1291 lines
75 KiB
Io
1291 lines
75 KiB
Io
---
|
|
# Source: traefik/charts/traefik/crds/gateway-standard-install.yaml
|
|
# Copyright 2025 The Kubernetes Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
#
|
|
# Gateway API Standard channel install
|
|
#
|
|
---
|
|
#
|
|
# config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml
|
|
#
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
|
|
gateway.networking.k8s.io/bundle-version: v1.4.0
|
|
gateway.networking.k8s.io/channel: standard
|
|
labels:
|
|
gateway.networking.k8s.io/policy: Direct
|
|
name: backendtlspolicies.gateway.networking.k8s.io
|
|
spec:
|
|
group: gateway.networking.k8s.io
|
|
names:
|
|
categories:
|
|
- gateway-api
|
|
kind: BackendTLSPolicy
|
|
listKind: BackendTLSPolicyList
|
|
plural: backendtlspolicies
|
|
shortNames:
|
|
- btlspolicy
|
|
singular: backendtlspolicy
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
BackendTLSPolicy provides a way to configure how a Gateway
|
|
connects to a Backend via TLS.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec defines the desired state of BackendTLSPolicy.
|
|
properties:
|
|
options:
|
|
additionalProperties:
|
|
description: |-
|
|
AnnotationValue is the value of an annotation in Gateway API. This is used
|
|
for validation of maps such as TLS options. This roughly matches Kubernetes
|
|
annotation validation, although the length validation in that case is based
|
|
on the entire size of the annotations struct.
|
|
maxLength: 4096
|
|
minLength: 0
|
|
type: string
|
|
description: |-
|
|
Options are a list of key/value pairs to enable extended TLS
|
|
configuration for each implementation. For example, configuring the
|
|
minimum TLS version or supported cipher suites.
|
|
|
|
A set of common keys MAY be defined by the API in the future. To avoid
|
|
any ambiguity, implementation-specific definitions MUST use
|
|
domain-prefixed names, such as `example.com/my-custom-option`.
|
|
Un-prefixed names are reserved for key names defined by Gateway API.
|
|
|
|
Support: Implementation-specific
|
|
maxProperties: 16
|
|
type: object
|
|
targetRefs:
|
|
description: |-
|
|
TargetRefs identifies an API object to apply the policy to.
|
|
Only Services have Extended support. Implementations MAY support
|
|
additional objects, with Implementation Specific support.
|
|
Note that this config applies to the entire referenced resource
|
|
by default, but this default may change in the future to provide
|
|
a more granular application of the policy.
|
|
|
|
TargetRefs must be _distinct_. This means either that:
|
|
|
|
* They select different targets. If this is the case, then targetRef
|
|
entries are distinct. In terms of fields, this means that the
|
|
multi-part key defined by `group`, `kind`, and `name` must
|
|
be unique across all targetRef entries in the BackendTLSPolicy.
|
|
* They select different sectionNames in the same target.
|
|
|
|
When more than one BackendTLSPolicy selects the same target and
|
|
sectionName, implementations MUST determine precedence using the
|
|
following criteria, continuing on ties:
|
|
|
|
* The older policy by creation timestamp takes precedence. For
|
|
example, a policy with a creation timestamp of "2021-07-15
|
|
01:02:03" MUST be given precedence over a policy with a
|
|
creation timestamp of "2021-07-15 01:02:04".
|
|
* The policy appearing first in alphabetical order by {name}.
|
|
For example, a policy named `bar` is given precedence over a
|
|
policy named `baz`.
|
|
|
|
For any BackendTLSPolicy that does not take precedence, the
|
|
implementation MUST ensure the `Accepted` Condition is set to
|
|
`status: False`, with Reason `Conflicted`.
|
|
|
|
Support: Extended for Kubernetes Service
|
|
|
|
Support: Implementation-specific for any other resource
|
|
items:
|
|
description: |-
|
|
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
|
|
direct policy to. This should be used as part of Policy resources that can
|
|
target single resources. For more information on how this policy attachment
|
|
mode works, and a sample Policy resource, refer to the policy attachment
|
|
documentation for Gateway API.
|
|
|
|
Note: This should only be used for direct policy attachment when references
|
|
to SectionName are actually needed. In all other cases,
|
|
LocalPolicyTargetReference should be used.
|
|
properties:
|
|
group:
|
|
description: Group is the group of the target resource.
|
|
maxLength: 253
|
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
kind:
|
|
description: Kind is kind of the target resource.
