diff --git a/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml b/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml index 04937cf1f..bbe5a9902 100644 --- a/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml +++ b/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml @@ -51,20 +51,6 @@ spec: name: rybbit-config-secret image: clickhouse/clickhouse-server:26.2.5 imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - CMD - - wget - - --no-verbose - - --tries=1 - - --spider - - http://localhost:8123/ping - failureThreshold: 5 - initialDelaySeconds: 10 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 name: main resources: requests: diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-backendtlspolicies.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-backendtlspolicies.gateway.networking.k8s.io.yaml index fa4c38b8e..4874fab87 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-backendtlspolicies.gateway.networking.k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-backendtlspolicies.gateway.networking.k8s.io.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 app.kubernetes.io/managed-by: Helm - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: 
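Review bot: Dropping the livenessProbe leaves the ClickHouse container with no automatic restart path if the server wedges, while the removed probe's actual defect looks to be the leading `CMD` element in `exec.command`, which is Docker Compose healthcheck syntax rather than an executable, so the exec probe presumably could never pass. Keeping the probe and deleting just the `- CMD` entry would make `wget --no-verbose --tries=1 --spider http://localhost:8123/ping` run as intended and preserve the existing tuning (`failureThreshold: 5`, `periodSeconds: 30`, `timeoutSeconds: 5`). Whether a readinessProbe exists for this container is not visible here; the container spec starts and ends outside the hunk.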
@@ -81,8 +81,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. 
@@ -103,17 +101,42 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. - Support: Extended for Kubernetes Service + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. - Support: Implementation-specific for any other resource + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. 
+ They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -334,8 +357,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -345,9 +368,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certificates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname 
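Review bot: In the `wellKnownCACertificates` hunk, replacing `enum: [System]` with a `pattern` regex means the API server now admits any implementation-prefixed name, so rejecting an unknown trust-anchor set (with `Accepted` set to `status: False`, Reason `Invalid`, as the description states) moves from admission to the controller. Since this CRD is Helm-rendered from upstream and annotated `bundle-version: v1.5.1`, it is worth confirming the deployed Traefik release actually targets that bundle before applying, because a controller built against the old enum may surface an unrecognised value only as a status condition or not at all. The same change is repeated at `@@ -982,9 +1036,17 @@` on the second version of this CRD.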
@@ -718,8 +749,6 @@ spec: targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy. 
@@ -740,17 +769,42 @@ spec: example, a policy with a creation timestamp of "2021-07-15 01:02:03" MUST be given precedence over a policy with a creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. + * The policy appearing first in alphabetical order by {namespace}/{name}. + For example, a policy named `foo/bar` is given precedence over a + policy named `foo/baz`. For any BackendTLSPolicy that does not take precedence, the implementation MUST ensure the `Accepted` Condition is set to `status: False`, with Reason `Conflicted`. - Support: Extended for Kubernetes Service + Implementations SHOULD NOT support more than one targetRef at this + time. Although the API technically allows for this, the current guidance + for conflict resolution and status handling is lacking. Until that can be + clarified in a future release, the safest approach is to support a single + targetRef. - Support: Implementation-specific for any other resource + Support Levels: + + * Extended: Kubernetes Service referenced by HTTPRoute backendRefs. + + * Implementation-Specific: Services not connected via HTTPRoute, and any + other kind of backend. Implementations MAY use BackendTLSPolicy for: + - Services not referenced by any Route (e.g., infrastructure services) + - Gateway feature backends (e.g., ExternalAuth, rate-limiting services) + - Service mesh workload-to-service communication + - Other resource types beyond Service + + Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent, + even outside of the extended HTTPRoute -(backendRef) -> Service path. 
+ They SHOULD clearly document how BackendTLSPolicy is interpreted in these + scenarios, including: + - Which resources beyond Service are supported + - How the policy is discovered and applied + - Any implementation-specific semantics or restrictions + + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. items: description: |- LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a @@ -971,8 +1025,8 @@ spec: x-kubernetes-list-type: atomic wellKnownCACertificates: description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. + WellKnownCACertificates specifies whether a well-known set of CA certificates + may be used in the TLS handshake between the gateway and backend pod. If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of @@ -982,9 +1036,17 @@ spec: `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with a Reason `Invalid`. + Valid values include: + * "System" - indicates that well-known system CA certificates should be used. + + Implementations MAY define their own sets of CA certificates. Such definitions + MUST use an implementation-specific, prefixed name, such as + `mycompany.com/my-custom-ca-certificates`. + Support: Implementation-specific - enum: - - System + maxLength: 253 + minLength: 1 + pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$ type: string required: - hostname @@ -1298,6 +1360,8 @@ spec: type: object served: true storage: false + subresources: + status: {} status: acceptedNames: kind: "" 
diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gatewayclasses.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gatewayclasses.gateway.networking.k8s.io.yaml index 3d26450ff..15414e852 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gatewayclasses.gateway.networking.k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gatewayclasses.gateway.networking.k8s.io.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 app.kubernetes.io/managed-by: Helm - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gateways.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gateways.gateway.networking.k8s.io.yaml index c1a0fcee1..e36908274 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gateways.gateway.networking.k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-gateways.gateway.networking.k8s.io.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 app.kubernetes.io/managed-by: Helm - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: 
@@ -135,14 +135,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -155,7 +155,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -694,7 +694,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. @@ -899,6 +899,8 @@ spec: rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)' - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' - message: Listener name must be unique within the Gateway 
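Review bot: The new CEL rule `tls mode must be set for protocol TLS` turns a previously accepted shape into an admission failure: any Gateway in this cluster with a `protocol: TLS` listener whose `tls` block is absent or whose `tls.mode` is empty will be rejected on its next write once this CRD is applied, and the rule appears again at `@@ -2435,6 +2508,8 @@`. Unlike the HTTPS rule just above it, which tolerates `mode == ''`, this one requires `has(l.tls) && has(l.tls.mode)`, so listeners that relied on an implicit default now need an explicit mode. Worth auditing existing Gateway objects for TLS listeners before rolling the CRD out; the validation list continues outside the hunk.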
@@ -924,19 +926,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + A ClientCertificateRef is considered invalid if: - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. - Support: Core + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -1002,27 +1015,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. + A CACertificateRef is invalid if: - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. 
If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -1144,27 +1179,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. + A CACertificateRef is invalid if: - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. 
If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -1333,6 +1390,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -1435,8 +1506,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. 
@@ -1511,7 +1585,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -1544,7 +1618,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array @@ -1671,14 +1744,14 @@ spec: allowedListeners: description: |- AllowedListeners defines which ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: namespaces: default: from: None description: |- Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - While this feature is experimental, the default value is to allow no ListenerSets. + The default value is to allow no ListenerSets. properties: from: default: None @@ -1691,7 +1764,7 @@ spec: * All: ListenerSets in all namespaces may be attached to this Gateway. * None: Only listeners defined in the Gateway's spec are allowed - While this feature is experimental, the default value None + The default value None enum: - All - Selector @@ -2230,7 +2303,7 @@ spec: the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a + * If another Listener does match the Host, the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. 
@@ -2435,6 +2508,8 @@ spec: rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)' - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' + - message: tls mode must be set for protocol TLS + rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))' - message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' - message: Listener name must be unique within the Gateway 
@@ -2460,19 +2535,30 @@ spec: properties: clientCertificateRef: description: |- - ClientCertificateRef is a reference to an object that contains a Client - Certificate and the associated private key. + ClientCertificateRef references an object that contains a client certificate + and its associated private key. It can reference standard Kubernetes resources, + i.e., Secret, or implementation-specific custom resources. - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + A ClientCertificateRef is considered invalid if: - ClientCertificateRef can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a Secret does not contain the keys + named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef` + and the Message of the Condition MUST indicate why the reference is invalid. - Support: Core + * It refers to a resource in another namespace UNLESS there is a ReferenceGrant + in the target namespace that allows the certificate to be attached. + If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition + on the Gateway MUST be set to False with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message MUST be set. + + Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`). 
+ Support: Implementation-specific - Other resource kinds or Secrets with a + different type (e.g., `Opaque`). properties: group: default: "" 
@@ -2538,27 +2624,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. + A CACertificateRef is invalid if: - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. 
If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -2680,27 +2788,49 @@ spec: properties: caCertificateRefs: description: |- - CACertificateRefs contains one or more references to - Kubernetes objects that contain TLS certificates of - the Certificate Authorities that can be used - as a trust anchor to validate the certificates presented by the client. + CACertificateRefs contains one or more references to Kubernetes + objects that contain a PEM-encoded TLS CA certificate bundle, which + is used as a trust anchor to validate the certificates presented by + the client. - A single CA certificate reference to a Kubernetes ConfigMap - has "Core" support. - Implementations MAY choose to support attaching multiple CA certificates to - a Listener, but this behavior is implementation-specific. + A CACertificateRef is invalid if: - Support: Core - A single reference to a Kubernetes ConfigMap - with the CA certificate in a key named `ca.crt`. + * It refers to a resource that cannot be resolved (e.g., the + referenced resource does not exist) or is misconfigured (e.g., a + ConfigMap does not contain a key named `ca.crt`). In this case, the + Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. - Support: Implementation-specific (More than one certificate in a ConfigMap - with different keys or more than one reference, or other kinds of resources). + * It refers to an unknown or unsupported kind of resource. In this + case, the Reason on all matching HTTPS listeners must be set to + `InvalidCACertificateKind` and the Message of the Condition must explain + which kind of resource is unknown or unsupported. - References to a resource in a different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. 
If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. + * It refers to a resource in another namespace UNLESS there is a + ReferenceGrant in the target namespace that allows the CA + certificate to be attached. If a ReferenceGrant does not allow this + reference, the `ResolvedRefs` on all matching HTTPS listeners condition + MUST be set with the Reason `RefNotPermitted`. + + Implementations MAY choose to perform further validation of the + certificate content (e.g., checking expiry or enforcing specific formats). + In such cases, an implementation-specific Reason and Message MUST be set. + + In all cases, the implementation MUST ensure that the `ResolvedRefs` + condition is set to `status: False` on all targeted listeners (i.e., + listeners serving HTTPS on a matching port). The condition MUST + include a Reason and Message that indicate the cause of the error. If + ALL CACertificateRefs are invalid, the implementation MUST also ensure + the `Accepted` condition on the listener is set to `status: False`, with + the Reason `NoValidCACertificate`. + Implementations MAY choose to support attaching multiple CA certificates + to a listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap, with the + CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. items: description: |- ObjectReference identifies an API object including its namespace. 
@@ -2869,6 +2999,20 @@ spec: maxItems: 16 type: array x-kubernetes-list-type: atomic + attachedListenerSets: + description: |- + AttachedListenerSets represents the total number of ListenerSets that have been + successfully attached to this Gateway. + + A ListenerSet is successfully attached to a Gateway when all the following conditions are met: + - The ListenerSet is selected by the Gateway's AllowedListeners field + - The ListenerSet has a valid ParentRef selecting the Gateway + - The ListenerSet's status has the condition "Accepted: true" + + Uses for this field include troubleshooting AttachedListenerSets attachment and + measuring blast radius/impact of changes to a Gateway. + format: int32 + type: integer conditions: default: - lastTransitionTime: "1970-01-01T00:00:00Z" @@ -2971,8 +3115,11 @@ spec: attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. + for Listeners, even if the Accepted condition of an individual Listener is set + to "False". The AttachedRoutes number represents the number of Routes with + the Accepted condition set to "True" that have been attached to this Listener. + Routes with any other value for the Accepted condition MUST NOT be included + in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. 
@@ -3047,7 +3194,7 @@ spec: supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for + listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT @@ -3080,7 +3227,6 @@ spec: - attachedRoutes - conditions - name - - supportedKinds type: object maxItems: 64 type: array diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-grpcroutes.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-grpcroutes.gateway.networking.k8s.io.yaml index 75253e312..5fa976985 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-grpcroutes.gateway.networking.k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-grpcroutes.gateway.networking.k8s.io.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 app.kubernetes.io/managed-by: Helm - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: @@ -528,9 +528,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -600,9 +605,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -802,9 +812,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -874,9 +889,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1149,9 +1169,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name 
@@ -1221,9 +1246,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1423,9 +1453,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1495,9 +1530,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1634,8 +1674,8 @@ spec: - method: type: Exact service: "foo" - headers: - - name: "version" + - headers: + name: "version" value "v1" ``` @@ -1812,7 +1852,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type 
@@ -1826,6 +1866,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' type: object maxItems: 16 type: array @@ -1898,7 +1940,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-httproutes.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-httproutes.gateway.networking.k8s.io.yaml index 579d4a776..fbb4d525d 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-httproutes.gateway.networking.k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-httproutes.gateway.networking.k8s.io.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 app.kubernetes.io/managed-by: Helm - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: 
@@ -469,7 +469,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). @@ -488,18 +488,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: 
@@ -523,6 +526,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the @@ -531,7 +537,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` 
@@ -551,18 +557,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -628,10 +637,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -643,12 +661,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -678,14 +696,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -721,6 +743,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -897,6 +922,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -935,6 +961,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -946,6 +973,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -1040,9 +1068,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1112,9 +1145,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1414,6 +1452,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -1459,9 +1500,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1531,9 +1577,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -1669,6 +1720,10 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')' - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type 
@@ -1693,10 +1748,6 @@ spec: rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' - message: filter.externalAuth must be specified for ExternalAuth filter.type @@ -1707,6 +1758,8 @@ spec: x-kubernetes-validations: - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 - message: RequestHeaderModifier filter cannot be repeated rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1 - message: ResponseHeaderModifier filter cannot be repeated @@ -1877,7 +1930,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -1896,18 +1949,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -1931,6 +1987,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -1939,7 +1998,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -1959,18 +2018,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -2036,10 +2098,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -2051,12 +2122,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -2086,14 +2157,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -2129,6 +2204,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -2305,6 +2383,7 @@ spec: If the list has entries, only those entries must be sent. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set type: object @@ -2343,6 +2422,7 @@ spec: request must be set to the actual number of bytes forwarded. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set allowedResponseHeaders: @@ -2354,6 +2434,7 @@ spec: except Authority or Host must be copied. items: type: string + maxItems: 64 type: array x-kubernetes-list-type: set path: @@ -2448,9 +2529,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -2520,9 +2606,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 maxLength: 4096 minLength: 1 + pattern: ^[!-~]+([\t ]?[!-~]+)*$ type: string required: - name @@ -2822,6 +2913,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -2867,9 +2961,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -2939,9 +3038,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -3077,6 +3181,10 @@ spec:
 - type
 type: object
 x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
 - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier
 rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')'
 - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type
@@ -3101,10 +3209,6 @@ spec:
 rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
 - message: filter.extensionRef must be specified for ExtensionRef filter.type
 rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
 - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth
 rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
 - message: filter.externalAuth must be specified for ExternalAuth filter.type
@@ -3115,6 +3219,8 @@ spec:
 x-kubernetes-validations:
 - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both
 rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
 - message: RequestHeaderModifier filter cannot be repeated
 rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1
 - message: ResponseHeaderModifier filter cannot be repeated
@@ -3236,9 +3342,14 @@ spec:
 - RegularExpression
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -3423,7 +3534,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -3466,7 +3577,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -3557,7 +3668,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -3571,6 +3682,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. 
@@ -3643,6 +3756,7 @@ spec: - message: Within backendRefs, When using URLRewrite filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -3713,7 +3827,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: @@ -4395,7 +4509,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
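Review bot: `minItems: 1` in the hunk at -3643 is a tightening of an existing list, and the list's own key is outside the hunk; the neighbouring rule references `self.backendRefs` and `self.matches`, which suggests this is the route `rules` array, so an existing HTTPRoute with `rules: []` keeps running but is rejected on its next write once the new CRD is applied, because stored objects are only re-validated when updated. Before syncing, it is worth listing such objects, e.g. `kubectl get httproutes -A -o json | jq '.items[] | select(.spec.rules == []) | .metadata.name'` (constructed check; adjust to the cluster's tooling). The same line is added in the hunk at -7569 for the other served version.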
@@ -4414,18 +4528,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -4449,6 +4566,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
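Review bot: The CEL message added in the hunk at -4449 reads `AllowHeaders cannot contain '*' alongside other methods`, but the rule is attached to the `allowHeaders` list, so the user-facing rejection text should say headers: `- message: AllowHeaders cannot contain '*' alongside other headers`. The same message recurs in the hunk at -5857. No equivalent `x-kubernetes-validations` rule is visible in this diff for `allowMethods` or `allowOrigins`, whose descriptions describe the same wildcard semantics; if one exists elsewhere in the file that is fine, otherwise a `*` mixed with explicit entries is accepted for those lists and its meaning is left to the implementation.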
@@ -4457,7 +4577,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -4477,18 +4597,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -4554,10 +4677,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -4569,12 +4701,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -4604,14 +4736,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -4647,6 +4783,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -4823,6 +4962,7 @@ spec:
 If the list has entries, only those entries must be sent.
 items:
 type: string
+ maxItems: 64
 type: array
 x-kubernetes-list-type: set
 type: object
@@ -4861,6 +5001,7 @@ spec:
 request must be set to the actual number of bytes forwarded.
 items:
 type: string
+ maxItems: 64
 type: array
 x-kubernetes-list-type: set
 allowedResponseHeaders:
@@ -4872,6 +5013,7 @@ spec:
 except Authority or Host must be copied.
 items:
 type: string
+ maxItems: 64
 type: array
 x-kubernetes-list-type: set
 path:
@@ -4966,9 +5108,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -5038,9 +5185,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -5340,6 +5492,9 @@ spec:
 enum:
 - 301
 - 302
+ - 303
+ - 307
+ - 308
 type: integer
 type: object
 responseHeaderModifier:
@@ -5385,9 +5540,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -5457,9 +5617,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -5595,6 +5760,10 @@ spec:
 - type
 type: object
 x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
 - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier
 rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')'
 - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type
@@ -5619,10 +5788,6 @@ spec: rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - message: filter.extensionRef must be specified for ExtensionRef filter.type rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - - message: filter.cors must be nil if the filter.type is not CORS - rule: '!(has(self.cors) && self.type != ''CORS'')' - - message: filter.cors must be specified for CORS filter.type - rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')' - message: filter.externalAuth must be specified for ExternalAuth filter.type @@ -5633,6 +5798,8 @@ spec: x-kubernetes-validations: - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' + - message: CORS filter cannot be repeated + rule: self.filter(f, f.type == 'CORS').size() <= 1 - message: RequestHeaderModifier filter cannot be repeated rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1 - message: ResponseHeaderModifier filter cannot be repeated @@ -5803,7 +5970,7 @@ spec: AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -5822,18 +5989,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is true and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -5857,6 +6027,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -5865,7 +6038,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -5885,18 +6058,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is true and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -5962,10 +6138,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is false or omitted. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is true and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -5977,12 +6162,12 @@ spec: description: |- The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in RFC3986. The CORSOrigin MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character. + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. URIs that include an authority MUST include a fully qualified domain name or IP address as the host. maxLength: 253 minLength: 1 - pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$) + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array @@ -6012,14 +6197,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is false or omitted. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -6055,6 +6244,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -6231,6 +6423,7 @@ spec:
 If the list has entries, only those entries must be sent.
 items:
 type: string
+ maxItems: 64
 type: array
 x-kubernetes-list-type: set
 type: object
@@ -6269,6 +6462,7 @@ spec:
 request must be set to the actual number of bytes forwarded.
 items:
 type: string
+ maxItems: 64
 type: array
 x-kubernetes-list-type: set
 allowedResponseHeaders:
@@ -6280,6 +6474,7 @@ spec:
 except Authority or Host must be copied.
 items:
 type: string
+ maxItems: 64
 type: array
 x-kubernetes-list-type: set
 path:
@@ -6374,9 +6569,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -6446,9 +6646,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -6748,6 +6953,9 @@ spec:
 enum:
 - 301
 - 302
+ - 303
+ - 307
+ - 308
 type: integer
 type: object
 responseHeaderModifier:
@@ -6793,9 +7001,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -6865,9 +7078,14 @@ spec:
 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -7003,6 +7221,10 @@ spec:
 - type
 type: object
 x-kubernetes-validations:
+ - message: filter.cors must be nil if the filter.type is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
 - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier
 rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')'
 - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type
@@ -7027,10 +7249,6 @@ spec:
 rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
 - message: filter.extensionRef must be specified for ExtensionRef filter.type
 rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
 - message: filter.externalAuth must be nil if the filter.type is not ExternalAuth
 rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
 - message: filter.externalAuth must be specified for ExternalAuth filter.type
@@ -7041,6 +7259,8 @@ spec:
 x-kubernetes-validations:
 - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both
 rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))'
+ - message: CORS filter cannot be repeated
+ rule: self.filter(f, f.type == 'CORS').size() <= 1
 - message: RequestHeaderModifier filter cannot be repeated
 rule: self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1
 - message: ResponseHeaderModifier filter cannot be repeated
@@ -7162,9 +7382,14 @@ spec:
 - RegularExpression
 type: string
 value:
- description: Value is the value of HTTP Header to be matched.
+ description: |-
+ Value is the value of HTTP Header to be matched.
+
+ Must consist of printable US-ASCII characters, optionally separated
+ by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
 maxLength: 4096
 minLength: 1
+ pattern: ^[!-~]+([\t ]?[!-~]+)*$
 type: string
 required:
 - name
@@ -7349,7 +7574,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -7392,7 +7617,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -7483,7 +7708,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -7497,6 +7722,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. 
@@ -7569,6 +7796,7 @@ spec: - message: Within backendRefs, When using URLRewrite filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array x-kubernetes-list-type: atomic x-kubernetes-validations: @@ -7639,7 +7867,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xlistenersets.gateway.networking.x-k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-listenersets.gateway.networking.k8s.io.yaml similarity index 95% rename from clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xlistenersets.gateway.networking.x-k8s.io.yaml rename to clusters/cl01tl/manifests/traefik/CustomResourceDefinition-listenersets.gateway.networking.k8s.io.yaml index 2bd20d691..74ff20100 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xlistenersets.gateway.networking.x-k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-listenersets.gateway.networking.k8s.io.yaml 
@@ -2,25 +2,25 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition metadata: annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: app.kubernetes.io/managed-by: Helm
- name: xlistenersets.gateway.networking.x-k8s.io
+ name: listenersets.gateway.networking.k8s.io
spec:
- group: gateway.networking.x-k8s.io
+ group: gateway.networking.k8s.io
names: categories: - gateway-api
- kind: XListenerSet
- listKind: XListenerSetList
- plural: xlistenersets
+ kind: ListenerSet
+ listKind: ListenerSetList
+ plural: listenersets
shortNames: - lset
- singular: xlistenerset
+ singular: listenerset
scope: Namespaced versions: - additionalPrinterColumns:
@@ -33,11 +33,11 @@ spec:
- jsonPath: .metadata.creationTimestamp name: Age type: date
- name: v1alpha1
+ name: v1
schema: openAPIV3Schema: description: |-
- XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ ListenerSet defines a set of additional listeners to attach to an existing Gateway.
This resource provides a mechanism to merge multiple listeners into a single Gateway. The parent Gateway must explicitly allow ListenerSet attachment through its
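Review bot: Changing `name` to `listenersets.gateway.networking.k8s.io` and `group` to `gateway.networking.k8s.io` registers a new CRD rather than updating `xlistenersets.gateway.networking.x-k8s.io`, so existing XListenerSet objects are not carried over and the old CRD remains in the cluster unless whatever applies these manifests prunes files that disappear from the tree. The `helm.sh/resource-policy: keep` annotation carried on the old object suggests it may survive a prune deliberately, which would leave two listener-set APIs served side by side; this cannot be determined from the diff alone. I would check for XListenerSet objects before syncing and record the cutover in the commit description, e.g. `ListenerSet v1 (group gateway.networking.k8s.io) replaces XListenerSet v1alpha1; existing XListenerSet objects must be recreated as ListenerSet and the old CRD removed once empty`. The same rename is reflected in the following `@@ -33,11 +33,11 @@` hunk.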
@@ -59,11 +59,12 @@ spec:
- A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant Gateway Integration:
- - The parent Gateway's status will include an "AttachedListenerSets" condition
- - This condition will be:
- - True: when AllowedListeners is set and at least one child ListenerSet is attached
- - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
- - Unknown: when no AllowedListeners config is present
+ - The parent Gateway's status will include "AttachedListenerSets"
+ which is the count of ListenerSets that have successfully attached to a Gateway
+ A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
+ - The ListenerSet is selected by the Gateway's AllowedListeners field
+ - The ListenerSet has a valid ParentRef selecting the Gateway
+ - The ListenerSet's status has the condition "Accepted: true"
properties: apiVersion: description: |-
@@ -297,18 +298,12 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string port:
- default: 0
description: |- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
-
- If the port is not set or specified as zero, the implementation will assign
- a unique port. If the implementation does not support dynamic port
- assignment, it MUST set `Accepted` condition to `False` with the
- `UnsupportedPort` reason.
format: int32 maximum: 65535
- minimum: 0
+ minimum: 1
type: integer protocol: description: Protocol specifies the network protocol this listener expects to receive.
@@ -456,6 +451,7 @@ spec:
rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) > 0 || size(self.options) > 0 : true' required: - name
+ - port
- protocol type: object maxItems: 64
@@ -469,6 +465,8 @@ spec:
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)' - message: tls mode must be Terminate for protocol HTTPS rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: tls mode must be set for protocol TLS
+ rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP'] rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' - message: Listener name must be unique within the Gateway
@@ -626,10 +624,13 @@ spec:
AND the Route has a valid ParentRef selecting the whole Gateway resource or a specific Listener as a parent resource (more detail on attachment semantics can be found in the documentation on the various
- Route kinds ParentRefs fields). Listener or Route status does not impact
+ Route kinds ParentRefs fields). Listener status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
- for Listeners with condition Accepted: false and MUST count successfully
- attached Routes that may themselves have Accepted: false conditions.
+ for Listeners, even if the Accepted condition of an individual Listener is set
+ to "False". The AttachedRoutes number represents the number of Routes with
+ the Accepted condition set to "True" that have been attached to this Listener.
+ Routes with any other value for the Accepted condition MUST NOT be included
+ in this count.
Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener.
@@ -701,16 +702,10 @@ spec:
minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string
- port:
- description: Port is the network port the listener is configured to listen on.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
supportedKinds: description: |- SupportedKinds is the list indicating the Kinds supported by this
- listener. This MUST represent the kinds an implementation supports for
+ listener. This MUST represent the kinds supported by an implementation for
that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT
@@ -743,8 +738,6 @@ spec:
- attachedRoutes - conditions - name
- - port
- - supportedKinds
type: object maxItems: 64 type: array
diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-referencegrants.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-referencegrants.gateway.networking.k8s.io.yaml
index af05aa7da..27352239d 100644
--- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-referencegrants.gateway.networking.k8s.io.yaml
+++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-referencegrants.gateway.networking.k8s.io.yaml
@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition metadata: annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels:
@@ -23,6 +23,168 @@ spec:
singular: referencegrant scope: Namespaced versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
+
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
+
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
+
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and kinds.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
+
+ When used to permit a SecretObjectReference:
+
+ * Gateway
+
+ When used to permit a BackendObjectReference:
+
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
+
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources: {}
- additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age
diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tcproutes.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tcproutes.gateway.networking.k8s.io.yaml
index 6a79021d0..c8c233a51 100644
--- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tcproutes.gateway.networking.k8s.io.yaml
+++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tcproutes.gateway.networking.k8s.io.yaml
@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition metadata: annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels:
@@ -496,7 +496,7 @@ spec:
* The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
+ * The Route is in a namespace to which the controller does not have access.
items: description: Condition contains details for one aspect of the current state of this API Resource. properties:
diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tlsroutes.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tlsroutes.gateway.networking.k8s.io.yaml
index 2705ca78c..30f472b39 100644
--- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tlsroutes.gateway.networking.k8s.io.yaml
+++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-tlsroutes.gateway.networking.k8s.io.yaml
@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition metadata: annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels:
@@ -25,7 +25,7 @@ spec:
- jsonPath: .metadata.creationTimestamp name: Age type: date
- name: v1alpha2
+ name: v1
schema: openAPIV3Schema: description: |-
@@ -35,6 +35,754 @@ spec:
If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of TLSRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of SNI hostnames that should match against the
+ SNI attribute of TLS ClientHello message in TLS handshake. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed in SNI hostnames per RFC 6066.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: Hostnames cannot contain an IP
+ rule: self.all(h, !isIP(h))
+ - message: Hostnames must be valid based on RFC-1123
+ rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') : true)'
+ - message: Wildcards on hostnames must be the first label, and the rest of hostname must be valid based on RFC-1123
+ rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) : true)'
+ parentRefs:
+ description: |-
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port))))
+ rules:
+ description: Rules are a list of actions.
+ items:
+ description: TLSRouteRule is the configuration for a given rule.
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent. If unspecified or invalid (refers to a nonexistent resource or
+ a Service with no endpoints), the rule performs no forwarding; if no
+ filters are specified that would result in a response being sent, the
+ underlying implementation must actively reject request attempts to this
+ backend, by rejecting the connection. Request rejections must respect
+ weight; if an invalid backend is requested to have 80% of requests, then
+ 80% of requests must be rejected instead.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Extended
+ items:
+ description: |-
+ BackendRef defines how a Route should forward a request to a Kubernetes
+ resource.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ Note that when the BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here. See the fields
+ where this struct is used for more information about the exact behavior.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ description: Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - backendRefs
+ type: object
+ maxItems: 1
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
+ required:
+ - hostnames
+ - rules
+ type: object
+ status:
+ description: Status defines the current state of TLSRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+ + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace to which the controller does not have access. + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). 
It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. 
+ + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. properties: apiVersion: description: |- 
@@ -344,10 +1092,9 @@ spec: a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + backend, by rejecting the connection. Request rejections must respect + weight; if an invalid backend is requested to have 80% of requests, then + 80% of requests must be rejected instead. Support: Core for Kubernetes Service @@ -477,10 +1224,7 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -560,7 +1304,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: @@ -798,6 +1542,8 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + deprecated: true + deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1. name: v1alpha3 schema: openAPIV3Schema: 
@@ -838,32 +1584,6 @@ spec: 1. IPs are not allowed in SNI hostnames per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - - If a hostname is specified by both the Listener and TLSRoute, there - must be at least one intersecting hostname for the TLSRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches TLSRoutes - that have specified at least one of `test.example.com` or - `*.example.com`. - * A Listener with `*.example.com` as the hostname matches TLSRoutes - that have specified at least one hostname that matches the Listener - hostname. For example, `test.example.com` and `*.example.com` would both - match. On the other hand, `example.com` and `test.example.net` would not - match. - - If both the Listener and TLSRoute have specified hostnames, any - TLSRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - TLSRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and TLSRoute have specified hostnames, and none - match with the criteria above, then the TLSRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches 
@@ -888,6 +1608,13 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Hostnames cannot contain an IP + rule: self.all(h, !isIP(h)) + - message: Hostnames must be valid based on RFC-1123 + rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') : true)' + - message: Wildcards on hostnames must be the first label, and the rest of hostname must be valid based on RFC-1123 + rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) : true)' parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -1118,10 +1845,9 @@ spec: a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this - backend, by rejecting the connection or returning a 500 status code. - Request rejections must respect weight; if an invalid backend is - requested to have 80% of requests, then 80% of requests must be rejected - instead. + backend, by rejecting the connection. Request rejections must respect + weight; if an invalid backend is requested to have 80% of requests, then + 80% of requests must be rejected instead. Support: Core for Kubernetes Service @@ -1251,10 +1977,7 @@ spec: type: array x-kubernetes-list-type: atomic name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended + description: Name is the name of the route rule. This name MUST be unique within a Route if it is set. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -1266,9 +1989,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: Rule name must be unique within the route - rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name)) useDefaultGateways: description: |- UseDefaultGateways indicates the default Gateway scope to use for this @@ -1335,7 +2055,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: @@ -1566,7 +2286,7 @@ spec: - spec type: object served: true - storage: true + storage: false subresources: status: {} status: diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-udproutes.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-udproutes.gateway.networking.k8s.io.yaml index cd254410b..12995814f 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-udproutes.gateway.networking.k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-udproutes.gateway.networking.k8s.io.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 app.kubernetes.io/managed-by: Helm - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: 
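Review bot: Dropping the `x-kubernetes-validations` entry `Rule name must be unique within the route` from the v1alpha3 `rules` array removes the only server-side rejection of duplicate rule names for that version; unless that array's `maxItems` is 1 (not visible in this hunk), duplicate names are now admitted and consumers that key on rule name have to tolerate them. The v1 `rules` schema added earlier in this diff has `maxItems: 1`, which makes the rule redundant there, but that bound is not shown for v1alpha3, so it is worth confirming before treating this removal as harmless.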
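Review bot: `storage: false` on the v1alpha3 version (with v1 taking `storage: true` earlier in this diff) changes the TLSRoute storage version, but objects already persisted as v1alpha3 are not rewritten by the CRD update: v1alpha3 stays in `status.storedVersions` until every existing TLSRoute has been re-stored as v1, and a later bundle that drops v1alpha3 would be rejected until that happens. No `conversion` stanza is visible, so presumably the default `None` strategy applies and both versions must stay wire-compatible. Worth checking for existing TLSRoute objects in the cluster and recording the storage-version change in the commit message, since v1alpha2 and v1alpha3 are both now marked `deprecated: true`.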
@@ -496,7 +496,7 @@ spec: * The Route refers to a nonexistent parent. * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. + * The Route is in a namespace to which the controller does not have access. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xbackendtrafficpolicies.gateway.networking.x-k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xbackendtrafficpolicies.gateway.networking.x-k8s.io.yaml index 753d89a25..122ca7bfa 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xbackendtrafficpolicies.gateway.networking.x-k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xbackendtrafficpolicies.gateway.networking.x-k8s.io.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530 app.kubernetes.io/managed-by: Helm - gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/bundle-version: v1.5.1 gateway.networking.k8s.io/channel: experimental helm.sh/resource-policy: keep labels: @@ -103,7 +103,7 @@ spec: pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string x-kubernetes-validations: - - message: interval can not be greater than one hour or less than one second + - message: interval cannot be greater than one hour or less than one second rule: '!(duration(self) < duration(''1s'') || duration(self) > duration(''1h''))' percent: default: 20 
@@ -151,7 +151,7 @@ spec: pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string x-kubernetes-validations: - - message: interval can not be greater than one hour + - message: interval cannot be greater than one hour rule: '!(duration(self) == duration(''0s'') || duration(self) > duration(''1h''))' type: object type: object @@ -228,7 +228,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -242,6 +242,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' targetRefs: description: |- TargetRefs identifies API object(s) to apply this policy to. @@ -249,7 +251,7 @@ spec: ServiceImport, or any implementation-specific backendRef) are the only valid API target references. - Currently, a TargetRef can not be scoped to a specific port on a + Currently, a TargetRef cannot be scoped to a specific port on a Service. items: description: |- diff --git a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xmeshes.gateway.networking.x-k8s.io.yaml b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xmeshes.gateway.networking.x-k8s.io.yaml index fccf6117d..fd2e9b7d4 100644 --- a/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xmeshes.gateway.networking.x-k8s.io.yaml +++ b/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-xmeshes.gateway.networking.x-k8s.io.yaml 
@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
 app.kubernetes.io/managed-by: Helm
- gateway.networking.k8s.io/bundle-version: v1.4.0
+ gateway.networking.k8s.io/bundle-version: v1.5.1
 gateway.networking.k8s.io/channel: experimental
 helm.sh/resource-policy: keep
 labels:
diff --git a/clusters/cl01tl/manifests/traefik/ValidatingAdmissionPolicy-safe-upgrades.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/ValidatingAdmissionPolicy-safe-upgrades.gateway.networking.k8s.io.yaml
new file mode 100644
index 000000000..91452f933
--- /dev/null
+++ b/clusters/cl01tl/manifests/traefik/ValidatingAdmissionPolicy-safe-upgrades.gateway.networking.k8s.io.yaml
@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: Helm
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ helm.sh/resource-policy: keep
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: safe-upgrades.gateway.networking.k8s.io
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - apiextensions.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - '*'
+ validations:
+ - expression: object.spec.group != 'gateway.networking.k8s.io' || oldObject == null || ( has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' ) || ( oldObject != null && has(oldObject.metadata.annotations) && oldObject.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == 'experimental' )
+ message: Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs.
+ reason: Invalid
+ - expression: object.spec.group != 'gateway.networking.k8s.io' || (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\d+') && !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))
+ message: Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions.
+ reason: Invalid
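Review bot: The second `expression` denies any CREATE/UPDATE of a `gateway.networking.k8s.io` CRD whose `bundle-version` annotation matches `v1.[0-4].\d+` or `v0` (or that carries no such annotation at all), and with `failurePolicy: Fail` plus the binding's `validationActions: [Deny]` in the next file this means reverting this commit to the `v1.4.0` CRDs it replaces will be rejected until the policy or binding is deleted first; that rollback prerequisite belongs in the commit message. The regex is unanchored and its dots are unescaped, so it also matches strings such as `v1.400`; harmless for the versions in play, but worth knowing if the check is ever tightened. The policy and binding annotate themselves `bundle-version: v1.5.0-dev` / `channel: standard` while the CRDs in this diff carry `v1.5.1` / `experimental`, presumably a chart-rendering artifact, but it makes the channel-based first `expression` harder to audit against what is actually installed.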
diff --git a/clusters/cl01tl/manifests/traefik/ValidatingAdmissionPolicyBinding-safe-upgrades.gateway.networking.k8s.io.yaml b/clusters/cl01tl/manifests/traefik/ValidatingAdmissionPolicyBinding-safe-upgrades.gateway.networking.k8s.io.yaml
new file mode 100644
index 000000000..de44289a7
--- /dev/null
+++ b/clusters/cl01tl/manifests/traefik/ValidatingAdmissionPolicyBinding-safe-upgrades.gateway.networking.k8s.io.yaml
@@ -0,0 +1,26 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: Helm
+ gateway.networking.k8s.io/bundle-version: v1.5.0-dev
+ gateway.networking.k8s.io/channel: standard
+ helm.sh/resource-policy: keep
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: safe-upgrades.gateway.networking.k8s.io
+spec:
+ matchResources:
+ resourceRules:
+ - apiGroups:
+ - apiextensions.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - customresourcedefinitions
+ policyName: safe-upgrades.gateway.networking.k8s.io
+ validationActions:
+ - Deny
diff --git a/clusters/cl01tl/manifests/unpoller/Deployment-unpoller.yaml b/clusters/cl01tl/manifests/unpoller/Deployment-unpoller.yaml
index 6fccd66e4..5dfedb94e 100644
--- a/clusters/cl01tl/manifests/unpoller/Deployment-unpoller.yaml
+++ b/clusters/cl01tl/manifests/unpoller/Deployment-unpoller.yaml
@@ -64,7 +64,7 @@ spec:
 envFrom:
 - secretRef:
 name: unpoller-unifi-secret
- image: ghcr.io/unpoller/unpoller:v2.37.0
+ image: ghcr.io/unpoller/unpoller:v2.38.0
 imagePullPolicy: IfNotPresent
 name: main
 resources: