ var EGUpgradeTest = suite.ConformanceTest{ t.Fatalf("failed to uninstall envoy-gateway: %v", err) } - err := deleteChartCRDsFromPath(depNS, chartPath, t, suite.TimeoutConfig.NamespacesMustBeReady) + err := deleteCRDsFromPath(t, suite.Client) if err != nil { t.Fatalf("Failed to delete chart CRDs: %s", err.Error()) } t.Log("success to uninstall envoy gateway resources") - // Install latest version if err := ht.RunInstall(&helm.PackageOptions{ Version: lastVersionTag, @@ -102,7 +104,7 @@ var EGUpgradeTest = suite.ConformanceTest{ Wait: true, Timeout: suite.TimeoutConfig.NamespacesMustBeReady, }); err != nil { - t.Fatalf("failed to install envoy-gateway: %v", err) + t.Fatalf("failed to install envoy-gateway: %v", err) } // Apply base and test manifests deleted during uninstall phase; Manifests in current branch must be compatible with the latestVersion @@ -153,6 +155,8 @@ var EGUpgradeTest = suite.ConformanceTest{ // Perform helm upgrade of EG t.Log("Attempting to upgrade to current version of eg deployment") + // Install gateway-crds-helm + suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "../../../gatewayapi-crds.yaml", false) // TODO: when helm tool supports upgrade-from-source action, use it err = upgradeChartFromPath(relName, depNS, chartPath, suite.TimeoutConfig.NamespacesMustBeReady, t) if err != nil { @@ -334,36 +338,85 @@ func migrateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Ch return nil } -func deleteChartCRDsFromPath(relNamespace, chartPath string, t *testing.T, timeout time.Duration) error { - actionConfig := new(action.Configuration) - if err := actionConfig.Init(cli.New().RESTClientGetter(), relNamespace, "secret", t.Logf); err != nil { +func deleteCRDsFromPath(t *testing.T, cl client.Client) error { + // get rources from gateway-crds-helm then delete it + crdChart, err := loader.Load("../../../charts/gateway-crds-helm") + if err != nil { return err } - // Load the chart from a local directory. - gatewayChart, err := loader.Load(chartPath) + values := map[string]any{ + "Values": map[string]any{ + "crds": map[string]any{ + "gatewayAPI": map[string]any{ + "enabled": true, + "channel": "experimental", + }, + "envoyGateway": map[string]any{ + "enabled": true, + }, + }, + }, + } + + renderedFiles, err := engine.Render(crdChart, values) if err != nil { - return err + panic(err) + } + var data strings.Builder + for _, f := range renderedFiles { + data.WriteString(f) } + r := bytes.NewBufferString(data.String()) + decoder := yaml.NewYAMLOrJSONDecoder(r, 4096) - crds, err := extractCRDs(actionConfig, gatewayChart) + resources, err := prepareResources(decoder) if err != nil { return err } - if _, errors := actionConfig.KubeClient.Delete(crds); len(errors) != 0 { - return fmt.Errorf("failed to delete CRDs error: %s", util.MultipleErrors("", errors)) + for i := range resources { + uObj := &resources[i] + tlog.Logf(t, "delete CRD: %s", uObj.GetName()) + _ = cl.Delete(t.Context(), uObj) } - if kubeClient, ok := actionConfig.KubeClient.(kube.InterfaceExt); ok { - if err := kubeClient.WaitForDelete(crds, timeout); err != nil { - return fmt.Errorf("failed to wait for crds deletion: %s", err.Error()) - } + // XListenerSets exits in v1.4, and promote to v1.ListenerSet in v1.5 + xls := &apiextensionsv1.CustomResourceDefinition{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "apiextensions.k8s.io/v1", + Kind: "CustomResourceDefinition", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "xlistenersets.gateway.networking.x-k8s.io", + }, } + _ = cl.Delete(t.Context(), xls) return nil } +func prepareResources(decoder *yaml.YAMLOrJSONDecoder) ([]unstructured.Unstructured, error) { + var resources []unstructured.Unstructured + + for { + uObj := unstructured.Unstructured{} + if err := decoder.Decode(&uObj); err != nil { + if errors.Is(err, io.EOF) { + break + } + return nil, err + } + if len(uObj.Object) == 0 { + continue + } + + resources = append(resources, uObj) + } + + return