chore: Update manifests after change

2026-03-24 15:27:02 +00:00
parent c57dd2ed86
commit cd8cd8b606
14 changed files with 1785 additions and 371 deletions


@@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/4530
app.kubernetes.io/managed-by: Helm
gateway.networking.k8s.io/bundle-version: v1.4.0
gateway.networking.k8s.io/bundle-version: v1.5.1
gateway.networking.k8s.io/channel: experimental
helm.sh/resource-policy: keep
labels:
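Review bot: the commit message does not say where these manifests were regenerated from, while this hunk moves `gateway.networking.k8s.io/bundle-version` from v1.4.0 to v1.5.1 and `api-approved.kubernetes.io` from pull/3328 to pull/4530, i.e. two minor releases of `experimental`-channel CRDs in one chore commit. Please record the upstream bundle version and the generation command in the message, and confirm the chart's appVersion/values in the other changed files were bumped in step: with `helm.sh/resource-policy: keep` these CRDs survive an uninstall and a later chart downgrade will not roll them back.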
@@ -135,14 +135,14 @@ spec:
allowedListeners:
description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets.
The default value is to allow no ListenerSets.
properties:
namespaces:
default:
from: None
description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets.
The default value is to allow no ListenerSets.
properties:
from:
default: None
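Review bot: wording only; `default: from: None` is unchanged, so a Gateway still attaches no ListenerSets unless its owner opts in. The new text drops the "While this feature is experimental" qualifier even though the CRD is still published on the `experimental` channel (annotation at the top of this file); that is upstream wording, so leave it as generated rather than hand-editing it here.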
@@ -155,7 +155,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed
While this feature is experimental, the default value None
The default value None
enum:
- All
- Selector
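Review bot: the new line `The default value None` is missing its verb (should read "The default value is None"). Since this file is generated from upstream gateway-api, fix it there rather than in this manifest, otherwise the next regeneration reverts the correction.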
@@ -694,7 +694,7 @@ spec:
the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello)
does not match the Host:
* If another Listener does match the Host the Gateway SHOULD return a
* If another Listener does match the Host, the Gateway SHOULD return a
421.
* If no other Listener matches the Host, the Gateway MUST return a
404.
@@ -899,6 +899,8 @@ spec:
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)'
- message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)'
- message: tls mode must be set for protocol TLS
rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)'
- message: Listener name must be unique within the Gateway
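Review bot: the added CEL rule `tls mode must be set for protocol TLS` is an admission tightening, not a documentation change: a listener with `protocol: TLS` whose `tls` block omits `mode` (or sets it to the empty string) now fails on create and on the next update of an already-existing Gateway. Before rolling this CRD, grep the repo's Gateway manifests and templates for `protocol: TLS` and make sure each sets `tls.mode` explicitly (`Terminate` or `Passthrough`), or the first reconcile that touches those objects will be rejected. Minor: the extra parentheses around the whole ternary differ from the style of the neighbouring rules.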
@@ -924,19 +926,30 @@ spec:
properties:
clientCertificateRef:
description: |-
ClientCertificateRef is a reference to an object that contains a Client
Certificate and the associated private key.
ClientCertificateRef references an object that contains a client certificate
and its associated private key. It can reference standard Kubernetes resources,
i.e., Secret, or implementation-specific custom resources.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
A ClientCertificateRef is considered invalid if:
ClientCertificateRef can reference to standard Kubernetes resources, i.e.
Secret, or implementation-specific custom resources.
* It refers to a resource that cannot be resolved (e.g., the referenced resource
does not exist) or is misconfigured (e.g., a Secret does not contain the keys
named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
and the Message of the Condition MUST indicate why the reference is invalid.
Support: Core
* It refers to a resource in another namespace UNLESS there is a ReferenceGrant
in the target namespace that allows the certificate to be attached.
If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the certificate
content (e.g., checking expiry or enforcing specific formats). In such cases,
an implementation-specific Reason and Message MUST be set.
Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
Support: Implementation-specific - Other resource kinds or Secrets with a
different type (e.g., `Opaque`).
properties:
group:
default: ""
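Review bot: the rewritten `clientCertificateRef` description changes where failures are reported and what counts as Core: `InvalidClientCertificateRef` and `RefNotPermitted` are now set on the Gateway's `ResolvedRefs` condition rather than "for this listener", and Core support is narrowed to Secrets of type `kubernetes.io/tls`, so a client certificate held in an `Opaque` Secret becomes implementation-specific. If any manifest in this repo references the backend client certificate through an `Opaque` Secret it now depends on a controller extension rather than the spec; either convert it to `kubernetes.io/tls` or document the dependency. Only `description` changes here, so admission is unaffected.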
@@ -1002,27 +1015,49 @@ spec:
properties:
caCertificateRefs:
description: |-
CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.
CACertificateRefs contains one or more references to Kubernetes
objects that contain a PEM-encoded TLS CA certificate bundle, which
is used as a trust anchor to validate the certificates presented by
the client.
A single CA certificate reference to a Kubernetes ConfigMap
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
A CACertificateRef is invalid if:
Support: Core - A single reference to a Kubernetes ConfigMap
with the CA certificate in a key named `ca.crt`.
* It refers to a resource that cannot be resolved (e.g., the
referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap
with different keys or more than one reference, or other kinds of resources).
* It refers to an unknown or unsupported kind of resource. In this
case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
* It refers to a resource in another namespace UNLESS there is a
ReferenceGrant in the target namespace that allows the CA
certificate to be attached. If a ReferenceGrant does not allow this
reference, the `ResolvedRefs` on all matching HTTPS listeners condition
MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
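Review bot: the substantive change in this hunk is the fail-closed rule: when ALL `caCertificateRefs` are invalid, the listener's `Accepted` condition MUST be `False` with reason `NoValidCACertificate`, i.e. the listener stops serving rather than serving HTTPS without client-certificate validation. Please confirm the controller deployed alongside this chart implements that, together with the new `InvalidCACertificateKind` reason, before shipping a description that promises it; otherwise a broken CA reference could silently degrade an mTLS listener to one-way TLS. Also, `the ResolvedRefs on all matching HTTPS listeners condition MUST be set` has its words out of order (should read "the ResolvedRefs condition on all matching HTTPS listeners"); upstream text, fix it there.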
@@ -1144,27 +1179,49 @@ spec:
properties:
caCertificateRefs:
description: |-
CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.
CACertificateRefs contains one or more references to Kubernetes
objects that contain a PEM-encoded TLS CA certificate bundle, which
is used as a trust anchor to validate the certificates presented by
the client.
A single CA certificate reference to a Kubernetes ConfigMap
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
A CACertificateRef is invalid if:
Support: Core - A single reference to a Kubernetes ConfigMap
with the CA certificate in a key named `ca.crt`.
* It refers to a resource that cannot be resolved (e.g., the
referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap
with different keys or more than one reference, or other kinds of resources).
* It refers to an unknown or unsupported kind of resource. In this
case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
* It refers to a resource in another namespace UNLESS there is a
ReferenceGrant in the target namespace that allows the CA
certificate to be attached. If a ReferenceGrant does not allow this
reference, the `ResolvedRefs` on all matching HTTPS listeners condition
MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
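Review bot: this hunk is a byte-identical copy of the `caCertificateRefs` rewrite above (the same description appears a second time in this file), so the fail-closed `NoValidCACertificate` point and the out-of-order `ResolvedRefs ... condition` sentence apply here unchanged; nothing to fix separately, but an upstream correction must regenerate every copy, not just the first.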
@@ -1333,6 +1390,20 @@ spec:
maxItems: 16
type: array
x-kubernetes-list-type: atomic
attachedListenerSets:
description: |-
AttachedListenerSets represents the total number of ListenerSets that have been
successfully attached to this Gateway.
A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
- The ListenerSet is selected by the Gateway's AllowedListeners field
- The ListenerSet has a valid ParentRef selecting the Gateway
- The ListenerSet's status has the condition "Accepted: true"
Uses for this field include troubleshooting AttachedListenerSets attachment and
measuring blast radius/impact of changes to a Gateway.
format: int32
type: integer
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
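Review bot: the new `attachedListenerSets` status counter is only added to the schema here, and a controller built against v1.4.0 will never populate it, so anything using it for blast-radius estimates must treat an absent field as unknown rather than as zero ListenerSets. Minor: `troubleshooting AttachedListenerSets attachment` in the description should read "troubleshooting ListenerSet attachment"; upstream wording.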
@@ -1435,8 +1506,11 @@ spec:
attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
for Listeners with condition Accepted: false and MUST count successfully
attached Routes that may themselves have Accepted: false conditions.
for Listeners, even if the Accepted condition of an individual Listener is set
to "False". The AttachedRoutes number represents the number of Routes with
the Accepted condition set to "True" that have been attached to this Listener.
Routes with any other value for the Accepted condition MUST NOT be included
in this count.
Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener.
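Review bot: this is a semantic change to a status field presented as a wording fix. The removed text counted successfully attached Routes "that may themselves have Accepted: false conditions"; the new text says Routes with any `Accepted` value other than `True` "MUST NOT be included in this count". Any alert, dashboard or blast-radius check built on `attachedRoutes` will see the count drop once the controller adopts the v1.5.1 semantics, and until it does the field will not match its own description. Call this out in the commit message or release notes.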
@@ -1511,7 +1585,7 @@ spec:
supportedKinds:
description: |-
SupportedKinds is the list indicating the Kinds supported by this
listener. This MUST represent the kinds an implementation supports for
listener. This MUST represent the kinds supported by an implementation for
that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT
@@ -1544,7 +1618,6 @@ spec:
- attachedRoutes
- conditions
- name
- supportedKinds
type: object
maxItems: 64
type: array
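Review bot: removing `supportedKinds` from the listener status `required` list loosens validation: a status entry without it is now admitted. Anything in this repo that reads `status.listeners[].supportedKinds` (scripts or policies deciding which Route kinds a listener accepts) must handle the field being absent, and an absent list must not be read as "all kinds supported".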
@@ -1671,14 +1744,14 @@ spec:
allowedListeners:
description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets.
The default value is to allow no ListenerSets.
properties:
namespaces:
default:
from: None
description: |-
Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no ListenerSets.
The default value is to allow no ListenerSets.
properties:
from:
default: None
@@ -1691,7 +1764,7 @@ spec:
* All: ListenerSets in all namespaces may be attached to this Gateway.
* None: Only listeners defined in the Gateway's spec are allowed
While this feature is experimental, the default value None
The default value None
enum:
- All
- Selector
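Review bot: same missing verb in `The default value None` as in the first copy of this enum description earlier in the file; fix upstream so both copies regenerate correctly.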
@@ -2230,7 +2303,7 @@ spec:
the Gateway SHOULD return a 421.
* If the current Listener (selected by SNI matching during ClientHello)
does not match the Host:
* If another Listener does match the Host the Gateway SHOULD return a
* If another Listener does match the Host, the Gateway SHOULD return a
421.
* If no other Listener matches the Host, the Gateway MUST return a
404.
@@ -2435,6 +2508,8 @@ spec:
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? !has(l.tls) : true)'
- message: tls mode must be Terminate for protocol HTTPS
rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode == '''' || l.tls.mode == ''Terminate'') : true)'
- message: tls mode must be set for protocol TLS
rule: 'self.all(l, (l.protocol == ''TLS'' ? has(l.tls) && has(l.tls.mode) && l.tls.mode != '''' : true))'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) || l.hostname == '''') : true)'
- message: Listener name must be unique within the Gateway
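Review bot: same admission tightening as the first copy of the `tls mode must be set for protocol TLS` rule earlier in this file; the check for `protocol: TLS` listeners without an explicit `tls.mode` has to cover objects validated by either copy of the schema.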
@@ -2460,19 +2535,30 @@ spec:
properties:
clientCertificateRef:
description: |-
ClientCertificateRef is a reference to an object that contains a Client
Certificate and the associated private key.
ClientCertificateRef references an object that contains a client certificate
and its associated private key. It can reference standard Kubernetes resources,
i.e., Secret, or implementation-specific custom resources.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
A ClientCertificateRef is considered invalid if:
ClientCertificateRef can reference to standard Kubernetes resources, i.e.
Secret, or implementation-specific custom resources.
* It refers to a resource that cannot be resolved (e.g., the referenced resource
does not exist) or is misconfigured (e.g., a Secret does not contain the keys
named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
and the Message of the Condition MUST indicate why the reference is invalid.
Support: Core
* It refers to a resource in another namespace UNLESS there is a ReferenceGrant
in the target namespace that allows the certificate to be attached.
If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the certificate
content (e.g., checking expiry or enforcing specific formats). In such cases,
an implementation-specific Reason and Message MUST be set.
Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
Support: Implementation-specific - Other resource kinds or Secrets with a
different type (e.g., `Opaque`).
properties:
group:
default: ""
@@ -2538,27 +2624,49 @@ spec:
properties:
caCertificateRefs:
description: |-
CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.
CACertificateRefs contains one or more references to Kubernetes
objects that contain a PEM-encoded TLS CA certificate bundle, which
is used as a trust anchor to validate the certificates presented by
the client.
A single CA certificate reference to a Kubernetes ConfigMap
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
A CACertificateRef is invalid if:
Support: Core - A single reference to a Kubernetes ConfigMap
with the CA certificate in a key named `ca.crt`.
* It refers to a resource that cannot be resolved (e.g., the
referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap
with different keys or more than one reference, or other kinds of resources).
* It refers to an unknown or unsupported kind of resource. In this
case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
* It refers to a resource in another namespace UNLESS there is a
ReferenceGrant in the target namespace that allows the CA
certificate to be attached. If a ReferenceGrant does not allow this
reference, the `ResolvedRefs` on all matching HTTPS listeners condition
MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -2680,27 +2788,49 @@ spec:
properties:
caCertificateRefs:
description: |-
CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.
CACertificateRefs contains one or more references to Kubernetes
objects that contain a PEM-encoded TLS CA certificate bundle, which
is used as a trust anchor to validate the certificates presented by
the client.
A single CA certificate reference to a Kubernetes ConfigMap
has "Core" support.
Implementations MAY choose to support attaching multiple CA certificates to
a Listener, but this behavior is implementation-specific.
A CACertificateRef is invalid if:
Support: Core - A single reference to a Kubernetes ConfigMap
with the CA certificate in a key named `ca.crt`.
* It refers to a resource that cannot be resolved (e.g., the
referenced resource does not exist) or is misconfigured (e.g., a
ConfigMap does not contain a key named `ca.crt`). In this case, the
Reason on all matching HTTPS listeners must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
Support: Implementation-specific (More than one certificate in a ConfigMap
with different keys or more than one reference, or other kinds of resources).
* It refers to an unknown or unsupported kind of resource. In this
case, the Reason on all matching HTTPS listeners must be set to
`InvalidCACertificateKind` and the Message of the Condition must explain
which kind of resource is unknown or unsupported.
References to a resource in a different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. If a ReferenceGrant does not allow this reference, the
"ResolvedRefs" condition MUST be set to False for this listener with the
"RefNotPermitted" reason.
* It refers to a resource in another namespace UNLESS there is a
ReferenceGrant in the target namespace that allows the CA
certificate to be attached. If a ReferenceGrant does not allow this
reference, the `ResolvedRefs` on all matching HTTPS listeners condition
MUST be set with the Reason `RefNotPermitted`.
Implementations MAY choose to perform further validation of the
certificate content (e.g., checking expiry or enforcing specific formats).
In such cases, an implementation-specific Reason and Message MUST be set.
In all cases, the implementation MUST ensure that the `ResolvedRefs`
condition is set to `status: False` on all targeted listeners (i.e.,
listeners serving HTTPS on a matching port). The condition MUST
include a Reason and Message that indicate the cause of the error. If
ALL CACertificateRefs are invalid, the implementation MUST also ensure
the `Accepted` condition on the listener is set to `status: False`, with
the Reason `NoValidCACertificate`.
Implementations MAY choose to support attaching multiple CA certificates
to a listener, but this behavior is implementation-specific.
Support: Core - A single reference to a Kubernetes ConfigMap, with the
CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items:
description: |-
ObjectReference identifies an API object including its namespace.
@@ -2869,6 +2999,20 @@ spec:
maxItems: 16
type: array
x-kubernetes-list-type: atomic
attachedListenerSets:
description: |-
AttachedListenerSets represents the total number of ListenerSets that have been
successfully attached to this Gateway.
A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
- The ListenerSet is selected by the Gateway's AllowedListeners field
- The ListenerSet has a valid ParentRef selecting the Gateway
- The ListenerSet's status has the condition "Accepted: true"
Uses for this field include troubleshooting AttachedListenerSets attachment and
measuring blast radius/impact of changes to a Gateway.
format: int32
type: integer
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
@@ -2971,8 +3115,11 @@ spec:
attachment semantics can be found in the documentation on the various
Route kinds ParentRefs fields). Listener or Route status does not impact
successful attachment, i.e. the AttachedRoutes field count MUST be set
for Listeners with condition Accepted: false and MUST count successfully
attached Routes that may themselves have Accepted: false conditions.
for Listeners, even if the Accepted condition of an individual Listener is set
to "False". The AttachedRoutes number represents the number of Routes with
the Accepted condition set to "True" that have been attached to this Listener.
Routes with any other value for the Accepted condition MUST NOT be included
in this count.
Uses for this field include troubleshooting Route attachment and
measuring blast radius/impact of changes to a Listener.
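Review bot: same `attachedRoutes` semantic change as in the first copy of this description: only Routes with `Accepted: True` are counted from v1.5.1 on, so consumers of this counter see lower numbers once the controller catches up. One release-note entry covering both copies is enough.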
@@ -3047,7 +3194,7 @@ spec:
supportedKinds:
description: |-
SupportedKinds is the list indicating the Kinds supported by this
listener. This MUST represent the kinds an implementation supports for
listener. This MUST represent the kinds supported by an implementation for
that Listener configuration.
If kinds are specified in Spec that are not supported, they MUST NOT
@@ -3080,7 +3227,6 @@ spec:
- attachedRoutes
- conditions
- name
- supportedKinds
type: object
maxItems: 64
type: array
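Review bot: same loosening as the earlier removal of `supportedKinds` from the listener status `required` list; consumers of `status.listeners[].supportedKinds` must tolerate its absence under either copy of the schema.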