chore: Update manifests after change
@@ -5,7 +5,7 @@ metadata:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
gateway.networking.k8s.io/bundle-version: v1.4.0
|
||||
gateway.networking.k8s.io/channel: standard
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
helm.sh/resource-policy: keep
|
||||
labels:
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
@@ -132,6 +132,108 @@ spec:
|
||||
rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )'
|
||||
- message: Hostname values must be unique
|
||||
rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )'
|
||||
allowedListeners:
|
||||
description: |-
|
||||
AllowedListeners defines which ListenerSets can be attached to this Gateway.
|
||||
While this feature is experimental, the default value is to allow no ListenerSets.
|
||||
properties:
|
||||
namespaces:
|
||||
default:
|
||||
from: None
|
||||
description: |-
|
||||
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
|
||||
While this feature is experimental, the default value is to allow no ListenerSets.
|
||||
properties:
|
||||
from:
|
||||
default: None
|
||||
description: |-
|
||||
From indicates where ListenerSets can attach to this Gateway. Possible
|
||||
values are:
|
||||
|
||||
* Same: Only ListenerSets in the same namespace may be attached to this Gateway.
|
||||
* Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
|
||||
* All: ListenerSets in all namespaces may be attached to this Gateway.
|
||||
* None: Only listeners defined in the Gateway's spec are allowed
|
||||
|
||||
While this feature is experimental, the default value None
|
||||
enum:
|
||||
- All
|
||||
- Selector
|
||||
- Same
|
||||
- None
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
Selector must be specified when From is set to "Selector". In that case,
|
||||
only ListenerSets in Namespaces matching this Selector will be selected by this
|
||||
Gateway. This field is ignored for other values of "From".
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
type: object
|
||||
defaultScope:
|
||||
description: |-
|
||||
DefaultScope, when set, configures the Gateway as a default Gateway,
|
||||
meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
|
||||
attached to it, according to the scope configured here.
|
||||
|
||||
If unset (the default) or set to None, the Gateway will not act as a
|
||||
default Gateway; if set, the Gateway will claim any Route with a
|
||||
matching scope set in its UseDefaultGateway field, subject to the usual
|
||||
rules about which routes the Gateway can attach to.
|
||||
|
||||
Think carefully before using this functionality! While the normal rules
|
||||
about which Route can apply are still enforced, it is simply easier for
|
||||
the wrong Route to be accidentally attached to this Gateway in this
|
||||
configuration. If the Gateway operator is not also the operator in
|
||||
control of the scope (e.g. namespace) with tight controls and checks on
|
||||
what kind of workloads and Routes get added in that scope, we strongly
|
||||
recommend not using this just because it seems convenient, and instead
|
||||
stick to direct Route attachment.
|
||||
enum:
|
||||
- All
|
||||
- None
|
||||
type: string
|
||||
gatewayClassName:
|
||||
description: |-
|
||||
GatewayClassName used for this Gateway. This is the name of a
|
||||
@@ -803,6 +905,362 @@ spec:
|
||||
rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
|
||||
- message: Combination of port, protocol and hostname must be unique for each listener
|
||||
rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
|
||||
tls:
|
||||
description: |-
|
||||
TLS specifies frontend and backend tls configuration for entire gateway.
|
||||
|
||||
Support: Extended
|
||||
properties:
|
||||
backend:
|
||||
description: |-
|
||||
Backend describes TLS configuration for gateway when connecting
|
||||
to backends.
|
||||
|
||||
Note that this contains only details for the Gateway as a TLS client,
|
||||
and does _not_ imply behavior about how to choose which backend should
|
||||
get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
clientCertificateRef:
|
||||
description: |-
|
||||
ClientCertificateRef is a reference to an object that contains a Client
|
||||
Certificate and the associated private key.
|
||||
|
||||
References to a resource in different namespace are invalid UNLESS there
|
||||
is a ReferenceGrant in the target namespace that allows the certificate
|
||||
to be attached. If a ReferenceGrant does not allow this reference, the
|
||||
"ResolvedRefs" condition MUST be set to False for this listener with the
|
||||
"RefNotPermitted" reason.
|
||||
|
||||
ClientCertificateRef can reference to standard Kubernetes resources, i.e.
|
||||
Secret, or implementation-specific custom resources.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
group:
|
||||
default: ""
|
||||
description: |-
|
||||
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
||||
When unspecified or empty string, core API group is inferred.
|
||||
maxLength: 253
|
||||
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||
type: string
|
||||
kind:
|
||||
default: Secret
|
||||
description: Kind is kind of the referent. For example "Secret".
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the referent.
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace is the namespace of the referenced object. When unspecified, the local
|
||||
namespace is inferred.
|
||||
|
||||
Note that when a namespace different than the local namespace is specified,
|
||||
a ReferenceGrant object is required in the referent namespace to allow that
|
||||
namespace's owner to accept the reference. See the ReferenceGrant
|
||||
documentation for details.
|
||||
|
||||
Support: Core
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: object
|
||||
frontend:
|
||||
description: |-
|
||||
Frontend describes TLS config when client connects to Gateway.
|
||||
Support: Core
|
||||
properties:
|
||||
default:
|
||||
description: |-
|
||||
Default specifies the default client certificate validation configuration
|
||||
for all Listeners handling HTTPS traffic, unless a per-port configuration
|
||||
is defined.
|
||||
|
||||
support: Core
|
||||
properties:
|
||||
validation:
|
||||
description: |-
|
||||
Validation holds configuration information for validating the frontend (client).
|
||||
Setting this field will result in mutual authentication when connecting to the gateway.
|
||||
In browsers this may result in a dialog appearing
|
||||
that requests a user to specify the client certificate.
|
||||
The maximum depth of a certificate chain accepted in verification is Implementation specific.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
caCertificateRefs:
|
||||
description: |-
|
||||
CACertificateRefs contains one or more references to
|
||||
Kubernetes objects that contain TLS certificates of
|
||||
the Certificate Authorities that can be used
|
||||
as a trust anchor to validate the certificates presented by the client.
|
||||
|
||||
A single CA certificate reference to a Kubernetes ConfigMap
|
||||
has "Core" support.
|
||||
Implementations MAY choose to support attaching multiple CA certificates to
|
||||
a Listener, but this behavior is implementation-specific.
|
||||
|
||||
Support: Core - A single reference to a Kubernetes ConfigMap
|
||||
with the CA certificate in a key named `ca.crt`.
|
||||
|
||||
Support: Implementation-specific (More than one certificate in a ConfigMap
|
||||
with different keys or more than one reference, or other kinds of resources).
|
||||
|
||||
References to a resource in a different namespace are invalid UNLESS there
|
||||
is a ReferenceGrant in the target namespace that allows the certificate
|
||||
to be attached. If a ReferenceGrant does not allow this reference, the
|
||||
"ResolvedRefs" condition MUST be set to False for this listener with the
|
||||
"RefNotPermitted" reason.
|
||||
items:
|
||||
description: |-
|
||||
ObjectReference identifies an API object including its namespace.
|
||||
|
||||
The API object must be valid in the cluster; the Group and Kind must
|
||||
be registered in the cluster for this reference to be valid.
|
||||
|
||||
References to objects with invalid Group and Kind are not valid, and must
|
||||
be rejected by the implementation, with appropriate Conditions set
|
||||
on the containing object.
|
||||
properties:
|
||||
group:
|
||||
description: |-
|
||||
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
||||
When set to the empty string, core API group is inferred.
|
||||
maxLength: 253
|
||||
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is kind of the referent. For example "ConfigMap" or "Service".
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the referent.
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace is the namespace of the referenced object. When unspecified, the local
|
||||
namespace is inferred.
|
||||
|
||||
Note that when a namespace different than the local namespace is specified,
|
||||
a ReferenceGrant object is required in the referent namespace to allow that
|
||||
namespace's owner to accept the reference. See the ReferenceGrant
|
||||
documentation for details.
|
||||
|
||||
Support: Core
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||
type: string
|
||||
required:
|
||||
- group
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
maxItems: 8
|
||||
minItems: 1
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
mode:
|
||||
default: AllowValidOnly
|
||||
description: |-
|
||||
FrontendValidationMode defines the mode for validating the client certificate.
|
||||
There are two possible modes:
|
||||
|
||||
- AllowValidOnly: In this mode, the gateway will accept connections only if
|
||||
the client presents a valid certificate. This certificate must successfully
|
||||
pass validation against the CA certificates specified in `CACertificateRefs`.
|
||||
- AllowInsecureFallback: In this mode, the gateway will accept connections
|
||||
even if the client certificate is not presented or fails verification.
|
||||
|
||||
This approach delegates client authorization to the backend and introduce
|
||||
a significant security risk. It should be used in testing environments or
|
||||
on a temporary basis in non-testing environments.
|
||||
|
||||
Defaults to AllowValidOnly.
|
||||
|
||||
Support: Core
|
||||
enum:
|
||||
- AllowValidOnly
|
||||
- AllowInsecureFallback
|
||||
type: string
|
||||
required:
|
||||
- caCertificateRefs
|
||||
type: object
|
||||
type: object
|
||||
perPort:
|
||||
description: |-
|
||||
PerPort specifies tls configuration assigned per port.
|
||||
Per port configuration is optional. Once set this configuration overrides
|
||||
the default configuration for all Listeners handling HTTPS traffic
|
||||
that match this port.
|
||||
Each override port requires a unique TLS configuration.
|
||||
|
||||
support: Core
|
||||
items:
|
||||
properties:
|
||||
port:
|
||||
description: |-
|
||||
The Port indicates the Port Number to which the TLS configuration will be
|
||||
applied. This configuration will be applied to all Listeners handling HTTPS
|
||||
traffic that match this port.
|
||||
|
||||
Support: Core
|
||||
format: int32
|
||||
maximum: 65535
|
||||
minimum: 1
|
||||
type: integer
|
||||
tls:
|
||||
description: |-
|
||||
TLS store the configuration that will be applied to all Listeners handling
|
||||
HTTPS traffic and matching given port.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
validation:
|
||||
description: |-
|
||||
Validation holds configuration information for validating the frontend (client).
|
||||
Setting this field will result in mutual authentication when connecting to the gateway.
|
||||
In browsers this may result in a dialog appearing
|
||||
that requests a user to specify the client certificate.
|
||||
The maximum depth of a certificate chain accepted in verification is Implementation specific.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
caCertificateRefs:
|
||||
description: |-
|
||||
CACertificateRefs contains one or more references to
|
||||
Kubernetes objects that contain TLS certificates of
|
||||
the Certificate Authorities that can be used
|
||||
as a trust anchor to validate the certificates presented by the client.
|
||||
|
||||
A single CA certificate reference to a Kubernetes ConfigMap
|
||||
has "Core" support.
|
||||
Implementations MAY choose to support attaching multiple CA certificates to
|
||||
a Listener, but this behavior is implementation-specific.
|
||||
|
||||
Support: Core - A single reference to a Kubernetes ConfigMap
|
||||
with the CA certificate in a key named `ca.crt`.
|
||||
|
||||
Support: Implementation-specific (More than one certificate in a ConfigMap
|
||||
with different keys or more than one reference, or other kinds of resources).
|
||||
|
||||
References to a resource in a different namespace are invalid UNLESS there
|
||||
is a ReferenceGrant in the target namespace that allows the certificate
|
||||
to be attached. If a ReferenceGrant does not allow this reference, the
|
||||
"ResolvedRefs" condition MUST be set to False for this listener with the
|
||||
"RefNotPermitted" reason.
|
||||
items:
|
||||
description: |-
|
||||
ObjectReference identifies an API object including its namespace.
|
||||
|
||||
The API object must be valid in the cluster; the Group and Kind must
|
||||
be registered in the cluster for this reference to be valid.
|
||||
|
||||
References to objects with invalid Group and Kind are not valid, and must
|
||||
be rejected by the implementation, with appropriate Conditions set
|
||||
on the containing object.
|
||||
properties:
|
||||
group:
|
||||
description: |-
|
||||
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
||||
When set to the empty string, core API group is inferred.
|
||||
maxLength: 253
|
||||
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is kind of the referent. For example "ConfigMap" or "Service".