resources, nil +} + func getGWAPIVersion(object runtime.Object) (string, error) { accessor, err := meta.Accessor(object) if err != nil { From fd404a86f043e17b3cddc20d8d20a41857dfd74b Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 14 Feb 2026 20:42:51 +0800 Subject: [PATCH 18/22] remove FailFast Signed-off-by: zirain --- test/conformance/conformance_test.go | 1 - test/conformance/experimental_conformance_test.go | 1 - test/e2e/e2e_test.go | 1 - 3 files changed, 3 deletions(-) diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index 4c17f9805c..244aaff8f1 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -45,7 +45,6 @@ func TestGatewayAPIConformance(t *testing.T) { opts.ExemptFeatures = internalSuite.ExemptFeatures opts.RunTest = *flags.RunTest opts.Hook = e2e.Hook - opts.FailFast = true // I don't know why this happens, but the UDPRoute test failed on dual stack // because on some VM(e.g. Ubuntu 22.04), the ipv4 address for UDP gateway is not diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go index 8c5907d472..64c6378078 100644 --- a/test/conformance/experimental_conformance_test.go +++ b/test/conformance/experimental_conformance_test.go @@ -37,7 +37,6 @@ func TestExperimentalConformance(t *testing.T) { opts.SkipTests = internalSuite.SkipTests opts.SupportedFeatures = internalSuite.SupportedFeatures opts.ExemptFeatures = internalSuite.ExemptFeatures - opts.FailFast = true opts.ConformanceProfiles = sets.New( suite.GatewayHTTPConformanceProfileName, diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index ce62df06d7..f72f8b9a48 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -96,7 +96,6 @@ func TestE2E(t *testing.T) { SkipTests: skipTests, AllowCRDsMismatch: *flags.AllowCRDsMismatch, Hook: Hook, - FailFast: true, }) if err != nil { t.Fatalf("Failed to create ConformanceTestSuite: %v", err) From 84ba787e313bb9df85fdba4bb50cceb02c4c8eb5 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 14 Feb 2026 21:20:10 +0800 Subject: [PATCH 19/22] skip more Signed-off-by: zirain --- test/conformance/suite.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/conformance/suite.go b/test/conformance/suite.go index 39abf5e31c..cc37014787 100644 --- a/test/conformance/suite.go +++ b/test/conformance/suite.go @@ -26,11 +26,14 @@ func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { tests.TLSRouteListenerTerminateSupportedKinds, tests.TLSRouteSimpleSameNamespace, tests.TLSRouteTerminateSimpleSameNamespace, + tests.TLSRouteMixedTerminationSameNamespace, tests.GatewayInvalidTLSBackendConfiguration, tests.GatewayWithAttachedRoutes, tests.GatewayTLSBackendClientCertificate, tests.GatewayFrontendClientCertificateValidation, tests.GatewayInvalidFrontendClientCertificateValidation, + tests.GatewayFrontendInvalidDefaultClientCertificateValidation, + tests.HTTPRouteHTTPSListenerDetectMisdirectedRequests, tests.HTTPRoute303Redirect, tests.HTTPRoute307Redirect, tests.HTTPRoute308Redirect, From 3ff3fffadb837f0a36dd3580b40d87593c38f36b Mon Sep 17 00:00:00 2001 From: zirain Date: Sun, 15 Feb 2026 09:57:14 +0800 Subject: [PATCH 20/22] gomod tidy Signed-off-by: zirain --- test/go.mod | 30 ++++++++++++------------- test/go.sum | 64 ++++++++++++++++++++++++++--------------------------- 2 files changed, 47 insertions(+), 47 deletions(-) diff --git a/test/go.mod b/test/go.mod index b358012028..70bcc8dba3 100644 --- a/test/go.mod +++ b/test/go.mod @@ -13,7 +13,7 @@ require ( github.com/go-logfmt/logfmt v0.6.1 github.com/google/go-cmp v0.7.0 github.com/google/go-containerregistry v0.20.6 - github.com/klauspost/compress v1.18.3 + github.com/klauspost/compress v1.18.4 github.com/miekg/dns v1.1.72 github.com/prometheus/client_golang v1.23.2 github.com/prometheus/client_model v0.6.2 @@ -21,17 +21,17 @@ require ( github.com/quic-go/quic-go v0.59.0 github.com/stretchr/testify v1.11.1 go.opentelemetry.io/proto/otlp v1.9.0 - golang.org/x/net v0.49.0 + golang.org/x/net v0.50.0 gonum.org/v1/gonum v0.17.0 google.golang.org/grpc