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
type: string
|
|
name:
|
|
description: Name is the name of the target resource.
|
|
maxLength: 253
|
|
minLength: 1
|
|
type: string
|
|
sectionName:
|
|
description: |-
|
|
SectionName is the name of a section within the target resource. When
|
|
unspecified, this targetRef targets the entire resource. In the following
|
|
resources, SectionName is interpreted as the following:
|
|
|
|
* Gateway: Listener name
|
|
* HTTPRoute: HTTPRouteRule name
|
|
* Service: Port name
|
|
|
|
If a SectionName is specified, but does not exist on the targeted object,
|
|
the Policy must fail to attach, and the policy implementation should record
|
|
a `ResolvedRefs` or similar Condition in the Policy's status.
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- name
|
|
type: object
|
|
maxItems: 16
|
|
minItems: 1
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
x-kubernetes-validations:
|
|
- message: sectionName must be specified when targetRefs includes 2 or more references to the same target
|
|
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) : true))'
|
|
- message: sectionName must be unique when targetRefs includes 2 or more references to the same target
|
|
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))
|
|
validation:
|
|
description: Validation contains backend TLS validation configuration.
|
|
properties:
|
|
caCertificateRefs:
|
|
description: |-
|
|
CACertificateRefs contains one or more references to Kubernetes objects that
|
|
contain a PEM-encoded TLS CA certificate bundle, which is used to
|
|
validate a TLS handshake between the Gateway and backend Pod.
|
|
|
|
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
|
|
specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
|
|
not both. If CACertificateRefs is empty or unspecified, the configuration for
|
|
WellKnownCACertificates MUST be honored instead if supported by the implementation.
|
|
|
|
A CACertificateRef is invalid if:
|
|
|
|
* It refers to a resource that cannot be resolved (e.g., the referenced resource
|
|
does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
|
|
named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
|
|
and the Message of the Condition must indicate which reference is invalid and why.
|
|
|
|
* It refers to an unknown or unsupported kind of resource. In this case, the Reason
|
|
must be set to `InvalidKind` and the Message of the Condition must explain which
|
|
kind of resource is unknown or unsupported.
|
|
|
|
* It refers to a resource in another namespace. This may change in future
|
|
spec updates.
|
|
|
|
Implementations MAY choose to perform further validation of the certificate
|
|
content (e.g., checking expiry or enforcing specific formats). In such cases,
|
|
an implementation-specific Reason and Message must be set for the invalid reference.
|
|
|
|
In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
|
|
the BackendTLSPolicy is set to `status: False`, with a Reason and Message
|
|
that indicate the cause of the error. Connections using an invalid
|
|
CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
|
|
response. If ALL CACertificateRefs are invalid, the implementation MUST also
|
|
ensure the `Accepted` Condition on the BackendTLSPolicy is set to
|
|
`status: False`, with a Reason `NoValidCACertificate`.
|
|
|
|
A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
|
|
Implementations MAY choose to support attaching multiple certificates to
|
|
a backend, but this behavior is implementation-specific.
|
|
|
|
Support: Core - An optional single reference to a Kubernetes ConfigMap,
|
|
with the CA certificate in a key named `ca.crt`.
|
|
|
|
Support: Implementation-specific - More than one reference, other kinds
|
|
of resources, or a single reference that includes multiple certificates.
|
|
items:
|
|
description: |-
|
|
LocalObjectReference identifies an API object within the namespace of the
|
|
referrer.
|
|
The API object must be valid in the cluster; the Group and Kind must
|
|
be registered in the cluster for this reference to be valid.
|
|
|
|
References to objects with invalid Group and Kind are not valid, and must
|
|
be rejected by the implementation, with appropriate Conditions set
|
|
on the containing object.
|
|
properties:
|
|
group:
|
|
description: |-
|
|
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
|
When unspecified or empty string, core API group is inferred.
|
|
maxLength: 253
|
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
kind:
|
|
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
type: string
|
|
name:
|
|
description: Name is the name of the referent.