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the referent.
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace is the namespace of the referenced object. When unspecified, the local
|
||||
namespace is inferred.
|
||||
|
||||
Note that when a namespace different than the local namespace is specified,
|
||||
a ReferenceGrant object is required in the referent namespace to allow that
|
||||
namespace's owner to accept the reference. See the ReferenceGrant
|
||||
documentation for details.
|
||||
|
||||
Support: Core
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||
type: string
|
||||
required:
|
||||
- group
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
maxItems: 8
|
||||
minItems: 1
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
mode:
|
||||
default: AllowValidOnly
|
||||
description: |-
|
||||
FrontendValidationMode defines the mode for validating the client certificate.
|
||||
There are two possible modes:
|
||||
|
||||
- AllowValidOnly: In this mode, the gateway will accept connections only if
|
||||
the client presents a valid certificate. This certificate must successfully
|
||||
pass validation against the CA certificates specified in `CACertificateRefs`.
|
||||
- AllowInsecureFallback: In this mode, the gateway will accept connections
|
||||
even if the client certificate is not presented or fails verification.
|
||||
|
||||
This approach delegates client authorization to the backend and introduce
|
||||
a significant security risk. It should be used in testing environments or
|
||||
on a temporary basis in non-testing environments.
|
||||
|
||||
Defaults to AllowValidOnly.
|
||||
|
||||
Support: Core
|
||||
enum:
|
||||
- AllowValidOnly
|
||||
- AllowInsecureFallback
|
||||
type: string
|
||||
required:
|
||||
- caCertificateRefs
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- port
|
||||
- tls
|
||||
type: object
|
||||
maxItems: 64
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- port
|
||||
x-kubernetes-list-type: map
|
||||
x-kubernetes-validations:
|
||||
- message: Port for TLS configuration must be unique within the Gateway
|
||||
rule: self.all(t1, self.exists_one(t2, t1.port == t2.port))
|
||||
required:
|
||||
- default
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- gatewayClassName
|
||||
- listeners
|
||||
@@ -1210,6 +1668,108 @@ spec:
|
||||
rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )'
|
||||
- message: Hostname values must be unique
|
||||
rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value == a1.value) : true )'
|
||||
allowedListeners:
|
||||
description: |-
|
||||
AllowedListeners defines which ListenerSets can be attached to this Gateway.
|
||||
While this feature is experimental, the default value is to allow no ListenerSets.
|
||||
properties:
|
||||
namespaces:
|
||||
default:
|
||||
from: None
|
||||
description: |-
|
||||
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
|
||||
While this feature is experimental, the default value is to allow no ListenerSets.
|
||||
properties:
|
||||
from:
|
||||
default: None
|
||||
description: |-
|
||||
From indicates where ListenerSets can attach to this Gateway. Possible
|
||||
values are:
|
||||
|
||||
* Same: Only ListenerSets in the same namespace may be attached to this Gateway.
|
||||
* Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
|
||||
* All: ListenerSets in all namespaces may be attached to this Gateway.
|
||||
* None: Only listeners defined in the Gateway's spec are allowed
|
||||
|
||||
While this feature is experimental, the default value None
|
||||
enum:
|
||||
- All
|
||||
- Selector
|
||||
- Same
|
||||
- None
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
Selector must be specified when From is set to "Selector". In that case,
|
||||
only ListenerSets in Namespaces matching this Selector will be selected by this
|
||||
Gateway. This field is ignored for other values of "From".