v1.78.0 google.golang.org/protobuf v1.36.11 helm.sh/helm/v3 v3.20.0 - k8s.io/api v0.35.0 - k8s.io/apiextensions-apiserver v0.35.0 - k8s.io/apimachinery v0.35.0 - k8s.io/cli-runtime v0.35.0 - k8s.io/client-go v0.35.0 - k8s.io/kubectl v0.35.0 + k8s.io/api v0.35.1 + k8s.io/apiextensions-apiserver v0.35.1 + k8s.io/apimachinery v0.35.1 + k8s.io/cli-runtime v0.35.1 + k8s.io/client-go v0.35.1 + k8s.io/kubectl v0.35.1 k8s.io/utils v0.0.0-20260108192941-914a6e750570 sigs.k8s.io/controller-runtime v0.23.1 sigs.k8s.io/gateway-api v1.5.0-rc.1 @@ -273,15 +273,15 @@ require ( go.uber.org/zap v1.27.1 // indirect go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect - golang.org/x/crypto v0.47.0 // indirect + golang.org/x/crypto v0.48.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb // indirect golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect golang.org/x/mod v0.32.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect golang.org/x/sync v0.19.0 // indirect - golang.org/x/sys v0.40.0 // indirect - golang.org/x/term v0.39.0 // indirect - golang.org/x/text v0.33.0 // indirect + golang.org/x/sys v0.41.0 // indirect + golang.org/x/term v0.40.0 // indirect + golang.org/x/text v0.34.0 // indirect golang.org/x/time v0.14.0 // indirect golang.org/x/tools v0.41.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect @@ -291,11 +291,11 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiserver v0.35.0 // indirect - k8s.io/component-base v0.35.0 // indirect + k8s.io/apiserver v0.35.1 // indirect + k8s.io/component-base v0.35.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect - k8s.io/metrics v0.35.0 // indirect + k8s.io/metrics v0.35.1 // indirect oras.land/oras-go/v2 v2.6.0 // indirect periph.io/x/host/v3 v3.8.5 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect diff --git a/test/go.sum b/test/go.sum index beabee5f4c..269cf3e58d 100644 --- a/test/go.sum +++ b/test/go.sum @@ -360,8 +360,8 @@ github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dv github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw= -github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4= +github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c= +github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -701,8 +701,8 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= -golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= +golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= +golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb h1:Iu0p/klM0SM7atONioa/bPhLS7cjhnip99x1OIGibwg= golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb/go.mod h1:lxN5T34bK4Z/i6cMaU7frUU57VkDXFD4Kamfl/cp9oU= golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4= @@ -717,8 +717,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= -golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= +golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= +golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -742,15 +742,15 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= -golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY= -golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww= +golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= +golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= +golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= -golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= +golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= +golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -802,30 +802,30 @@ gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= helm.sh/helm/v3 v3.20.0 h1:2M+0qQwnbI1a2CxN7dbmfsWHg/MloeaFMnZCY56as50= helm.sh/helm/v3 v3.20.0/go.mod h1:rTavWa0lagZOxGfdhu4vgk1OjH2UYCnrDKE2PVC4N0o= -k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY= -k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA= -k8s.io/apiextensions-apiserver v0.35.0 h1:3xHk2rTOdWXXJM+RDQZJvdx0yEOgC0FgQ1PlJatA5T4= -k8s.io/apiextensions-apiserver