|
|
maxLength: 253
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- name
|
|
type: object
|
|
maxItems: 8
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
hostname:
|
|
description: |-
|
|
Hostname is used for two purposes in the connection between Gateways and
|
|
backends:
|
|
|
|
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
|
|
2. Hostname MUST be used for authentication and MUST match the certificate
|
|
served by the matching backend, unless SubjectAltNames is specified.
|
|
3. If SubjectAltNames are specified, Hostname can be used for certificate selection
|
|
but MUST NOT be used for authentication. If you want to use the value
|
|
of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
subjectAltNames:
|
|
description: |-
|
|
SubjectAltNames contains one or more Subject Alternative Names.
|
|
When specified the certificate served from the backend MUST
|
|
have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
|
|
|
|
Support: Extended
|
|
items:
|
|
description: SubjectAltName represents Subject Alternative Name.
|
|
properties:
|
|
hostname:
|
|
description: |-
|
|
Hostname contains Subject Alternative Name specified in DNS name format.
|
|
Required when Type is set to Hostname, ignored otherwise.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type determines the format of the Subject Alternative Name. Always required.
|
|
|
|
Support: Core
|
|
enum:
|
|
- Hostname
|
|
- URI
|
|
type: string
|
|
uri:
|
|
description: |-
|
|
URI contains Subject Alternative Name specified in a full URI format.
|
|
It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
|
|
Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
|
|
Required when Type is set to URI, ignored otherwise.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
|
|
type: string
|
|
required:
|
|
- type
|
|
type: object
|
|
x-kubernetes-validations:
|
|
- message: SubjectAltName element must contain Hostname, if Type is set to Hostname
|
|
rule: '!(self.type == "Hostname" && (!has(self.hostname) || self.hostname == ""))'
|
|
- message: SubjectAltName element must not contain Hostname, if Type is not set to Hostname
|
|
rule: '!(self.type != "Hostname" && has(self.hostname) && self.hostname != "")'
|
|
- message: SubjectAltName element must contain URI, if Type is set to URI
|
|
rule: '!(self.type == "URI" && (!has(self.uri) || self.uri == ""))'
|
|
- message: SubjectAltName element must not contain URI, if Type is not set to URI
|
|
rule: '!(self.type != "URI" && has(self.uri) && self.uri != "")'
|
|
maxItems: 5
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
wellKnownCACertificates:
|
|
description: |-
|
|
WellKnownCACertificates specifies whether system CA certificates may be used in
|
|
the TLS handshake between the gateway and backend pod.
|
|
|
|
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
|
|
must be specified with at least one entry for a valid configuration. Only one of
|
|
CACertificateRefs or WellKnownCACertificates may be specified, not both.
|
|
If an implementation does not support the WellKnownCACertificates field, or
|
|
the supplied value is not recognized, the implementation MUST ensure the
|
|
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
|
|
a Reason `Invalid`.
|
|
|
|
Support: Implementation-specific
|
|
enum:
|
|
- System
|
|
type: string
|
|
required:
|
|
- hostname
|
|
type: object
|
|
x-kubernetes-validations:
|
|
- message: must not contain both CACertificateRefs and WellKnownCACertificates
|
|
rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")'
|
|
- message: must specify either CACertificateRefs or WellKnownCACertificates
|
|
rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")
|
|
required:
|
|
- targetRefs
|
|
- validation
|
|
type: object
|
|
status:
|
|
description: Status defines the current state of BackendTLSPolicy.
|
|
properties:
|
|
ancestors:
|
|
description: |-
|
|
Ancestors is a list of ancestor resources (usually Gateways) that are
|
|
associated with the policy, and the status of the policy with respect to
|
|
each ancestor. When this policy attaches to a parent, the controller that
|
|
manages the parent and the ancestors MUST add an entry to this list when
|
|
the controller first sees the policy and SHOULD update the entry as
|
|
appropriate when the relevant ancestor is modified.
|
|
|
|
Note that choosing the relevant ancestor is left to the Policy designers;
|
|
an important part of Policy design is designing the right object level at
|
|
which to namespace this status.
|
|
|
|
Note also that implementations MUST ONLY populate ancestor status for
|
|
the Ancestor resources they are responsible for. Implementations MUST
|
|
use the ControllerName field to uniquely identify the entries in this list
|
|
that they are responsible for.
|
|
|
|
Note that to achieve this, the list of PolicyAncestorStatus structs
|
|
MUST be treated as a map with a composite key, made up of the AncestorRef
|
|
and ControllerName fields combined.
|
|
|
|
A maximum of 16 ancestors will be represented in this list. An empty list
|
|
means the Policy is not relevant for any ancestors.
|
|
|
|
If this slice is full, implementations MUST NOT add further entries.
|
|
Instead they MUST consider the policy unimplementable and signal that
|
|
on any related resources such as the ancestor that would be referenced
|
|
here. For example, if this list was full on BackendTLSPolicy, no
|
|
additional Gateways would be able to reference the Service targeted by
|
|
the BackendTLSPolicy.
|
|
items:
|
|
description: |-
|
|
PolicyAncestorStatus describes the status of a route with respect to an
|
|
associated Ancestor.
|
|
|
|
Ancestors refer to objects that are either the Target of a policy or above it
|
|
in terms of object hierarchy. For example, if a policy targets a Service, the
|
|
Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
|
|
the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
|
|
useful object to place Policy status on, so we recommend that implementations
|
|
SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
|
|
have a _very_ good reason otherwise.
|
|
|
|
In the context of policy attachment, the Ancestor is used to distinguish which
|
|
resource results in a distinct application of this policy. For example, if a policy
|
|
targets a Service, it may have a distinct result per attached Gateway.
|
|
|
|
Policies targeting the same resource may have different effects depending on the
|
|
ancestors of those resources. For example, different Gateways targeting the same
|
|
Service may have different capabilities, especially if they have different underlying
|
|
implementations.
|
|
|
|
For example, in BackendTLSPolicy, the Policy attaches to a Service that is
|
|
used as a backend in a HTTPRoute that is itself attached to a Gateway.
|
|
In this case, the relevant object for status is the Gateway, and that is the
|
|
ancestor object referred to in this status.
|
|
|
|
Note that a parent is also an ancestor, so for objects where the parent is the
|
|
relevant object for status, this struct SHOULD still be used.
|
|
|
|
This struct is intended to be used in a slice that's effectively a map,
|
|
with a composite key made up of the AncestorRef and the ControllerName.
|
|
properties:
|
|
ancestorRef:
|
|
description: |-
|
|
AncestorRef corresponds with a ParentRef in the spec that this
|
|
PolicyAncestorStatus struct describes the status of.
|
|
properties:
|
|
group:
|
|
default: gateway.networking.k8s.io
|
|
description: |-
|
|
Group is the group of the referent.
|
|
When unspecified, "gateway.networking.k8s.io" is inferred.
|
|
To set the core API group (such as for a "Service" kind referent),
|
|
Group must be explicitly set to "" (empty string).
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
kind:
|
|
default: Gateway
|
|
description: |-
|
|
Kind is kind of the referent.
|
|
|
|
There are two kinds of parent resources with "Core" support:
|
|
|
|
* Gateway (Gateway conformance profile)
|
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|
|
|
Support for other resources is Implementation-Specific.
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the referent.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace is the namespace of the referent. When unspecified, this refers
|
|
to the local namespace of the Route.
|
|
|
|
Note that there are specific rules for ParentRefs which cross namespace
|
|
boundaries. Cross-namespace references are only valid if they are explicitly
|
|
allowed by something in the namespace they are referring to. For example:
|
|
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
|
|
generic way to enable any other kind of cross-namespace reference.
|
|
|
|
Support: Core
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
type: string
|
|
port:
|
|
description: |-
|
|
Port is the network port this Route targets. It can be interpreted
|
|
differently based on the type of parent resource.
|
|
|
|
When the parent resource is a Gateway, this targets all listeners
|
|
listening on the specified port that also support this kind of Route(and
|
|
select this Route). It's not recommended to set `Port` unless the
|
|
networking behaviors specified in a Route must apply to a specific port
|
|
as opposed to a listener(s) whose port(s) may be changed. When both Port
|
|
and SectionName are specified, the name and port of the selected listener
|
|
must match both specified values.
|
|
|
|
Implementations MAY choose to support other parent resources.
|
|
Implementations supporting other types of parent resources MUST clearly
|
|
document how/if Port is interpreted.
|
|
|
|
For the purpose of status, an attachment is considered successful as
|
|
long as the parent resource accepts it partially. For example, Gateway
|
|
listeners can restrict which Routes can attach to them by Route kind,
|
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
|
|
from the referencing Route, the Route MUST be considered successfully
|
|
attached. If no Gateway listeners accept attachment from this Route,
|
|
the Route MUST be considered detached from the Gateway.
