Automated Manifest Update (#5043)

This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

### Details
- **Trigger**: `pull_request` by `@alexlebens`
- **Commit**: `2280df1` (on `2280df1e16abf2c300e4d2782ce0b44463337e86`)
- **Charts Updated**: `rybbit`

### Update Details (2026-03-24 15:27 UTC)
- **Trigger**: `pull_request` by `@alexlebens`
- **Commit**: `3d24db8` (on `3d24db859a4c3a0fccdbbb98f78ca11acec2b0fb`)
- **Charts Updated**: `traefik`

### Update Details (2026-03-24 15:28 UTC)
- **Trigger**: `pull_request` by `@alexlebens`
- **Commit**: `e0f4b4b` (on `e0f4b4b62976e07ecc4778bf872c6efeab1247ba`)
- **Charts Updated**: `unpoller`

Reviewed-on: #5043
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
This commit was merged in pull request #5043.
2026-03-24 16:09:57 +00:00
committed by Alex Lebens
parent eda0e571f2
commit 7061dbd5e4
16 changed files with 1786 additions and 386 deletions

View File

@@ -51,20 +51,6 @@ spec:
name: rybbit-config-secret name: rybbit-config-secret
image: clickhouse/clickhouse-server:26.2.5 image: clickhouse/clickhouse-server:26.2.5
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- CMD
- wget
- --no-verbose
- --tries=1
- --spider
- http://localhost:8123/ping
failureThreshold: 5
initialDelaySeconds: 10
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
name: main name: main
resources: resources:
requests: requests:
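Review bot: the livenessProbe removed from the `main` (ClickHouse) container could never have passed, because its exec `command` began with `- CMD`, a Docker Compose healthcheck idiom that the kubelet does not understand; it would have tried to execute a binary named `CMD` and counted every attempt as a failure, so the probe was a restart-loop risk rather than a health check. Dropping it removes that risk, but it also leaves the container with no liveness check, so a ClickHouse process that hangs on port 8123 will no longer be restarted. Consider keeping the probe with the stray `CMD` element deleted (`- wget`, `- --spider`, `- http://localhost:8123/ping`) instead of removing it outright, assuming `wget` is present in the `clickhouse/clickhouse-server:26.2.5` image.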

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
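Review bot: the `gateway.networking.k8s.io/bundle-version` annotation moves from `v1.4.0` to `v1.5.1` while `channel` stays `experimental`; experimental-channel CRDs carry alpha versions whose schema can change between releases, and with `helm.sh/resource-policy: keep` Helm never removes or replaces these objects, so the upgrade of existing BackendTLSPolicy objects depends entirely on these rendered manifests being applied in full. Confirm that every Gateway API CRD in the cluster is moved to `v1.5.1` in the same sync, since the CRDs are released and tested as one bundle and a mixed set is the usual cause of validation and conversion errors.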
@@ -81,8 +81,6 @@ spec:
targetRefs: targetRefs:
description: |- description: |-
TargetRefs identifies an API object to apply the policy to. TargetRefs identifies an API object to apply the policy to.
Only Services have Extended support. Implementations MAY support
additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide by default, but this default may change in the future to provide
a more granular application of the policy. a more granular application of the policy.
@@ -103,17 +101,42 @@ spec:
example, a policy with a creation timestamp of "2021-07-15 example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a 01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04". creation timestamp of "2021-07-15 01:02:04".
* The policy appearing first in alphabetical order by {name}. * The policy appearing first in alphabetical order by {namespace}/{name}.
For example, a policy named `bar` is given precedence over a For example, a policy named `foo/bar` is given precedence over a
policy named `baz`. policy named `foo/baz`.
For any BackendTLSPolicy that does not take precedence, the For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`. `status: False`, with Reason `Conflicted`.
Support: Extended for Kubernetes Service Implementations SHOULD NOT support more than one targetRef at this
time. Although the API technically allows for this, the current guidance
for conflict resolution and status handling is lacking. Until that can be
clarified in a future release, the safest approach is to support a single
targetRef.
Support: Implementation-specific for any other resource Support Levels:
* Extended: Kubernetes Service referenced by HTTPRoute backendRefs.
* Implementation-Specific: Services not connected via HTTPRoute, and any
other kind of backend. Implementations MAY use BackendTLSPolicy for:
- Services not referenced by any Route (e.g., infrastructure services)
- Gateway feature backends (e.g., ExternalAuth, rate-limiting services)
- Service mesh workload-to-service communication
- Other resource types beyond Service
Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent,
even outside of the extended HTTPRoute -(backendRef) -> Service path.
They SHOULD clearly document how BackendTLSPolicy is interpreted in these
scenarios, including:
- Which resources beyond Service are supported
- How the policy is discovered and applied
- Any implementation-specific semantics or restrictions
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
items: items:
description: |- description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
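Review bot: this is a description-only change, but it documents two semantic changes a controller must honour: the conflict tie-break is now `{namespace}/{name}` rather than `{name}`, and implementations are told to support a single `targetRef` even though the schema still allows a list. Worth checking that the traefik version paired with this chart update sets `Accepted: False` with Reason `Conflicted` in the documented way for policies with multiple targetRefs rather than silently applying the first entry, since a policy that is ignored without status means backend traffic leaves without the TLS verification the policy author expected.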
@@ -334,8 +357,8 @@ spec:
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
wellKnownCACertificates: wellKnownCACertificates:
description: |- description: |-
WellKnownCACertificates specifies whether system CA certificates may be used in WellKnownCACertificates specifies whether a well-known set of CA certificates
the TLS handshake between the gateway and backend pod. may be used in the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of must be specified with at least one entry for a valid configuration. Only one of
@@ -345,9 +368,17 @@ spec:
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`. a Reason `Invalid`.
Valid values include:
* "System" - indicates that well-known system CA certificates should be used.
Implementations MAY define their own sets of CA certificates. Such definitions
MUST use an implementation-specific, prefixed name, such as
`mycompany.com/my-custom-ca-certificates`.
Support: Implementation-specific Support: Implementation-specific
enum: maxLength: 253
- System minLength: 1
pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$
type: string type: string
required: required:
- hostname - hostname
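Review bot: `wellKnownCACertificates` changes from a closed `enum` (`System` only) to a free-form string bounded by `pattern`, `minLength: 1` and `maxLength: 253`, so the API server will now admit any value of the form `example.com/name` (constructed example), including names no controller recognises. The description says an unrecognised value must yield `Accepted: False` with Reason `Invalid`; verify the controller does exactly that rather than falling back to system CAs or to no verification, because a typo in the prefixed name would otherwise weaken backend TLS validation without any visible error. The name segment of the pattern, `([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]`, allows at most 63 characters while the prefix is only bounded by `maxLength`, which is consistent with the DNS-subdomain-plus-name convention the description refers to.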
@@ -718,8 +749,6 @@ spec:
targetRefs: targetRefs:
description: |- description: |-
TargetRefs identifies an API object to apply the policy to. TargetRefs identifies an API object to apply the policy to.
Only Services have Extended support. Implementations MAY support
additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide by default, but this default may change in the future to provide
a more granular application of the policy. a more granular application of the policy.
@@ -740,17 +769,42 @@ spec:
example, a policy with a creation timestamp of "2021-07-15 example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a 01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04". creation timestamp of "2021-07-15 01:02:04".
* The policy appearing first in alphabetical order by {name}. * The policy appearing first in alphabetical order by {namespace}/{name}.
For example, a policy named `bar` is given precedence over a For example, a policy named `foo/bar` is given precedence over a
policy named `baz`. policy named `foo/baz`.
For any BackendTLSPolicy that does not take precedence, the For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`. `status: False`, with Reason `Conflicted`.
Support: Extended for Kubernetes Service Implementations SHOULD NOT support more than one targetRef at this
time. Although the API technically allows for this, the current guidance
for conflict resolution and status handling is lacking. Until that can be
clarified in a future release, the safest approach is to support a single
targetRef.
Support: Implementation-specific for any other resource Support Levels:
* Extended: Kubernetes Service referenced by HTTPRoute backendRefs.
* Implementation-Specific: Services not connected via HTTPRoute, and any
other kind of backend. Implementations MAY use BackendTLSPolicy for:
- Services not referenced by any Route (e.g., infrastructure services)
- Gateway feature backends (e.g., ExternalAuth, rate-limiting services)
- Service mesh workload-to-service communication
- Other resource types beyond Service
Implementations SHOULD aim to ensure that BackendTLSPolicy behavior is consistent,
even outside of the extended HTTPRoute -(backendRef) -> Service path.
They SHOULD clearly document how BackendTLSPolicy is interpreted in these
scenarios, including:
- Which resources beyond Service are supported
- How the policy is discovered and applied
- Any implementation-specific semantics or restrictions
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
items: items:
description: |- description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
@@ -971,8 +1025,8 @@ spec:
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
wellKnownCACertificates: wellKnownCACertificates:
description: |- description: |-
WellKnownCACertificates specifies whether system CA certificates may be used in WellKnownCACertificates specifies whether a well-known set of CA certificates
the TLS handshake between the gateway and backend pod. may be used in the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of must be specified with at least one entry for a valid configuration. Only one of
@@ -982,9 +1036,17 @@ spec:
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`. a Reason `Invalid`.
Valid values include:
* "System" - indicates that well-known system CA certificates should be used.
Implementations MAY define their own sets of CA certificates. Such definitions
MUST use an implementation-specific, prefixed name, such as
`mycompany.com/my-custom-ca-certificates`.
Support: Implementation-specific Support: Implementation-specific
enum: maxLength: 253
- System minLength: 1
pattern: ^(System|([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]))$
type: string type: string
required: required:
- hostname - hostname
@@ -1298,6 +1360,8 @@ spec:
type: object type: object
served: true served: true
storage: false storage: false
subresources:
status: {}
status: status:
acceptedNames: acceptedNames:
kind: "" kind: ""
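Review bot: adding `subresources: status: {}` to this version means writes to `.status` must go through the `/status` endpoint and the main-resource update path ignores status changes; the controller's RBAC therefore needs `update`/`patch` on `backendtlspolicies/status`, and any client that previously wrote status through the main resource will stop taking effect. Check that the controller's ClusterRole grants the status subresource for this CRD before this lands, since a controller that cannot write `Accepted`/`ResolvedRefs` leaves policy failures invisible.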

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
@@ -135,14 +135,14 @@ spec:
allowedListeners: allowedListeners:
description: |- description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway. AllowedListeners defines which ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets. The default value is to allow no ListenerSets.
properties: properties:
namespaces: namespaces:
default: default:
from: None from: None
description: |- description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway. Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets. The default value is to allow no ListenerSets.
properties: properties:
from: from:
default: None default: None
@@ -155,7 +155,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway. * All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed * None: Only listeners defined in the Gateway's spec are allowed
While this feature is experimental, the default value None The default value None
enum: enum:
- All - All
- Selector - Selector
@@ -694,7 +694,7 @@ spec:
the Gateway SHOULD return a 421. the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello) * If the current Listener (selected by SNI matching during ClientHello)
does not match the Host: does not match the Host:
* If another Listener does match the Host the Gateway SHOULD return a * If another Listener does match the Host, the Gateway SHOULD return a
421. 421.
* If no other Listener matches the Host, the Gateway MUST return a * If no other Listener matches the Host, the Gateway MUST return a
404. 404.
@@ -899,6 +899,8 @@ spec:
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)' rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)'
- message: tls mode must be Terminate for protocol HTTPS - message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)'
- message: tls mode must be set for protocol TLS
rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP'] - message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)'
- message: Listener name must be unique within the Gateway - message: Listener name must be unique within the Gateway
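Review bot: the new rule `tls mode must be set for protocol TLS` tightens admission: a Gateway with a `protocol: TLS` listener and no `tls.mode` (or an empty one) will be rejected by the API server. CEL rules are enforced on write, so stored Gateways are not re-validated in place, but the next update that touches `listeners`, including a GitOps reconcile that re-applies the object, may fail. Audit existing Gateways for TLS listeners that lack an explicit mode before applying this CRD so the rejection is not discovered during an unrelated change.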
@@ -924,19 +926,30 @@ spec:
properties: properties:
clientCertificateRef: clientCertificateRef:
description: |- description: |-
ClientCertificateRef is a reference to an object that contains a Client ClientCertificateRef references an object that contains a client certificate
Certificate and the associated private key. and its associated private key. It can reference standard Kubernetes resources,
i.e., Secret, or implementation-specific custom resources.
References to a resource in different namespace are invalid UNLESS there A ClientCertificateRef is considered invalid if:
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
ClientCertificateRef can reference to standard Kubernetes resources, i.e. * It refers to a resource that cannot be resolved (e.g., the referenced resource
Secret, or implementation-specific custom resources. does not exist) or is misconfigured (e.g., a Secret does not contain the keys
named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
and the Message of the Condition MUST indicate why the reference is invalid.
Support: Core * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
in the target namespace that allows the certificate to be attached.
If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the certificate
content (e.g., checking expiry or enforcing specific formats). In such cases,
an implementation-specific Reason and Message MUST be set.
Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
Support: Implementation-specific - Other resource kinds or Secrets with a
different type (e.g., `Opaque`).
properties: properties:
group: group:
default: "" default: ""
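Review bot: the reworded description narrows Core support to Secrets of type `kubernetes.io/tls` and names two failure Reasons, `InvalidClientCertificateRef` (unresolvable, or missing `tls.crt`/`tls.key`) and `RefNotPermitted` (cross-namespace without a ReferenceGrant). Secrets of other types, `Opaque` included, become implementation-specific, so audit the Secrets behind any existing clientCertificateRef and confirm their type; also confirm that a reference reported as invalid leads the listener to fail rather than to connect to the backend without presenting a client certificate, since the description only specifies the status outcome.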
@@ -1002,27 +1015,49 @@ spec:
properties: properties:
caCertificateRefs: caCertificateRefs:
description: |- description: |-
CACertificateRefs contains one or more references to CACertificateRefs contains one or more references to Kubernetes
Kubernetes objects that contain TLS certificates of objects that contain a PEM-encoded TLS CA certificate bundle, which
the Certificate Authorities that can be used is used as a trust anchor to validate the certificates presented by
as a trust anchor to validate the certificates presented by the client. the client.
A single CA certificate reference to a Kubernetes ConfigMap A CACertificateRef is invalid if:
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap * It refers to a resource that cannot be resolved (e.g., the
with the CA certificate in a key named `ca.crt`. referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap * It refers to an unknown or unsupported kind of resource. In this
with different keys or more than one reference, or other kinds of resources). case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there * It refers to a resource in another namespace UNLESS there is a
is a ReferenceGrant in the target namespace that allows the certificate ReferenceGrant in the target namespace that allows the CA
to be attached. If a ReferenceGrant does not allow this reference, the certificate to be attached. If a ReferenceGrant does not allow this
"ResolvedRefs" condition MUST be set to False for this listener with the reference, the `ResolvedRefs` on all matching HTTPS listeners condition
"RefNotPermitted" reason. MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items: items:
description: |- description: |-
ObjectReference identifies an API object including its namespace. ObjectReference identifies an API object including its namespace.
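Review bot: the new text makes frontend client-certificate validation fail closed: every invalid ref sets `ResolvedRefs: False` on all HTTPS listeners on a matching port, and if ALL refs are invalid the listener's `Accepted` condition goes `False` with Reason `NoValidCACertificate`, so a missing or malformed `ca.crt` now takes the listener down instead of leaving it serving without client-certificate verification. That is the right direction for an mTLS setting, but it also turns a deleted ConfigMap or a misnamed key into an availability incident; alert on `NoValidCACertificate`, `InvalidCACertificateRef` and `InvalidCACertificateKind` in listener status rather than discovering the outage from failing clients.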
@@ -1144,27 +1179,49 @@ spec:
properties: properties:
caCertificateRefs: caCertificateRefs:
description: |- description: |-
CACertificateRefs contains one or more references to CACertificateRefs contains one or more references to Kubernetes
Kubernetes objects that contain TLS certificates of objects that contain a PEM-encoded TLS CA certificate bundle, which
the Certificate Authorities that can be used is used as a trust anchor to validate the certificates presented by
as a trust anchor to validate the certificates presented by the client. the client.
A single CA certificate reference to a Kubernetes ConfigMap A CACertificateRef is invalid if:
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap * It refers to a resource that cannot be resolved (e.g., the
with the CA certificate in a key named `ca.crt`. referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap * It refers to an unknown or unsupported kind of resource. In this
with different keys or more than one reference, or other kinds of resources). case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there * It refers to a resource in another namespace UNLESS there is a
is a ReferenceGrant in the target namespace that allows the certificate ReferenceGrant in the target namespace that allows the CA
to be attached. If a ReferenceGrant does not allow this reference, the certificate to be attached. If a ReferenceGrant does not allow this
"ResolvedRefs" condition MUST be set to False for this listener with the reference, the `ResolvedRefs` on all matching HTTPS listeners condition
"RefNotPermitted" reason. MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items: items:
description: |- description: |-
ObjectReference identifies an API object including its namespace. ObjectReference identifies an API object including its namespace.
@@ -1333,6 +1390,20 @@ spec:
maxItems: 16 maxItems: 16
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
attachedListenerSets:
description: |-
AttachedListenerSets represents the total number of ListenerSets that have been
successfully attached to this Gateway.
A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
- The ListenerSet is selected by the Gateway's AllowedListeners field
- The ListenerSet has a valid ParentRef selecting the Gateway
- The ListenerSet's status has the condition "Accepted: true"
Uses for this field include troubleshooting AttachedListenerSets attachment and
measuring blast radius/impact of changes to a Gateway.
format: int32
type: integer
conditions: conditions:
default: default:
- lastTransitionTime: "1970-01-01T00:00:00Z" - lastTransitionTime: "1970-01-01T00:00:00Z"
@@ -1435,8 +1506,11 @@ spec:
attachment semantics can be found in the documentation on the various attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set successful attachment, i.e. the AttachedRoutes field count MUST be set
for Listeners with condition Accepted: false and MUST count successfully for Listeners, even if the Accepted condition of an individual Listener is set
attached Routes that may themselves have Accepted: false conditions. to "False". The AttachedRoutes number represents the number of Routes with
the Accepted condition set to "True" that have been attached to this Listener.
Routes with any other value for the Accepted condition MUST NOT be included
in this count.
Uses for this field include troubleshooting Route attachment and Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener. measuring blast radius/impact of changes to a Listener.
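Review bot: this changes the meaning of an existing status field rather than adding one: `attachedRoutes` previously had to count Routes even when their own `Accepted` condition was false, and now MUST count only Routes with `Accepted: True`. Dashboards or alerts that use a non-zero `attachedRoutes` as a proxy for "a Route is bound here" will see the value drop when Routes are rejected, which is more useful for spotting misconfiguration, but anyone alerting on the count falling to zero should expect new triggers after this upgrade.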
@@ -1511,7 +1585,7 @@ spec:
supportedKinds: supportedKinds:
description: |- description: |-
SupportedKinds is the list indicating the Kinds supported by this SupportedKinds is the list indicating the Kinds supported by this
listener. This MUST represent the kinds an implementation supports for listener. This MUST represent the kinds supported by an implementation for
that Listener configuration. that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT If kinds are specified in Spec that are not supported, they MUST NOT
@@ -1544,7 +1618,6 @@ spec:
- attachedRoutes - attachedRoutes
- conditions - conditions
- name - name
- supportedKinds
type: object type: object
maxItems: 64 maxItems: 64
type: array type: array
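Review bot: dropping `supportedKinds` from the listener status `required` list is a schema loosening; the description still says the field MUST represent what the implementation supports, so the removal only tolerates implementations that omit it. Tooling that reads `.status.listeners[].supportedKinds` should treat a missing field as unknown rather than as an empty list, otherwise a listener that supports every kind could be reported as supporting none.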
@@ -1671,14 +1744,14 @@ spec:
allowedListeners: allowedListeners:
description: |- description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway. AllowedListeners defines which ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets. The default value is to allow no ListenerSets.
properties: properties:
namespaces: namespaces:
default: default:
from: None from: None
description: |- description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway. Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets. The default value is to allow no ListenerSets.
properties: properties:
from: from:
default: None default: None
@@ -1691,7 +1764,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway. * All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed * None: Only listeners defined in the Gateway's spec are allowed
While this feature is experimental, the default value None The default value None
enum: enum:
- All - All
- Selector - Selector
@@ -2230,7 +2303,7 @@ spec:
the Gateway SHOULD return a 421. the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello) * If the current Listener (selected by SNI matching during ClientHello)
does not match the Host: does not match the Host:
* If another Listener does match the Host the Gateway SHOULD return a * If another Listener does match the Host, the Gateway SHOULD return a
421. 421.
* If no other Listener matches the Host, the Gateway MUST return a * If no other Listener matches the Host, the Gateway MUST return a
404. 404.
@@ -2435,6 +2508,8 @@ spec:
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)' rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)'
- message: tls mode must be Terminate for protocol HTTPS - message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)'
- message: tls mode must be set for protocol TLS
rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP'] - message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)'
- message: Listener name must be unique within the Gateway - message: Listener name must be unique within the Gateway
@@ -2460,19 +2535,30 @@ spec:
properties: properties:
clientCertificateRef: clientCertificateRef:
description: |- description: |-
ClientCertificateRef is a reference to an object that contains a Client ClientCertificateRef references an object that contains a client certificate
Certificate and the associated private key. and its associated private key. It can reference standard Kubernetes resources,
i.e., Secret, or implementation-specific custom resources.
References to a resource in different namespace are invalid UNLESS there A ClientCertificateRef is considered invalid if:
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
ClientCertificateRef can reference to standard Kubernetes resources, i.e. * It refers to a resource that cannot be resolved (e.g., the referenced resource
Secret, or implementation-specific custom resources. does not exist) or is misconfigured (e.g., a Secret does not contain the keys
named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
and the Message of the Condition MUST indicate why the reference is invalid.
Support: Core * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
in the target namespace that allows the certificate to be attached.
If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the certificate
content (e.g., checking expiry or enforcing specific formats). In such cases,
an implementation-specific Reason and Message MUST be set.
Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
Support: Implementation-specific - Other resource kinds or Secrets with a
different type (e.g., `Opaque`).
properties: properties:
group: group:
default: "" default: ""
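Review bot: The new text is inconsistent about where the `ResolvedRefs` condition lands: the two bullets here say `the `ResolvedRefs` condition on the Gateway MUST be set to False`, while the caCertificateRefs description in the next hunk says the condition goes `on all matching HTTPS listeners`. Client-certificate and CA-bundle failures should surface in the same place, so pick one (the per-listener form matches how `Accepted` is reported further down) and use it in both descriptions. The rest reads well; the explicit requirement that a Secret carry `tls.crt` and `tls.key`, and that only `kubernetes.io/tls` Secrets are Core support while `Opaque` ones are implementation-specific, is a useful clarification.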
@@ -2538,27 +2624,49 @@ spec:
properties: properties:
caCertificateRefs: caCertificateRefs:
description: |- description: |-
CACertificateRefs contains one or more references to CACertificateRefs contains one or more references to Kubernetes
Kubernetes objects that contain TLS certificates of objects that contain a PEM-encoded TLS CA certificate bundle, which
the Certificate Authorities that can be used is used as a trust anchor to validate the certificates presented by
as a trust anchor to validate the certificates presented by the client. the client.
A single CA certificate reference to a Kubernetes ConfigMap A CACertificateRef is invalid if:
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap * It refers to a resource that cannot be resolved (e.g., the
with the CA certificate in a key named `ca.crt`. referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap * It refers to an unknown or unsupported kind of resource. In this
with different keys or more than one reference, or other kinds of resources). case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there * It refers to a resource in another namespace UNLESS there is a
is a ReferenceGrant in the target namespace that allows the certificate ReferenceGrant in the target namespace that allows the CA
to be attached. If a ReferenceGrant does not allow this reference, the certificate to be attached. If a ReferenceGrant does not allow this
"ResolvedRefs" condition MUST be set to False for this listener with the reference, the `ResolvedRefs` on all matching HTTPS listeners condition
"RefNotPermitted" reason. MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items: items:
description: |- description: |-
ObjectReference identifies an API object including its namespace. ObjectReference identifies an API object including its namespace.
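Review bot: The third bullet of the new description has a scrambled sentence: `reference, the `ResolvedRefs` on all matching HTTPS listeners condition` / `MUST be set with the Reason `RefNotPermitted`.` should read "the `ResolvedRefs` condition on all matching HTTPS listeners MUST be set to `status: False` with the Reason `RefNotPermitted`", matching the other bullets, which also specify the status. Related style point: the first two bullets use lowercase `must` (`the Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef``) where every other requirement in this block uses RFC 2119 `MUST`. The new `NoValidCACertificate` paragraph is the important part of this change: when every CA reference is invalid the listener is to be marked `Accepted: False` rather than served without client verification, which is the fail-closed behaviour to verify in the traefik version deployed with this chart.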
@@ -2680,27 +2788,49 @@ spec:
properties: properties:
caCertificateRefs: caCertificateRefs:
description: |- description: |-
CACertificateRefs contains one or more references to CACertificateRefs contains one or more references to Kubernetes
Kubernetes objects that contain TLS certificates of objects that contain a PEM-encoded TLS CA certificate bundle, which
the Certificate Authorities that can be used is used as a trust anchor to validate the certificates presented by
as a trust anchor to validate the certificates presented by the client. the client.
A single CA certificate reference to a Kubernetes ConfigMap A CACertificateRef is invalid if:
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap * It refers to a resource that cannot be resolved (e.g., the
with the CA certificate in a key named `ca.crt`. referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap * It refers to an unknown or unsupported kind of resource. In this
with different keys or more than one reference, or other kinds of resources). case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there * It refers to a resource in another namespace UNLESS there is a
is a ReferenceGrant in the target namespace that allows the certificate ReferenceGrant in the target namespace that allows the CA
to be attached. If a ReferenceGrant does not allow this reference, the certificate to be attached. If a ReferenceGrant does not allow this
"ResolvedRefs" condition MUST be set to False for this listener with the reference, the `ResolvedRefs` on all matching HTTPS listeners condition
"RefNotPermitted" reason. MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items: items:
description: |- description: |-
ObjectReference identifies an API object including its namespace. ObjectReference identifies an API object including its namespace.
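Review bot: This description is the same text as the caCertificateRefs hunk at `@@ -2538,27 +2624,49 @@` above and carries the same problems: the scrambled `the `ResolvedRefs` on all matching HTTPS listeners condition` sentence in the third bullet and the lowercase `must` in the first two bullets. Whatever fix is applied there should be applied to both served versions so the two copies stay in sync.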
@@ -2869,6 +2999,20 @@ spec:
maxItems: 16 maxItems: 16
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
attachedListenerSets:
description: |-
AttachedListenerSets represents the total number of ListenerSets that have been
successfully attached to this Gateway.
A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
- The ListenerSet is selected by the Gateway's AllowedListeners field
- The ListenerSet has a valid ParentRef selecting the Gateway
- The ListenerSet's status has the condition "Accepted: true"
Uses for this field include troubleshooting AttachedListenerSets attachment and
measuring blast radius/impact of changes to a Gateway.
format: int32
type: integer
conditions: conditions:
default: default:
- lastTransitionTime: "1970-01-01T00:00:00Z" - lastTransitionTime: "1970-01-01T00:00:00Z"
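Review bot: The new `attachedListenerSets` status field has `format: int32` but no `minimum: 0`, unlike the other count fields in this status; a count can never be negative, so add `minimum: 0`. Wording: `Uses for this field include troubleshooting AttachedListenerSets attachment` should say "troubleshooting ListenerSet attachment". The three attachment conditions listed here match the ones in the ListenerSet CRD description in this same change, which is good; keep them identical if either is edited later.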
@@ -2971,8 +3115,11 @@ spec:
attachment semantics can be found in the documentation on the various attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set successful attachment, i.e. the AttachedRoutes field count MUST be set
for Listeners with condition Accepted: false and MUST count successfully for Listeners, even if the Accepted condition of an individual Listener is set
attached Routes that may themselves have Accepted: false conditions. to "False". The AttachedRoutes number represents the number of Routes with
the Accepted condition set to "True" that have been attached to this Listener.
Routes with any other value for the Accepted condition MUST NOT be included
in this count.
Uses for this field include troubleshooting Route attachment and Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener. measuring blast radius/impact of changes to a Listener.
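Review bot: The new sentences contradict the unchanged context line above them. Line `Route kinds ParentRefs fields). Listener or Route status does not impact` still says Route status does not affect the count, but the added text says `The AttachedRoutes number represents the number of Routes with the Accepted condition set to "True"` and `Routes with any other value for the Accepted condition MUST NOT be included`, so Route status now does determine the count. The ListenerSet copy of this paragraph (`@@ -626,10 +624,13 @@`) drops `or Route` from that sentence; do the same here. Also worth stating in the PR description: this is a semantic change to a status counter, so anyone using `attachedRoutes` for blast-radius checks will see lower numbers after the upgrade for Routes that are attached but not accepted.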
@@ -3047,7 +3194,7 @@ spec:
supportedKinds: supportedKinds:
description: |- description: |-
SupportedKinds is the list indicating the Kinds supported by this SupportedKinds is the list indicating the Kinds supported by this
listener. This MUST represent the kinds an implementation supports for listener. This MUST represent the kinds supported by an implementation for
that Listener configuration. that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT If kinds are specified in Spec that are not supported, they MUST NOT
@@ -3080,7 +3227,6 @@ spec:
- attachedRoutes - attachedRoutes
- conditions - conditions
- name - name
- supportedKinds
type: object type: object
maxItems: 64 maxItems: 64
type: array type: array
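Review bot: Removing `- supportedKinds` from the listener status `required` list relaxes the contract: tooling that reads `status.listeners[].supportedKinds` must now tolerate the field being absent rather than an empty list. The ListenerSet CRD in this change makes the same relaxation (and also drops `port`) in `@@ -743,8 +738,6 @@`; both are fine as long as consumers are aware.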

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
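Review bot: The annotation bump from `gateway.networking.k8s.io/bundle-version: v1.4.0` to `v1.5.1` (and `api-approved.kubernetes.io` from pull 3328 to 4530) is repeated on every CRD in this change, and because they carry `helm.sh/resource-policy: keep` the CRDs outlive a chart uninstall. Treat the upgrade as one-way: a chart rollback would re-apply the v1.4.0 schema, and objects that by then use v1.5.1-only fields (the new header `pattern`, `attachedListenerSets`, the `ListenerSet` kind) would be pruned or unserved. A sentence to that effect in the PR description would help whoever runs the rollout.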
@@ -528,9 +528,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
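Review bot: The new `pattern: ^[!-~]+([\t ]?[!-~]+)*$` on the header match `value` is a welcome tightening: it rejects CR, LF, NUL and any non-ASCII byte, so a match value can never contain the characters that delimit header field lines. It also rejects values the old schema accepted: leading or trailing whitespace, two consecutive spaces or tabs, and non-ASCII text. Existing HTTPRoutes with such values are not re-validated in place and will fail on their next write, so they should be found before the CRD upgrade. Minor: the description points at `https://tools.ietf.org/html/rfc7230#section-3.2`, which has been obsoleted by RFC 9110 (field values are in section 5.5 there). The identical hunk is repeated seven more times in this file for the other header-match locations; the same comment applies to each.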
@@ -600,9 +605,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
@@ -802,9 +812,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
@@ -874,9 +889,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
@@ -1149,9 +1169,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
@@ -1221,9 +1246,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
@@ -1423,9 +1453,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
@@ -1495,9 +1530,14 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string type: string
value: value:
description: Value is the value of HTTP Header to be matched. description: |-
Value is the value of HTTP Header to be matched.
Must consist of printable US-ASCII characters, optionally separated
by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
maxLength: 4096 maxLength: 4096
minLength: 1 minLength: 1
pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string type: string
required: required:
- name - name
@@ -1634,8 +1674,8 @@ spec:
- method: - method:
type: Exact type: Exact
service: "foo" service: "foo"
headers: - headers:
- name: "version" name: "version"
value "v1" value "v1"
``` ```
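Review bot: The fix to the embedded YAML example is incomplete. Changing `headers:` to `- headers:` and `- name: "version"` to `name: "version"` corrects the list structure, but the following line `value "v1"` is still missing its colon and the example remains invalid YAML; it should read `value: "v1"`.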
@@ -1812,7 +1852,7 @@ spec:
default: Cookie default: Cookie
description: |- description: |-
Type defines the type of session persistence such as through Type defines the type of session persistence such as through
the use a header or cookie. Defaults to cookie based session the use of a header or cookie. Defaults to cookie based session
persistence. persistence.
Support: Core for "Cookie" type Support: Core for "Cookie" type
@@ -1826,6 +1866,8 @@ spec:
x-kubernetes-validations: x-kubernetes-validations:
- message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
- message: cookieConfig can only be set with type Cookie
rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
type: object type: object
maxItems: 16 maxItems: 16
type: array type: array
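Review bot: The new rule `'!has(self.cookieConfig) || self.type == ''Cookie'''` depends on `type` carrying `default: Cookie` (visible in the previous hunk) so that an object that omits `type` still passes; that holds because CRD defaulting runs before validation rules. Existing objects that set `type: Header` together with a `cookieConfig` block will be rejected on their next write, so they are worth a search before the CRD upgrade.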
@@ -1898,7 +1940,7 @@ spec:
* The Route refers to a nonexistent parent. * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support. * The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to. * The Route is in a namespace to which the controller does not have access.
items: items:
description: Condition contains details for one aspect of the current state of this API Resource. description: Condition contains details for one aspect of the current state of this API Resource.
properties: properties:

View File

@@ -2,25 +2,25 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
name: xlistenersets.gateway.networking.x-k8s.io name: listenersets.gateway.networking.k8s.io
spec: spec:
group: gateway.networking.x-k8s.io group: gateway.networking.k8s.io
names: names:
categories: categories:
- gateway-api - gateway-api
kind: XListenerSet kind: ListenerSet
listKind: XListenerSetList listKind: ListenerSetList
plural: xlistenersets plural: listenersets
shortNames: shortNames:
- lset - lset
singular: xlistenerset singular: listenerset
scope: Namespaced scope: Namespaced
versions: versions:
- additionalPrinterColumns: - additionalPrinterColumns:
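Review bot: This is not an in-place update of a CRD but a new one: the name changes from `xlistenersets.gateway.networking.x-k8s.io` to `listenersets.gateway.networking.k8s.io`, the group from `gateway.networking.x-k8s.io` to `gateway.networking.k8s.io`, and the kind from `XListenerSet` to `ListenerSet`. The old CRD and any stored XListenerSet objects are left behind (with `helm.sh/resource-policy: keep` nothing removes them) and nothing migrates them, so every existing XListenerSet has to be recreated as a ListenerSet, and the traefik version deployed with this chart must actually watch the new group, otherwise the new objects are accepted by the API server but nothing serves them. The PR description should call out the rename.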
@@ -33,11 +33,11 @@ spec:
- jsonPath: .metadata.creationTimestamp - jsonPath: .metadata.creationTimestamp
name: Age name: Age
type: date type: date
name: v1alpha1 name: v1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: |- description: |-
XListenerSet defines a set of additional listeners to attach to an existing Gateway. ListenerSet defines a set of additional listeners to attach to an existing Gateway.
This resource provides a mechanism to merge multiple listeners into a single Gateway. This resource provides a mechanism to merge multiple listeners into a single Gateway.
The parent Gateway must explicitly allow ListenerSet attachment through its The parent Gateway must explicitly allow ListenerSet attachment through its
@@ -59,11 +59,12 @@ spec:
- A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
Gateway Integration: Gateway Integration:
- The parent Gateway's status will include an "AttachedListenerSets" condition - The parent Gateway's status will include "AttachedListenerSets"
- This condition will be: which is the count of ListenerSets that have successfully attached to a Gateway
- True: when AllowedListeners is set and at least one child ListenerSet is attached A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
- False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - The ListenerSet is selected by the Gateway's AllowedListeners field
- Unknown: when no AllowedListeners config is present - The ListenerSet has a valid ParentRef selecting the Gateway
- The ListenerSet's status has the condition "Accepted: true"
properties: properties:
apiVersion: apiVersion:
description: |- description: |-
@@ -297,18 +298,12 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string type: string
port: port:
default: 0
description: |- description: |-
Port is the network port. Multiple listeners may use the Port is the network port. Multiple listeners may use the
same port, subject to the Listener compatibility rules. same port, subject to the Listener compatibility rules.
If the port is not set or specified as zero, the implementation will assign
a unique port. If the implementation does not support dynamic port
assignment, it MUST set `Accepted` condition to `False` with the
`UnsupportedPort` reason.
format: int32 format: int32
maximum: 65535 maximum: 65535
minimum: 0 minimum: 1
type: integer type: integer
protocol: protocol:
description: Protocol specifies the network protocol this listener expects to receive. description: Protocol specifies the network protocol this listener expects to receive.
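Review bot: Removing `default: 0` and the dynamic-port paragraph, raising `minimum: 0` to `minimum: 1`, and adding `- port` to `required` in the next hunk together make `port` mandatory for every ListenerSet listener. Objects that relied on `port: 0` or omitted the port will be rejected on their next write; since the kind also changes in this PR, the practical moment to assign explicit ports is when XListenerSet objects are converted into ListenerSets. The `UnsupportedPort` reason that the removed text referred to no longer appears anywhere in this schema, which is consistent with dropping the feature.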
@@ -456,6 +451,7 @@ spec:
rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) > 0 || size(self.options) > 0 : true' rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) > 0 || size(self.options) > 0 : true'
required: required:
- name - name
- port
- protocol - protocol
type: object type: object
maxItems: 64 maxItems: 64
@@ -469,6 +465,8 @@ spec:
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)' rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)'
- message: tls mode must be Terminate for protocol HTTPS - message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)' rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)'
- message: tls mode must be set for protocol TLS
rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP'] - message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)' rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)'
- message: Listener name must be unique within the Gateway - message: Listener name must be unique within the Gateway
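Review bot: Same rule as added to the Gateway CRD at `@@ -2435,6 +2508,8 @@`, and the same admission-time caveat applies: stored ListenerSets with a `TLS` listener and no explicit `tls.mode` are rejected on their next update, not when the CRD is installed.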
@@ -626,10 +624,13 @@ spec:
AND the Route has a valid ParentRef selecting the whole Gateway AND the Route has a valid ParentRef selecting the whole Gateway
resource or a specific Listener as a parent resource (more detail on resource or a specific Listener as a parent resource (more detail on
attachment semantics can be found in the documentation on the various attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact Route kinds ParentRefs fields). Listener status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set successful attachment, i.e. the AttachedRoutes field count MUST be set
for Listeners with condition Accepted: false and MUST count successfully for Listeners, even if the Accepted condition of an individual Listener is set
attached Routes that may themselves have Accepted: false conditions. to "False". The AttachedRoutes number represents the number of Routes with
the Accepted condition set to "True" that have been attached to this Listener.
Routes with any other value for the Accepted condition MUST NOT be included
in this count.
Uses for this field include troubleshooting Route attachment and Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener. measuring blast radius/impact of changes to a Listener.
@@ -701,16 +702,10 @@ spec:
minLength: 1 minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string type: string
port:
description: Port is the network port the listener is configured to listen on.
format: int32
maximum: 65535
minimum: 1
type: integer
supportedKinds: supportedKinds:
description: |- description: |-
SupportedKinds is the list indicating the Kinds supported by this SupportedKinds is the list indicating the Kinds supported by this
listener. This MUST represent the kinds an implementation supports for listener. This MUST represent the kinds supported by an implementation for
that Listener configuration. that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT If kinds are specified in Spec that are not supported, they MUST NOT
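Review bot: Dropping the listener status `port:` field (`description: Port is the network port the listener is configured to listen on.` through `type: integer`) follows from removing dynamic port assignment in the spec, since the status field only existed to report an assigned port. Anything that reads `status.listeners[].port`, dashboards or policy checks for instance, now has to look up `spec.listeners[].port` by listener name instead. The companion removal from the `required` list is in `@@ -743,8 +738,6 @@`.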
@@ -743,8 +738,6 @@ spec:
- attachedRoutes - attachedRoutes
- conditions - conditions
- name - name
- port
- supportedKinds
type: object type: object
maxItems: 64 maxItems: 64
type: array type: array

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
@@ -23,6 +23,168 @@ spec:
singular: referencegrant singular: referencegrant
scope: Namespaced scope: Namespaced
versions: versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: |-
ReferenceGrant identifies kinds of resources in other namespaces that are
trusted to reference the specified kinds of resources in the same namespace
as the policy.
Each ReferenceGrant can be used to represent a unique trust relationship.
Additional Reference Grants can be used to add to the set of trusted
sources of inbound references for the namespace they are defined within.
All cross-namespace references in Gateway API (with the exception of cross-namespace
Gateway-route attachment) require a ReferenceGrant.
ReferenceGrant is a form of runtime verification allowing users to assert
which cross-namespace object references are permitted. Implementations that
support ReferenceGrant MUST NOT permit cross-namespace references which have
no grant, and MUST respond to the removal of a grant by revoking the access
that the grant allowed.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of ReferenceGrant.
properties:
from:
description: |-
From describes the trusted namespaces and kinds that can reference the
resources described in "To". Each entry in this list MUST be considered
to be an additional place that references can be valid from, or to put
this another way, entries MUST be combined using OR.
Support: Core
items:
description: ReferenceGrantFrom describes trusted namespaces and kinds.
properties:
group:
description: |-
Group is the group of the referent.
When empty, the Kubernetes core API group is inferred.
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: |-
Kind is the kind of the referent. Although implementations may support
additional resources, the following types are part of the "Core"
support level for this field.
When used to permit a SecretObjectReference:
* Gateway
When used to permit a BackendObjectReference:
* GRPCRoute
* HTTPRoute
* TCPRoute
* TLSRoute
* UDPRoute
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
namespace:
description: |-
Namespace is the namespace of the referent.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- namespace
type: object
maxItems: 16
minItems: 1
type: array
x-kubernetes-list-type: atomic
to:
description: |-
To describes the resources that may be referenced by the resources
described in "From". Each entry in this list MUST be considered to be an
additional place that references can be valid to, or to put this another
way, entries MUST be combined using OR.
Support: Core
items:
description: |-
ReferenceGrantTo describes what Kinds are allowed as targets of the
references.
properties:
group:
description: |-
Group is the group of the referent.
When empty, the Kubernetes core API group is inferred.
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: |-
Kind is the kind of the referent. Although implementations may support
additional resources, the following types are part of the "Core"
support level for this field:
* Secret when used to permit a SecretObjectReference
* Service when used to permit a BackendObjectReference
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: |-
Name is the name of the referent. When unspecified, this policy
refers to all resources of the specified Group and Kind in the local
namespace.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
type: object
maxItems: 16
minItems: 1
type: array
x-kubernetes-list-type: atomic
required:
- from
- to
type: object
type: object
served: true
storage: false
subresources: {}
- additionalPrinterColumns: - additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp - jsonPath: .metadata.creationTimestamp
name: Age name: Age
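Review bot: The new ReferenceGrant version added here ends with `served: true` / `storage: false`, so it will be readable and writable through the API while objects keep being persisted in whichever version still carries `storage: true`; that is fine for a promotion without conversion, but please confirm that exactly one version of this CRD has `storage: true` after the change. Also worth noting for anyone writing grants against this schema: `to[].name` is optional and, per its description, an omitted name covers every resource of that Group/Kind in the namespace, whereas `from[]` requires `group`, `kind` and `namespace`; real grants should name the specific Secret or Service so the cross-namespace allowance stays narrow.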

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
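Review bot: Three annotations change together here: `api-approved.kubernetes.io` now points at gateway-api pull/4530, `gateway.networking.k8s.io/bundle-version` moves from v1.4.0 to v1.5.1, and the channel stays `experimental`. Because `helm.sh/resource-policy: keep` leaves these CRDs in place across chart uninstall and reinstall, this bump is the path by which clusters pick up the new schema, so confirm the Gateway API controller deployed by this chart is built against the v1.5.1 experimental CRDs; experimental-channel fields can change or disappear between releases.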
@@ -496,7 +496,7 @@ spec:
* The Route refers to a nonexistent parent. * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support. * The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to. * The Route is in a namespace to which the controller does not have access.
items: items:
description: Condition contains details for one aspect of the current state of this API Resource. description: Condition contains details for one aspect of the current state of this API Resource.
properties: properties:

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
@@ -25,7 +25,7 @@ spec:
- jsonPath: .metadata.creationTimestamp - jsonPath: .metadata.creationTimestamp
name: Age name: Age
type: date type: date
name: v1alpha2 name: v1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: |- description: |-
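Review bot: The existing first version entry is renamed in place from `v1alpha2` to `v1` rather than a new entry being inserted, so the `additionalPrinterColumns` and the `openAPIV3Schema` description that follow now describe v1. This only reads correctly together with the next hunk, which re-adds a `v1alpha2` entry (marked deprecated) in front of the old property block, so the two hunks should be reviewed as one change.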
@@ -35,6 +35,754 @@ spec:
If you need to forward traffic to a single target for a TLS listener, you If you need to forward traffic to a single target for a TLS listener, you
could choose to use a TCPRoute with a TLS listener. could choose to use a TCPRoute with a TLS listener.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of TLSRoute.
properties:
hostnames:
description: |-
Hostnames defines a set of SNI hostnames that should match against the
SNI attribute of TLS ClientHello message in TLS handshake. This matches
the RFC 1123 definition of a hostname with 2 notable exceptions:
1. IPs are not allowed in SNI hostnames per RFC 6066.
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label must appear by itself as the first label.
items:
description: |-
Hostname is the fully qualified domain name of a network host. This matches
the RFC 1123 definition of a hostname with 2 notable exceptions:
1. IPs are not allowed.
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label must appear by itself as the first label.
Hostname can be "precise" which is a domain name without the terminating
dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
domain name prefixed with a single wildcard label (e.g. `*.example.com`).
Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
alphanumeric characters or '-', and must start and end with an alphanumeric
character. No other punctuation is allowed.
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
minItems: 1
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: Hostnames cannot contain an IP
rule: self.all(h, !isIP(h))
- message: Hostnames must be valid based on RFC-1123
rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') : true)'
- message: Wildcards on hostnames must be the first label, and the rest of hostname must be valid based on RFC-1123
rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) : true)'
parentRefs:
description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
to be attached to. Note that the referenced parent resource needs to
allow this for the attachment to be complete. For Gateways, that means
the Gateway needs to allow attachment from Routes of this kind and
namespace. For Services, that means the Service must either be in the same
namespace for a "producer" route, or the mesh implementation must support
and allow "consumer" routes for the referenced Service. ReferenceGrant is
not applicable for governing ParentRefs to Services - it is not possible to
create a "producer" route for a Service in a different namespace from the
Route.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
This API may be extended in the future to support additional kinds of parent
resources.
ParentRefs must be _distinct_. This means either that:
* They select different objects. If this is the case, then parentRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by `group`, `kind`, `namespace`, and `name` must
be unique across all parentRef entries in the Route.
* They do not select different objects, but for each optional field used,
each ParentRef that selects the same object must set the same set of
optional fields to different values. If one ParentRef sets a
combination of optional fields, all must set the same combination.
Some examples:
* If one ParentRef sets `sectionName`, all ParentRefs referencing the
same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
object must also set `port`.
* If one ParentRef sets `sectionName` and `port`, all ParentRefs
referencing the same object must also set `sectionName` and `port`.
It is possible to separately reference multiple distinct objects that may
be collapsed by an implementation. For example, some implementations may
choose to merge compatible Gateway Listeners together. If that is the
case, the list of routes attached to those resources should also be
merged.
Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example,
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable other kinds of cross-namespace reference.
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
items:
description: |-
ParentReference identifies an API object (usually a Gateway) that can be considered
a parent of this resource (usually a route). There are two kinds of parent resources
with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
This API may be extended in the future to support additional kinds of parent
resources.
The API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid.
properties:
group:
default: gateway.networking.k8s.io
description: |-
Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: |-
Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: |-
Name is the name of the referent.
Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: |-
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.
When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: |-
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
* Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
* Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName or port must be specified when parentRefs includes 2 or more references to the same parent
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) || p2.port == 0)): true))'
- message: sectionName or port must be unique when parentRefs includes 2 or more references to the same parent
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port))))
rules:
description: Rules are a list of actions.
items:
description: TLSRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be
sent. If unspecified or invalid (refers to a nonexistent resource or
a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this
backend, by rejecting the connection. Request rejections must respect
weight; if an invalid backend is requested to have 80% of requests, then
80% of requests must be rejected instead.
Support: Core for Kubernetes Service
Support: Extended for Kubernetes ServiceImport
Support: Implementation-specific for any other resource
Support for weight: Extended
items:
description: |-
BackendRef defines how a Route should forward a request to a Kubernetes
resource.
Note that when a namespace different than the local namespace is specified, a
ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
When the BackendRef points to a Kubernetes Service, implementations SHOULD
honor the appProtocol field if it is set for the target Service Port.
Implementations supporting appProtocol SHOULD recognize the Kubernetes
Standard Application Protocols defined in KEP-3726.
If a Service appProtocol isn't specified, an implementation MAY infer the
backend protocol through its own means. Implementations MAY infer the
protocol from the Route type referring to the backend Service.
If a Route is not able to send traffic to the backend using the specified
protocol then the backend is considered invalid. Implementations MUST set the
"ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
Note that when the BackendTLSPolicy object is enabled by the implementation,
there are some extra rules about validity to consider here. See the fields
where this struct is used for more information about the exact behavior.
properties:
group:
default: ""
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: |-
Kind is the Kubernetes resource kind of the referent. For example
"Service".
Defaults to "Service" when not specified.
ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.
Support: Core (Services with a type other than ExternalName)
Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: |-
Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: |-
Weight specifies the proportion of requests forwarded to the referenced
backend. This is computed as weight/(sum of all weights in this
BackendRefs list). For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision an
implementation supports. Weight is not a percentage and the sum of
weights does not need to equal 100.
If only one backend is specified and it has a weight greater than 0, 100%
of the traffic is forwarded to that backend. If weight is set to 0, no
traffic should be forwarded for this entry. If unspecified, weight
defaults to 1.
Support for this field varies based on the context where used.
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
x-kubernetes-validations:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true'
maxItems: 16
minItems: 1
type: array
x-kubernetes-list-type: atomic
name:
description: Name is the name of the route rule. This name MUST be unique within a Route if it is set.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- backendRefs
type: object
maxItems: 1
minItems: 1
type: array
x-kubernetes-list-type: atomic
useDefaultGateways:
description: |-
UseDefaultGateways indicates the default Gateway scope to use for this
Route. If unset (the default) or set to None, the Route will not be
attached to any default Gateway; if set, it will be attached to any
default Gateway supporting the named scope, subject to the usual rules
about which Routes a Gateway is allowed to claim.
Think carefully before using this functionality! The set of default
Gateways supporting the requested scope can change over time without
any notice to the Route author, and in many situations it will not be
appropriate to request a default Gateway for a given Route -- for
example, a Route with specific security requirements should almost
certainly not use a default Gateway.
enum:
- All
- None
type: string
required:
- hostnames
- rules
type: object
status:
description: Status defines the current state of TLSRoute.
properties:
parents:
description: |-
Parents is a list of parent resources (usually Gateways) that are
associated with the route, and the status of the route with respect to
each parent. When this route attaches to a parent, the controller that
manages the parent must add an entry to this list when the controller
first sees the route and should update the entry as appropriate when the
route or gateway is modified.
Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this API
can only populate Route status for the Gateways/parent resources they are
responsible for.
A maximum of 32 Gateways will be represented in this list. An empty list
means the route has not been attached to any Gateway.
items:
description: |-
RouteParentStatus describes the status of a route with respect to an
associated Parent.
properties:
conditions:
description: |-
Conditions describes the status of the route with respect to the Gateway.
Note that the route's availability is also subject to the Gateway's own
status conditions and listener status.
If the Route's ParentRef specifies an existing Gateway that supports
Routes of this kind AND that Gateway's controller has sufficient access,
then that Gateway's controller MUST set the "Accepted" condition on the
Route, to indicate whether the route has been accepted or rejected by the
Gateway, and why.
A Route MUST be considered "Accepted" if at least one of the Route's
rules is implemented by the Gateway.
There are a number of cases where the "Accepted" condition may not be set
due to lack of controller visibility, that includes when:
* The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support.
* The Route is in a namespace to which the controller does not have access.
items:
description: Condition contains details for one aspect of the current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: |-
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: |-
ParentRef corresponds with a ParentRef in the spec that this
RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: |-
Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: |-
Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: |-
Name is the name of the referent.
Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: |-
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.
When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: |-
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
* Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
* Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- conditions
- controllerName
- parentRef
type: object
maxItems: 32
type: array
x-kubernetes-list-type: atomic
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
deprecated: true
deprecationWarning: The v1alpha2 version of TLSRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1.
name: v1alpha2
schema:
openAPIV3Schema:
description: |-
The TLSRoute resource is similar to TCPRoute, but can be configured
to match against TLS-specific metadata. This allows more flexibility
in matching streams for a given TLS listener.
properties: properties:
apiVersion: apiVersion:
description: |- description: |-
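Review bot: Documentation nit in the upstream text rendered here: under the `* Service: Port name.` bullet of the `sectionName` description, the sentence still reads "the name and port of the selected listener must match both specified values", which is copied from the Gateway bullet; for a Service the thing selected is a port, not a listener, so "selected port" would be accurate. Nothing to change in this repo since the CRD is rendered from the upstream bundle, but it is worth an upstream issue rather than leaving the two bullets saying the same thing.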
@@ -344,10 +1092,9 @@ spec:
a Service with no endpoints), the rule performs no forwarding; if no a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this underlying implementation must actively reject request attempts to this
backend, by rejecting the connection or returning a 500 status code. backend, by rejecting the connection. Request rejections must respect
Request rejections must respect weight; if an invalid backend is weight; if an invalid backend is requested to have 80% of requests, then
requested to have 80% of requests, then 80% of requests must be rejected 80% of requests must be rejected instead.
instead.
Support: Core for Kubernetes Service Support: Core for Kubernetes Service
@@ -477,10 +1224,7 @@ spec:
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
name: name:
description: |- description: Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended
maxLength: 253 maxLength: 253
minLength: 1 minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -560,7 +1304,7 @@ spec:
* The Route refers to a nonexistent parent. * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support. * The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to. * The Route is in a namespace to which the controller does not have access.
items: items:
description: Condition contains details for one aspect of the current state of this API Resource. description: Condition contains details for one aspect of the current state of this API Resource.
properties: properties:
@@ -798,6 +1542,8 @@ spec:
- jsonPath: .metadata.creationTimestamp - jsonPath: .metadata.creationTimestamp
name: Age name: Age
type: date type: date
deprecated: true
deprecationWarning: The v1alpha3 version of TLSRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1.
name: v1alpha3 name: v1alpha3
schema: schema:
openAPIV3Schema: openAPIV3Schema:
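Review bot: With `deprecated: true` and the `deprecationWarning` now set on v1alpha3 (v1alpha2 carries the same above), every client that still applies a TLSRoute as `gateway.networking.k8s.io/v1alpha3` will get an API-server warning from this upgrade on. Check this repo's own TLSRoute manifests and the versions the Traefik controller watches, and move them to v1 before the alpha versions are dropped from `served`; the warning is the only signal you will get before removal.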
@@ -838,32 +1584,6 @@ spec:
1. IPs are not allowed in SNI hostnames per RFC 6066. 1. IPs are not allowed in SNI hostnames per RFC 6066.
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label must appear by itself as the first label. label must appear by itself as the first label.
If a hostname is specified by both the Listener and TLSRoute, there
must be at least one intersecting hostname for the TLSRoute to be
attached to the Listener. For example:
* A Listener with `test.example.com` as the hostname matches TLSRoutes
that have specified at least one of `test.example.com` or
`*.example.com`.
* A Listener with `*.example.com` as the hostname matches TLSRoutes
that have specified at least one hostname that matches the Listener
hostname. For example, `test.example.com` and `*.example.com` would both
match. On the other hand, `example.com` and `test.example.net` would not
match.
If both the Listener and TLSRoute have specified hostnames, any
TLSRoute hostnames that do not match the Listener hostname MUST be
ignored. For example, if a Listener specified `*.example.com`, and the
TLSRoute specified `test.example.com` and `test.example.net`,
`test.example.net` must not be considered for a match.
If both the Listener and TLSRoute have specified hostnames, and none
match with the criteria above, then the TLSRoute is not accepted. The
implementation must raise an 'Accepted' Condition with a status of
`False` in the corresponding RouteParentStatus.
Support: Core
items: items:
description: |- description: |-
Hostname is the fully qualified domain name of a network host. This matches Hostname is the fully qualified domain name of a network host. This matches
@@ -888,6 +1608,13 @@ spec:
minItems: 1 minItems: 1
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: Hostnames cannot contain an IP
rule: self.all(h, !isIP(h))
- message: Hostnames must be valid based on RFC-1123
rule: 'self.all(h, !h.contains(''*'') ? h.matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'') : true)'
- message: Wildcards on hostnames must be the first label, and the rest of hostname must be valid based on RFC-1123
rule: 'self.all(h, h.contains(''*'') ? (h.startsWith(''*.'') && h.substring(2).matches(''^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'')) : true)'
parentRefs: parentRefs:
description: |- description: |-
ParentRefs references the resources (usually Gateways) that a Route wants ParentRefs references the resources (usually Gateways) that a Route wants
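Review bot: These three CEL rules turn `spec.hostnames` checks (no IP literals, RFC-1123 labels, a wildcard only as the leading `*.` label) into API-server admission for TLSRoute v1alpha3, where previously a bad hostname was only the controller's problem. CEL validation runs on create and update only, so TLSRoutes already in etcd with a non-conforming hostname are not flagged by this change but will be denied on their next write, possibly during an unrelated edit; list the existing TLSRoutes and check their hostnames against the three rules before merging. The `\\.` in the regex is correct as written: the pattern sits inside a single-quoted CEL string, so the double backslash reaches the regex engine as a literal dot.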
@@ -1118,10 +1845,9 @@ spec:
a Service with no endpoints), the rule performs no forwarding; if no a Service with no endpoints), the rule performs no forwarding; if no
filters are specified that would result in a response being sent, the filters are specified that would result in a response being sent, the
underlying implementation must actively reject request attempts to this underlying implementation must actively reject request attempts to this
backend, by rejecting the connection or returning a 500 status code. backend, by rejecting the connection. Request rejections must respect
Request rejections must respect weight; if an invalid backend is weight; if an invalid backend is requested to have 80% of requests, then
requested to have 80% of requests, then 80% of requests must be rejected 80% of requests must be rejected instead.
instead.
Support: Core for Kubernetes Service Support: Core for Kubernetes Service
@@ -1251,10 +1977,7 @@ spec:
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
name: name:
description: |- description: Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
Support: Extended
maxLength: 253 maxLength: 253
minLength: 1 minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -1266,9 +1989,6 @@ spec:
minItems: 1 minItems: 1
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: Rule name must be unique within the route
rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name))
useDefaultGateways: useDefaultGateways:
description: |- description: |-
UseDefaultGateways indicates the default Gateway scope to use for this UseDefaultGateways indicates the default Gateway scope to use for this
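Review bot: The uniqueness rule for `rules[].name` is removed from v1alpha3, but the `name` description in the preceding hunk still says the name MUST be unique within a Route; for this version the API server no longer enforces it, so duplicate rule names will only be caught by the controller, if at all. Confirm that the v1 schema (now the storage version) still carries `self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name))`; if it does not, the MUST in the description is unenforced for objects written through either version.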
@@ -1335,7 +2055,7 @@ spec:
* The Route refers to a nonexistent parent. * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support. * The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to. * The Route is in a namespace to which the controller does not have access.
items: items:
description: Condition contains details for one aspect of the current state of this API Resource. description: Condition contains details for one aspect of the current state of this API Resource.
properties: properties:
@@ -1566,7 +2286,7 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: true storage: false
subresources: subresources:
status: {} status: {}
status: status:
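Review bot: `storage: true` becomes `false` for v1alpha3 while the new v1 block earlier in this file has `storage: true`, so this upgrade changes the CRD's storage version. Objects already persisted as v1alpha3 keep that encoding until they are rewritten, and `status.storedVersions` will list both versions; before v1alpha3 is removed from the served versions, rewrite every existing TLSRoute (a no-op apply or annotate, or the storage version migrator) and then prune `status.storedVersions`, because the API server refuses to drop a version that is still listed there.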

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
@@ -496,7 +496,7 @@ spec:
* The Route refers to a nonexistent parent. * The Route refers to a nonexistent parent.
* The Route is of a type that the controller does not support. * The Route is of a type that the controller does not support.
* The Route is in a namespace the controller does not have access to. * The Route is in a namespace to which the controller does not have access.
items: items:
description: Condition contains details for one aspect of the current state of this API Resource. description: Condition contains details for one aspect of the current state of this API Resource.
properties: properties:

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
@@ -103,7 +103,7 @@ spec:
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string type: string
x-kubernetes-validations: x-kubernetes-validations:
- message: interval can not be greater than one hour or less than one second - message: interval cannot be greater than one hour or less than one second
rule: '!(duration(self) < duration(''1s'') || duration(self) > duration(''1h''))' rule: '!(duration(self) < duration(''1s'') || duration(self) > duration(''1h''))'
percent: percent:
default: 20 default: 20
@@ -151,7 +151,7 @@ spec:
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string type: string
x-kubernetes-validations: x-kubernetes-validations:
- message: interval can not be greater than one hour - message: interval cannot be greater than one hour
rule: '!(duration(self) == duration(''0s'') || duration(self) > duration(''1h''))' rule: '!(duration(self) == duration(''0s'') || duration(self) > duration(''1h''))'
type: object type: object
type: object type: object
@@ -228,7 +228,7 @@ spec:
default: Cookie default: Cookie
description: |- description: |-
Type defines the type of session persistence such as through Type defines the type of session persistence such as through
the use a header or cookie. Defaults to cookie based session the use of a header or cookie. Defaults to cookie based session
persistence. persistence.
Support: Core for "Cookie" type Support: Core for "Cookie" type
@@ -242,6 +242,8 @@ spec:
x-kubernetes-validations: x-kubernetes-validations:
- message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent
rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
- message: cookieConfig can only be set with type Cookie
rule: '!has(self.cookieConfig) || self.type == ''Cookie'''
targetRefs: targetRefs:
description: |- description: |-
TargetRefs identifies API object(s) to apply this policy to. TargetRefs identifies API object(s) to apply this policy to.
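Review bot: The new `cookieConfig can only be set with type Cookie` rule tightens an API that already has stored objects: a session-persistence block that today combines a header-based `type` with a `cookieConfig` is accepted as-is but will be denied on its next update, since CEL rules are evaluated only on create and update. Worth querying the cluster for objects that set `cookieConfig` with a non-Cookie `type` before this CRD lands, so a later unrelated edit does not fail on this rule.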
@@ -249,7 +251,7 @@ spec:
ServiceImport, or any implementation-specific backendRef) are the only ServiceImport, or any implementation-specific backendRef) are the only
valid API target references. valid API target references.
Currently, a TargetRef can not be scoped to a specific port on a Currently, a TargetRef cannot be scoped to a specific port on a
Service. Service.
items: items:
description: |- description: |-

View File

@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0 gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:

View File

@@ -0,0 +1,31 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
annotations:
app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.5.0-dev
gateway.networking.k8s.io/channel: standard
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/managed-by: Helm
name: safe-upgrades.gateway.networking.k8s.io
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups:
- apiextensions.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- '*'
validations:
- expression: object.spec.group != 'gateway.networking.k8s.io' || oldObject == null || ( has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && object.metadata.annotations['gateway.networking.k8s.io/channel'] == 'standard' ) || ( oldObject != null && has(oldObject.metadata.annotations) && oldObject.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/channel') && oldObject.metadata.annotations['gateway.networking.k8s.io/channel'] == 'experimental' )
message: Installing experimental CRDs on top of standard channel CRDs is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install experimental CRDs on top of standard channel CRDs.
reason: Invalid
- expression: object.spec.group != 'gateway.networking.k8s.io' || (has(object.metadata.annotations) && object.metadata.annotations.exists(k, k == 'gateway.networking.k8s.io/bundle-version') && !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v1.[0-4].\\d+') && !matches(object.metadata.annotations['gateway.networking.k8s.io/bundle-version'], 'v0'))
message: Installing CRDs with version before v1.5.0 is prohibited by default. Uninstall ValidatingAdmissionPolicy safe-upgrades.gateway.networking.k8s.io to install older versions.
reason: Invalid
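Review bot: Two things to verify before this policy lands with `failurePolicy: Fail`. First, the second expression requires the `gateway.networking.k8s.io/bundle-version` annotation to be present on every CRD in the `gateway.networking.k8s.io` group (the `has(...) && exists(...)` part must be true for the expression to pass), so a CRD in that group applied by hand or from another distribution without that annotation is denied outright, not only old versions. Second, the CRDs in this same PR are `channel: experimental` (see the `@@ -2,9 +2,9 @@` hunks above) while this policy is `channel: standard` and `bundle-version: v1.5.0-dev` rather than the v1.5.1 the CRDs carry; the first expression only lets this chart's CRDs through because the existing objects are absent or already experimental, so on a cluster that currently holds standard-channel Gateway API CRDs, this chart's own CRDs would be rejected by the policy it ships, exactly as the message says. Minor: the version regex `v1.[0-4].\\d+` leaves the separators as unescaped `.`; it works for real version strings, but `v1\\.[0-4]\\.\\d+` is the precise form.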

View File

@@ -0,0 +1,26 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
annotations:
app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.5.0-dev
gateway.networking.k8s.io/channel: standard
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/managed-by: Helm
name: safe-upgrades.gateway.networking.k8s.io
spec:
matchResources:
resourceRules:
- apiGroups:
- apiextensions.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- customresourcedefinitions
policyName: safe-upgrades.gateway.networking.k8s.io
validationActions:
- Deny

View File

@@ -64,7 +64,7 @@ spec:
envFrom: envFrom:
- secretRef: - secretRef:
name: unpoller-unifi-secret name: unpoller-unifi-secret
image: ghcr.io/unpoller/unpoller:v2.37.0 image: ghcr.io/unpoller/unpoller:v2.38.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: main name: main
resources: resources:
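Review bot: The image bump is tag-only (`ghcr.io/unpoller/unpoller:v2.38.0`), so the manifest does not pin what the tag resolves to, and with `imagePullPolicy: IfNotPresent` each node keeps whichever layer set it pulled first. Pinning the digest as well, `image: ghcr.io/unpoller/unpoller:v2.38.0@sha256:<digest taken from the registry>` (placeholder, not a value from this page), makes the rollout reproducible across nodes and lets the deployed artifact be checked against the release's signature or SBOM if the project publishes them.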