v0.35.0/go.mod h1:E1Ahk9SADaLQ4qtzYFkwUqusXTcaV2uw3l14aqpL2LU= -k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8= -k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= -k8s.io/apiserver v0.35.0 h1:CUGo5o+7hW9GcAEF3x3usT3fX4f9r8xmgQeCBDaOgX4= -k8s.io/apiserver v0.35.0/go.mod h1:QUy1U4+PrzbJaM3XGu2tQ7U9A4udRRo5cyxkFX0GEds= -k8s.io/cli-runtime v0.35.0 h1:PEJtYS/Zr4p20PfZSLCbY6YvaoLrfByd6THQzPworUE= -k8s.io/cli-runtime v0.35.0/go.mod h1:VBRvHzosVAoVdP3XwUQn1Oqkvaa8facnokNkD7jOTMY= -k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE= -k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o= -k8s.io/component-base v0.35.0 h1:+yBrOhzri2S1BVqyVSvcM3PtPyx5GUxCK2tinZz1G94= -k8s.io/component-base v0.35.0/go.mod h1:85SCX4UCa6SCFt6p3IKAPej7jSnF3L8EbfSyMZayJR0= +k8s.io/api v0.35.1 h1:0PO/1FhlK/EQNVK5+txc4FuhQibV25VLSdLMmGpDE/Q= +k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM= +k8s.io/apiextensions-apiserver v0.35.1 h1:p5vvALkknlOcAqARwjS20kJffgzHqwyQRM8vHLwgU7w= +k8s.io/apiextensions-apiserver v0.35.1/go.mod h1:2CN4fe1GZ3HMe4wBr25qXyJnJyZaquy4nNlNmb3R7AQ= +k8s.io/apimachinery v0.35.1 h1:yxO6gV555P1YV0SANtnTjXYfiivaTPvCTKX6w6qdDsU= +k8s.io/apimachinery v0.35.1/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/apiserver v0.35.1 h1:potxdhhTL4i6AYAa2QCwtlhtB1eCdWQFvJV6fXgJzxs= +k8s.io/apiserver v0.35.1/go.mod h1:BiL6Dd3A2I/0lBnteXfWmCFobHM39vt5+hJQd7Lbpi4= +k8s.io/cli-runtime v0.35.1 h1:uKcXFe8J7AMAM4Gm2JDK4mp198dBEq2nyeYtO+JfGJE= +k8s.io/cli-runtime v0.35.1/go.mod h1:55/hiXIq1C8qIJ3WBrWxEwDLdHQYhBNRdZOz9f7yvTw= +k8s.io/client-go v0.35.1 h1:+eSfZHwuo/I19PaSxqumjqZ9l5XiTEKbIaJ+j1wLcLM= +k8s.io/client-go v0.35.1/go.mod h1:1p1KxDt3a0ruRfc/pG4qT/3oHmUj1AhSHEcxNSGg+OA= +k8s.io/component-base v0.35.1 h1:XgvpRf4srp037QWfGBLFsYMUQJkE5yMa94UsJU7pmcE= +k8s.io/component-base v0.35.1/go.mod h1:HI/6jXlwkiOL5zL9bqA3en1Ygv60F03oEpnuU1G56Bs= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.35.0 h1:/x87FED2kDSo66csKtcYCEHsxF/DBlNl7LfJ1fVQs1o= -k8s.io/kms v0.35.0/go.mod h1:VT+4ekZAdrZDMgShK37vvlyHUVhwI9t/9tvh0AyCWmQ= +k8s.io/kms v0.35.1 h1:kjv2r9g1mY7uL+l1RhyAZvWVZIA/4qIfBHXyjFGLRhU= +k8s.io/kms v0.35.1/go.mod h1:VT+4ekZAdrZDMgShK37vvlyHUVhwI9t/9tvh0AyCWmQ= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= -k8s.io/kubectl v0.35.0 h1:cL/wJKHDe8E8+rP3G7avnymcMg6bH6JEcR5w5uo06wc= -k8s.io/kubectl v0.35.0/go.mod h1:VR5/TSkYyxZwrRwY5I5dDq6l5KXmiCb+9w8IKplk3Qo= -k8s.io/metrics v0.35.0 h1:xVFoqtAGm2dMNJAcB5TFZJPCen0uEqqNt52wW7ABbX8= -k8s.io/metrics v0.35.0/go.mod h1:g2Up4dcBygZi2kQSEQVDByFs+VUwepJMzzQLJJLpq4M= +k8s.io/kubectl v0.35.1 h1:zP3Er8C5i1dcAFUMh9Eva0kVvZHptXIn/+8NtRWMxwg= +k8s.io/kubectl v0.35.1/go.mod h1:cQ2uAPs5IO/kx8R5s5J3Ihv3VCYwrx0obCXum0CvnXo= +k8s.io/metrics v0.35.1 h1:MUcrUcWlq81XiripkydzCGsY9zQawDXfP9IICNNcVVw= +k8s.io/metrics v0.35.1/go.mod h1:9x7xWOAOiWzHA0vaqLgSE4PXF3vyT5ts5XIbx8OSjiI= k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY= k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= From 329490ab2407533f6a04c27f7cf653ead9f2c9a7 Mon Sep 17 00:00:00 2001 From: zirain Date: Sun, 15 Feb 2026 10:09:12 +0800 Subject: [PATCH 21/22] fix gen Signed-off-by: zirain --- .../helm/gateway-addons-helm/default.out.yaml | 56 ++++----- test/helm/gateway-addons-helm/e2e.out.yaml | 110 +++++++++--------- 2 files changed, 85 insertions(+), 81 deletions(-) diff --git a/test/helm/gateway-addons-helm/default.out.yaml b/test/helm/gateway-addons-helm/default.out.yaml index 91bd54b028..f9100e5c0a 100644 --- a/test/helm/gateway-addons-helm/default.out.yaml +++ b/test/helm/gateway-addons-helm/default.out.yaml @@ -32,10 +32,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" automountServiceAccountToken: true --- # Source: gateway-addons-helm/charts/prometheus/templates/serviceaccount.yaml @@ -47,7 +47,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -197,10 +197,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" data: config.yaml: | @@ -297,10 +297,10 @@ metadata: name: loki-runtime namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" data: runtime-config.yaml: | {} @@ -314,7 +314,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -354,6 +354,7 @@ data: scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true - job_name: kubernetes-nodes-cadvisor bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: @@ -368,6 +369,7 @@ data: scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true - job_name: kubernetes-pods honor_labels: true kubernetes_sd_configs: @@ -9980,10 +9982,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" name: loki-clusterrole rules: - apiGroups: [""] # "" indicates the core API group @@ -9999,7 +10001,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus rules: @@ -10084,10 +10086,10 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: loki-clusterrolebinding labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" subjects: - kind: ServiceAccount name: loki @@ -10106,7 +10108,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus subjects: @@ -10203,10 +10205,10 @@ metadata: name: loki-memberlist namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" annotations: spec: type: ClusterIP @@ -10228,10 +10230,10 @@ metadata: name: loki-headless namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" variant: headless prometheus.io/service-monitor: "false" annotations: @@ -10253,10 +10255,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" annotations: spec: type: ClusterIP @@ -10283,7 +10285,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -10582,7 +10584,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -10604,14 +10606,14 @@ spec: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus spec: enableServiceLinks: true serviceAccountName: prometheus containers: - name: prometheus-server-configmap-reload - image: "quay.io/prometheus-operator/prometheus-config-reloader:v0.88.1" + image: "quay.io/prometheus-operator/prometheus-config-reloader:v0.89.0" imagePullPolicy: "IfNotPresent" args: - --watched-dir=/etc/config @@ -10698,10 +10700,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" app.kubernetes.io/component: single-binary app.kubernetes.io/part-of: memberlist spec: @@ -10741,7 +10743,7 @@ spec: terminationGracePeriodSeconds: 30 containers: - name: loki - image: docker.io/grafana/loki:3.6.3 + image: docker.io/grafana/loki:3.6.5 imagePullPolicy: IfNotPresent args: - -config.file=/etc/loki/config/config.yaml diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index aff19c2b1f..9695f514c1 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml @@ -7,10 +7,10 @@ metadata: name: alloy namespace: monitoring labels: - helm.sh/chart: alloy-1.5.3 + helm.sh/chart: alloy-1.6.0 app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "v1.12.2" + app.kubernetes.io/version: "v1.13.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: alloy app.kubernetes.io/component: rbac @@ -22,10 +22,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" automountServiceAccountToken: true --- # Source: gateway-addons-helm/charts/opentelemetry-collector/templates/serviceaccount.yaml @@ -35,10 +35,10 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.144.0 + helm.sh/chart: opentelemetry-collector-0.145.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.144.0" + app.kubernetes.io/version: "0.145.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: opentelemetry-collector app.kubernetes.io/component: standalone-collector @@ -52,7 +52,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -80,10 +80,10 @@ metadata: name: alloy namespace: monitoring labels: - helm.sh/chart: alloy-1.5.3 + helm.sh/chart: alloy-1.6.0 app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "v1.12.2" + app.kubernetes.io/version: "v1.13.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: alloy app.kubernetes.io/component: config @@ -192,10 +192,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" data: config.yaml: | @@ -292,10 +292,10 @@ metadata: name: loki-runtime namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" data: runtime-config.yaml: | {} @@ -307,10 +307,10 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.144.0 + helm.sh/chart: opentelemetry-collector-0.145.