|
|
|
|
Support: Extended
|
|
format: int32
|
|
maximum: 65535
|
|
minimum: 1
|
|
type: integer
|
|
sectionName:
|
|
description: |-
|
|
SectionName is the name of a section within the target resource. In the
|
|
following resources, SectionName is interpreted as the following:
|
|
|
|
* Gateway: Listener name. When both Port (experimental) and SectionName
|
|
are specified, the name and port of the selected listener must match
|
|
both specified values.
|
|
* Service: Port name. When both Port (experimental) and SectionName
|
|
are specified, the name and port of the selected listener must match
|
|
both specified values.
|
|
|
|
Implementations MAY choose to support attaching Routes to other resources.
|
|
If that is the case, they MUST clearly document how SectionName is
|
|
interpreted.
|
|
|
|
When unspecified (empty string), this will reference the entire resource.
|
|
For the purpose of status, an attachment is considered successful if at
|
|
least one section in the parent resource accepts it. For example, Gateway
|
|
listeners can restrict which Routes can attach to them by Route kind,
|
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
|
|
the referencing Route, the Route MUST be considered successfully
|
|
attached. If no Gateway listeners accept attachment from this Route, the
|
|
Route MUST be considered detached from the Gateway.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
conditions:
|
|
description: Conditions describes the status of the Policy with respect to the given Ancestor.
|
|
items:
|
|
description: Condition contains details for one aspect of the current state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
maxItems: 8
|
|
minItems: 1
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
controllerName:
|
|
description: |-
|
|
ControllerName is a domain/path string that indicates the name of the
|
|
controller that wrote this status. This corresponds with the
|
|
controllerName field on GatewayClass.
|
|
|
|
Example: "example.net/gateway-controller".
|
|
|
|
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
|
|
valid Kubernetes names
|
|
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
|
|
|
|
Controllers MUST populate this field when writing status. Controllers should ensure that
|
|
entries to status populated with their ControllerName are cleaned up when they are no
|
|
longer necessary.
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
|
|
type: string
|
|
required:
|
|
- ancestorRef
|
|
- conditions
|
|
- controllerName
|
|
type: object
|
|
maxItems: 16
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- ancestors
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- deprecated: true
|
|
deprecationWarning: The v1alpha3 version of BackendTLSPolicy has been deprecated and will be removed in a future release of the API. Please upgrade to v1.
|
|
name: v1alpha3
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
BackendTLSPolicy provides a way to configure how a Gateway
|
|
connects to a Backend via TLS.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec defines the desired state of BackendTLSPolicy.
|
|
properties:
|
|
options:
|
|
additionalProperties:
|
|
description: |-
|
|
AnnotationValue is the value of an annotation in Gateway API. This is used
|
|
for validation of maps such as TLS options. This roughly matches Kubernetes
|
|
annotation validation, although the length validation in that case is based
|
|
on the entire size of the annotations struct.
|
|
maxLength: 4096
|
|
minLength: 0
|
|
type: string
|
|
description: |-
|
|
Options are a list of key/value pairs to enable extended TLS
|
|
configuration for each implementation. For example, configuring the
|
|
minimum TLS version or supported cipher suites.
|
|
|
|
A set of common keys MAY be defined by the API in the future. To avoid
|
|
any ambiguity, implementation-specific definitions MUST use
|
|
domain-prefixed names, such as `example.com/my-custom-option`.
|
|
Un-prefixed names are reserved for key names defined by Gateway API.
|
|
|
|
Support: Implementation-specific
|
|
maxProperties: 16
|
|
type: object
|
|
targetRefs:
|
|
description: |-
|
|
TargetRefs identifies an API object to apply the policy to.
|
|
Only Services have Extended support. Implementations MAY support
|
|
additional objects, with Implementation Specific support.
|
|
Note that this config applies to the entire referenced resource
|
|
by default, but this default may change in the future to provide
|
|
a more granular application of the policy.
|
|
|
|
TargetRefs must be _distinct_. This means either that:
|
|
|
|
* They select different targets. If this is the case, then targetRef
|
|
entries are distinct. In terms of fields, this means that the
|
|
multi-part key defined by `group`, `kind`, and `name` must
|
|
be unique across all targetRef entries in the BackendTLSPolicy.