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
type: object
|
||||
defaultScope:
|
||||
description: |-
|
||||
DefaultScope, when set, configures the Gateway as a default Gateway,
|
||||
meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
|
||||
attached to it, according to the scope configured here.
|
||||
|
||||
If unset (the default) or set to None, the Gateway will not act as a
|
||||
default Gateway; if set, the Gateway will claim any Route with a
|
||||
matching scope set in its UseDefaultGateway field, subject to the usual
|
||||
rules about which routes the Gateway can attach to.
|
||||
|
||||
Think carefully before using this functionality! While the normal rules
|
||||
about which Route can apply are still enforced, it is simply easier for
|
||||
the wrong Route to be accidentally attached to this Gateway in this
|
||||
configuration. If the Gateway operator is not also the operator in
|
||||
control of the scope (e.g. namespace) with tight controls and checks on
|
||||
what kind of workloads and Routes get added in that scope, we strongly
|
||||
recommend not using this just because it seems convenient, and instead
|
||||
stick to direct Route attachment.
|
||||
enum:
|
||||
- All
|
||||
- None
|
||||
type: string
|
||||
gatewayClassName:
|
||||
description: |-
|
||||
GatewayClassName used for this Gateway. This is the name of a
|
||||
@@ -1881,6 +2441,362 @@ spec:
|
||||
rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
|
||||
- message: Combination of port, protocol and hostname must be unique for each listener
|
||||
rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
|
||||
tls:
|
||||
description: |-
|
||||
TLS specifies frontend and backend tls configuration for entire gateway.
|
||||
|
||||
Support: Extended
|
||||
properties:
|
||||
backend:
|
||||
description: |-
|
||||
Backend describes TLS configuration for gateway when connecting
|
||||
to backends.
|
||||
|
||||
Note that this contains only details for the Gateway as a TLS client,
|
||||
and does _not_ imply behavior about how to choose which backend should
|
||||
get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
clientCertificateRef:
|
||||
description: |-
|
||||
ClientCertificateRef is a reference to an object that contains a Client
|
||||
Certificate and the associated private key.
|
||||
|
||||
References to a resource in different namespace are invalid UNLESS there
|
||||
is a ReferenceGrant in the target namespace that allows the certificate
|
||||
to be attached. If a ReferenceGrant does not allow this reference, the
|
||||
"ResolvedRefs" condition MUST be set to False for this listener with the
|
||||
"RefNotPermitted" reason.
|
||||
|
||||
ClientCertificateRef can reference to standard Kubernetes resources, i.e.
|
||||
Secret, or implementation-specific custom resources.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
group:
|
||||
default: ""
|
||||
description: |-
|
||||
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
||||
When unspecified or empty string, core API group is inferred.
|
||||
maxLength: 253
|
||||
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||
type: string
|
||||
kind:
|
||||
default: Secret
|
||||
description: Kind is kind of the referent. For example "Secret".
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the referent.
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace is the namespace of the referenced object. When unspecified, the local
|
||||
namespace is inferred.
|
||||
|
||||
Note that when a namespace different than the local namespace is specified,
|
||||
a ReferenceGrant object is required in the referent namespace to allow that
|
||||
namespace's owner to accept the reference. See the ReferenceGrant
|
||||
documentation for details.
|
||||
|
||||
Support: Core
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: object
|
||||
frontend:
|
||||
description: |-
|
||||
Frontend describes TLS config when client connects to Gateway.
|
||||
Support: Core
|
||||
properties:
|
||||
default:
|
||||
description: |-
|
||||
Default specifies the default client certificate validation configuration
|
||||
for all Listeners handling HTTPS traffic, unless a per-port configuration
|
||||
is defined.
|
||||
|
||||
support: Core
|
||||
properties:
|
||||
validation:
|
||||
description: |-
|
||||
Validation holds configuration information for validating the frontend (client).
|
||||
Setting this field will result in mutual authentication when connecting to the gateway.
|
||||
In browsers this may result in a dialog appearing
|
||||
that requests a user to specify the client certificate.
|
||||
The maximum depth of a certificate chain accepted in verification is Implementation specific.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
caCertificateRefs:
|
||||
description: |-
|
||||
CACertificateRefs contains one or more references to
|
||||
Kubernetes objects that contain TLS certificates of
|
||||
the Certificate Authorities that can be used
|
||||
as a trust anchor to validate the certificates presented by the client.
|
||||
|
||||
A single CA certificate reference to a Kubernetes ConfigMap
|
||||
has "Core" support.
|
||||
Implementations MAY choose to support attaching multiple CA certificates to
|
||||
a Listener, but this behavior is implementation-specific.
|
||||
|
||||
Support: Core - A single reference to a Kubernetes ConfigMap
|
||||
with the CA certificate in a key named `ca.crt`.