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.144.0" + app.kubernetes.io/version: "0.145.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: opentelemetry-collector app.kubernetes.io/component: standalone-collector @@ -462,7 +462,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -502,6 +502,7 @@ data: scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true - job_name: kubernetes-nodes-cadvisor bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: @@ -516,6 +517,7 @@ data: scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true - job_name: kubernetes-pods honor_labels: true kubernetes_sd_configs: @@ -10096,10 +10098,10 @@ kind: ClusterRole metadata: name: alloy labels: - helm.sh/chart: alloy-1.5.3 + helm.sh/chart: alloy-1.6.0 app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "v1.12.2" + app.kubernetes.io/version: "v1.13.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: alloy app.kubernetes.io/component: rbac @@ -10223,10 +10225,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" name: loki-clusterrole rules: - apiGroups: [""] # "" indicates the core API group @@ -10239,10 +10241,10 @@ kind: ClusterRole metadata: name: otel-collector labels: - helm.sh/chart: opentelemetry-collector-0.144.0 + helm.sh/chart: opentelemetry-collector-0.145.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.144.0" + app.kubernetes.io/version: "0.145.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: opentelemetry-collector app.kubernetes.io/component: standalone-collector @@ -10266,7 +10268,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus rules: @@ -10312,10 +10314,10 @@ kind: ClusterRoleBinding metadata: name: alloy labels: - helm.sh/chart: alloy-1.5.3 + helm.sh/chart: alloy-1.6.0 app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "v1.12.2" + app.kubernetes.io/version: "v1.13.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: alloy app.kubernetes.io/component: rbac @@ -10334,10 +10336,10 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: loki-clusterrolebinding labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" subjects: - kind: ServiceAccount name: loki @@ -10353,10 +10355,10 @@ kind: ClusterRoleBinding metadata: name: otel-collector labels: - helm.sh/chart: opentelemetry-collector-0.144.0 + helm.sh/chart: opentelemetry-collector-0.145.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.144.0" + app.kubernetes.io/version: "0.145.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: opentelemetry-collector app.kubernetes.io/component: standalone-collector @@ -10378,7 +10380,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus subjects: @@ -10397,10 +10399,10 @@ metadata: name: alloy namespace: monitoring labels: - helm.sh/chart: alloy-1.5.3 + helm.sh/chart: alloy-1.6.0 app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "v1.12.2" + app.kubernetes.io/version: "v1.13.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: alloy app.kubernetes.io/component: networking @@ -10422,10 +10424,10 @@ metadata: name: loki-memberlist namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" annotations: spec: type: ClusterIP @@ -10447,10 +10449,10 @@ metadata: name: loki-headless namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" variant: headless prometheus.io/service-monitor: "false" annotations: @@ -10472,10 +10474,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" annotations: spec: type: ClusterIP @@ -10500,10 +10502,10 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.144.0 + helm.sh/chart: opentelemetry-collector-0.145.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.144.0" + app.kubernetes.io/version: "0.145.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: opentelemetry-collector app.kubernetes.io/component: standalone-collector @@ -10561,7 +10563,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -10647,10 +10649,10 @@ metadata: name: alloy namespace: monitoring labels: - helm.sh/chart: alloy-1.5.3 + helm.sh/chart: alloy-1.6.0 app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "v1.12.2" + app.kubernetes.io/version: "v1.13.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: alloy spec: @@ -10669,7 +10671,7 @@ spec: serviceAccountName: alloy containers: - name: alloy - image: docker.io/grafana/alloy:v1.12.2 + image: docker.io/grafana/alloy:v1.13.0 imagePullPolicy: IfNotPresent args: - run @@ -10723,10 +10725,10 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.144.0 + helm.sh/chart: opentelemetry-collector-0.145.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.144.0" + app.kubernetes.io/version: "0.145.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: opentelemetry-collector app.kubernetes.io/component: standalone-collector @@ -10743,7 +10745,7 @@ spec: template: metadata: annotations: - checksum/config: c77165e7a80ad52ad2348c14670653d38bc83f20882e00d7622fe7bfabbf0f1e + checksum/config: d648a35e32e4f636184a961f0ca11602a78f6b48660e80eafda078b04373e02e labels: app.kubernetes.io/name: opentelemetry-collector @@ -10762,7 +10764,7 @@ spec: - --config=/conf/relay.yaml securityContext: {} - image: "otel/opentelemetry-collector-contrib:0.144.0" + image: "otel/opentelemetry-collector-contrib:0.145.0" imagePullPolicy: IfNotPresent ports: @@ -10826,7 +10828,7 @@ metadata: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus name: prometheus namespace: monitoring @@ -10848,14 +10850,14 @@ spec: app.kubernetes.io/name: prometheus app.kubernetes.io/instance: gateway-addons-helm app.kubernetes.io/version: v3.9.1 - helm.sh/chart: prometheus-28.8.0 + helm.sh/chart: prometheus-28.9.0 app.kubernetes.io/part-of: prometheus spec: enableServiceLinks: true serviceAccountName: prometheus containers: - name: prometheus-server-configmap-reload - image: "quay.io/prometheus-operator/prometheus-config-reloader:v0.88.1" + image: "quay.io/prometheus-operator/prometheus-config-reloader:v0.89.0" imagePullPolicy: "IfNotPresent" args: - --watched-dir=/etc/config @@ -10942,10 +10944,10 @@ metadata: name: loki namespace: monitoring labels: - helm.sh/chart: loki-6.51.0 + helm.sh/chart: loki-6.53.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "3.6.3" + app.kubernetes.io/version: "3.6.5" app.kubernetes.io/component: single-binary app.kubernetes.io/part-of: memberlist spec: @@ -10985,7 +10987,7 @@ spec: terminationGracePeriodSeconds: 30 containers: - name: loki - image: docker.io/grafana/loki:3.6.3 + image: docker.io/grafana/loki:3.6.5 imagePullPolicy: IfNotPresent args: - -config.file=/etc/loki/config/config.yaml From c8744e0f1fa7d3d976355e7a0e1562865effc358 Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 16 Feb 2026 08:23:29 +0800 Subject: [PATCH 22/22] skip ListenerSet Signed-off-by: zirain --- test/conformance/suite.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/test/conformance/suite.go b/test/conformance/suite.go index cc37014787..2feaa29473 100644 --- a/test/conformance/suite.go +++ b/test/conformance/suite.go @@ -52,12 +52,17 @@ func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest { // SkipFeatures is a list of features that are skipped in the conformance report. func SkipFeatures(gatewayNamespaceMode bool) sets.Set[features.FeatureName] { if gatewayNamespaceMode { - return sets.New(features.GatewayStaticAddressesFeature.Name) + return sets.New( + features.GatewayStaticAddressesFeature.Name, + // TODO: fix ListenerSet conformance tests and remove this from the skipped features list. + features.ListenerSetFeature.Name, + ) } return sets.New( features.GatewayStaticAddressesFeature.Name, features.GatewayInfrastructurePropagationFeature.Name, + // TODO: fix ListenerSet conformance tests and remove this from the skipped features list. features.ListenerSetFeature.Name, ) }