|
||||
|
||||
Support: Implementation-specific (More than one certificate in a ConfigMap
|
||||
with different keys or more than one reference, or other kinds of resources).
|
||||
|
||||
References to a resource in a different namespace are invalid UNLESS there
|
||||
is a ReferenceGrant in the target namespace that allows the certificate
|
||||
to be attached. If a ReferenceGrant does not allow this reference, the
|
||||
"ResolvedRefs" condition MUST be set to False for this listener with the
|
||||
"RefNotPermitted" reason.
|
||||
items:
|
||||
description: |-
|
||||
ObjectReference identifies an API object including its namespace.
|
||||
|
||||
The API object must be valid in the cluster; the Group and Kind must
|
||||
be registered in the cluster for this reference to be valid.
|
||||
|
||||
References to objects with invalid Group and Kind are not valid, and must
|
||||
be rejected by the implementation, with appropriate Conditions set
|
||||
on the containing object.
|
||||
properties:
|
||||
group:
|
||||
description: |-
|
||||
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
||||
When set to the empty string, core API group is inferred.
|
||||
maxLength: 253
|
||||
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is kind of the referent. For example "ConfigMap" or "Service".
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the referent.
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace is the namespace of the referenced object. When unspecified, the local
|
||||
namespace is inferred.
|
||||
|
||||
Note that when a namespace different than the local namespace is specified,
|
||||
a ReferenceGrant object is required in the referent namespace to allow that
|
||||
namespace's owner to accept the reference. See the ReferenceGrant
|
||||
documentation for details.
|
||||
|
||||
Support: Core
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||
type: string
|
||||
required:
|
||||
- group
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
maxItems: 8
|
||||
minItems: 1
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
mode:
|
||||
default: AllowValidOnly
|
||||
description: |-
|
||||
FrontendValidationMode defines the mode for validating the client certificate.
|
||||
There are two possible modes:
|
||||
|
||||
- AllowValidOnly: In this mode, the gateway will accept connections only if
|
||||
the client presents a valid certificate. This certificate must successfully
|
||||
pass validation against the CA certificates specified in `CACertificateRefs`.
|
||||
- AllowInsecureFallback: In this mode, the gateway will accept connections
|
||||
even if the client certificate is not presented or fails verification.
|
||||
|
||||
This approach delegates client authorization to the backend and introduce
|
||||
a significant security risk. It should be used in testing environments or
|
||||
on a temporary basis in non-testing environments.
|
||||
|
||||
Defaults to AllowValidOnly.
|
||||
|
||||
Support: Core
|
||||
enum:
|
||||
- AllowValidOnly
|
||||
- AllowInsecureFallback
|
||||
type: string
|
||||
required:
|
||||
- caCertificateRefs
|
||||
type: object
|
||||
type: object
|
||||
perPort:
|
||||
description: |-
|
||||
PerPort specifies tls configuration assigned per port.
|
||||
Per port configuration is optional. Once set this configuration overrides
|
||||
the default configuration for all Listeners handling HTTPS traffic
|
||||
that match this port.
|
||||
Each override port requires a unique TLS configuration.
|
||||
|
||||
support: Core
|
||||
items:
|
||||
properties:
|
||||
port:
|
||||
description: |-
|
||||
The Port indicates the Port Number to which the TLS configuration will be
|
||||
applied. This configuration will be applied to all Listeners handling HTTPS
|
||||
traffic that match this port.
|
||||
|
||||
Support: Core
|
||||
format: int32
|
||||
maximum: 65535
|
||||
minimum: 1
|
||||
type: integer
|
||||
tls:
|
||||
description: |-
|
||||
TLS store the configuration that will be applied to all Listeners handling
|
||||
HTTPS traffic and matching given port.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
validation:
|
||||
description: |-
|
||||
Validation holds configuration information for validating the frontend (client).
|
||||
Setting this field will result in mutual authentication when connecting to the gateway.
|
||||
In browsers this may result in a dialog appearing
|
||||
that requests a user to specify the client certificate.
|
||||
The maximum depth of a certificate chain accepted in verification is Implementation specific.
|
||||
|
||||
Support: Core
|
||||
properties:
|
||||
caCertificateRefs:
|
||||
description: |-
|
||||
CACertificateRefs contains one or more references to
|
||||
Kubernetes objects that contain TLS certificates of
|
||||
the Certificate Authorities that can be used
|
||||
as a trust anchor to validate the certificates presented by the client.
|
||||
|
||||
A single CA certificate reference to a Kubernetes ConfigMap
|
||||
has "Core" support.
|
||||
Implementations MAY choose to support attaching multiple CA certificates to
|
||||
a Listener, but this behavior is implementation-specific.
|
||||
|
||||
Support: Core - A single reference to a Kubernetes ConfigMap
|
||||
with the CA certificate in a key named `ca.crt`.
|
||||
|
||||
Support: Implementation-specific (More than one certificate in a ConfigMap
|
||||
with different keys or more than one reference, or other kinds of resources).
|
||||
|
||||
References to a resource in a different namespace are invalid UNLESS there
|
||||
is a ReferenceGrant in the target namespace that allows the certificate
|
||||
to be attached. If a ReferenceGrant does not allow this reference, the
|
||||
"ResolvedRefs" condition MUST be set to False for this listener with the
|
||||
"RefNotPermitted" reason.
|
||||
items:
|
||||
description: |-
|
||||
ObjectReference identifies an API object including its namespace.
|
||||
|
||||
The API object must be valid in the cluster; the Group and Kind must
|
||||
be registered in the cluster for this reference to be valid.
|
||||
|
||||
References to objects with invalid Group and Kind are not valid, and must
|
||||
be rejected by the implementation, with appropriate Conditions set
|
||||
on the containing object.
|
||||
properties:
|
||||
group:
|
||||
description: |-
|
||||
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
||||
When set to the empty string, core API group is inferred.
|
||||
maxLength: 253
|
||||
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||
type: string
|
||||
kind:
|
||||
description: Kind is kind of the referent. For example "ConfigMap" or "Service".
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the referent.
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace is the namespace of the referenced object. When unspecified, the local
|
||||
namespace is inferred.
|
||||
|
||||
Note that when a namespace different than the local namespace is specified,
|
||||
a ReferenceGrant object is required in the referent namespace to allow that
|
||||
namespace's owner to accept the reference. See the ReferenceGrant
|
||||
documentation for details.
|
||||
|
||||
Support: Core
|
||||
maxLength: 63
|
||||
minLength: 1
|
||||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||
type: string
|
||||
required:
|
||||
- group
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
maxItems: 8
|
||||
minItems: 1
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
mode:
|
||||
default: AllowValidOnly
|
||||
description: |-
|
||||
FrontendValidationMode defines the mode for validating the client certificate.
|
||||
There are two possible modes:
|
||||
|
||||
- AllowValidOnly: In this mode, the gateway will accept connections only if
|
||||
the client presents a valid certificate. This certificate must successfully
|
||||
pass validation against the CA certificates specified in `CACertificateRefs`.
|
||||
- AllowInsecureFallback: In this mode, the gateway will accept connections
|
||||
even if the client certificate is not presented or fails verification.
|
||||
|
||||
This approach delegates client authorization to the backend and introduce
|
||||
a significant security risk. It should be used in testing environments or
|
||||
on a temporary basis in non-testing environments.
|
||||
|
||||
Defaults to AllowValidOnly.
|
||||
|
||||
Support: Core
|
||||
enum:
|
||||
- AllowValidOnly
|
||||
- AllowInsecureFallback
|
||||
type: string
|
||||
required:
|
||||
- caCertificateRefs
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- port
|
||||
- tls
|
||||
type: object
|
||||
maxItems: 64
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- port
|
||||
x-kubernetes-list-type: map
|
||||
x-kubernetes-validations:
|
||||
- message: Port for TLS configuration must be unique within the Gateway
|
||||
rule: self.all(t1, self.exists_one(t2, t1.port == t2.port))
|
||||
required:
|
||||
- default
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- gatewayClassName
|
||||
- listeners
|
||||
|
||||