|
|
* They select different sectionNames in the same target.
|
|
|
|
When more than one BackendTLSPolicy selects the same target and
|
|
sectionName, implementations MUST determine precedence using the
|
|
following criteria, continuing on ties:
|
|
|
|
* The older policy by creation timestamp takes precedence. For
|
|
example, a policy with a creation timestamp of "2021-07-15
|
|
01:02:03" MUST be given precedence over a policy with a
|
|
creation timestamp of "2021-07-15 01:02:04".
|
|
* The policy appearing first in alphabetical order by {name}.
|
|
For example, a policy named `bar` is given precedence over a
|
|
policy named `baz`.
|
|
|
|
For any BackendTLSPolicy that does not take precedence, the
|
|
implementation MUST ensure the `Accepted` Condition is set to
|
|
`status: False`, with Reason `Conflicted`.
|
|
|
|
Support: Extended for Kubernetes Service
|
|
|
|
Support: Implementation-specific for any other resource
|
|
items:
|
|
description: |-
|
|
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
|
|
direct policy to. This should be used as part of Policy resources that can
|
|
target single resources. For more information on how this policy attachment
|
|
mode works, and a sample Policy resource, refer to the policy attachment
|
|
documentation for Gateway API.
|
|
|
|
Note: This should only be used for direct policy attachment when references
|
|
to SectionName are actually needed. In all other cases,
|
|
LocalPolicyTargetReference should be used.
|
|
properties:
|
|
group:
|
|
description: Group is the group of the target resource.
|
|
maxLength: 253
|
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
kind:
|
|
description: Kind is kind of the target resource.
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
type: string
|
|
name:
|
|
description: Name is the name of the target resource.
|
|
maxLength: 253
|
|
minLength: 1
|
|
type: string
|
|
sectionName:
|
|
description: |-
|
|
SectionName is the name of a section within the target resource. When
|
|
unspecified, this targetRef targets the entire resource. In the following
|
|
resources, SectionName is interpreted as the following:
|
|
|
|
* Gateway: Listener name
|
|
* HTTPRoute: HTTPRouteRule name
|
|
* Service: Port name
|
|
|
|
If a SectionName is specified, but does not exist on the targeted object,
|
|
the Policy must fail to attach, and the policy implementation should record
|
|
a `ResolvedRefs` or similar Condition in the Policy's status.
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- name
|
|
type: object
|
|
maxItems: 16
|
|
minItems: 1
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
x-kubernetes-validations:
|
|
- message: sectionName must be specified when targetRefs includes 2 or more references to the same target
|
|
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) : true))'
|
|
- message: sectionName must be unique when targetRefs includes 2 or more references to the same target
|
|
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))
|
|
validation:
|
|
description: Validation contains backend TLS validation configuration.
|
|
properties:
|
|
caCertificateRefs:
|
|
description: |-
|
|
CACertificateRefs contains one or more references to Kubernetes objects that
|
|
contain a PEM-encoded TLS CA certificate bundle, which is used to
|
|
validate a TLS handshake between the Gateway and backend Pod.
|
|
|
|
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
|
|
specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
|
|
not both. If CACertificateRefs is empty or unspecified, the configuration for
|
|
WellKnownCACertificates MUST be honored instead if supported by the implementation.
|
|
|
|
A CACertificateRef is invalid if:
|
|
|
|
* It refers to a resource that cannot be resolved (e.g., the referenced resource
|
|
does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
|
|
named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
|
|
and the Message of the Condition must indicate which reference is invalid and why.
|
|
|
|
* It refers to an unknown or unsupported kind of resource. In this case, the Reason
|
|
must be set to `InvalidKind` and the Message of the Condition must explain which
|
|
kind of resource is unknown or unsupported.
|
|
|
|
* It refers to a resource in another namespace. This may change in future
|
|
spec updates.
|
|
|
|
Implementations MAY choose to perform further validation of the certificate
|
|
content (e.g., checking expiry or enforcing specific formats). In such cases,
|
|
an implementation-specific Reason and Message must be set for the invalid reference.
|
|
|
|
In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
|
|
the BackendTLSPolicy is set to `status: False`, with a Reason and Message
|
|
that indicate the cause of the error. Connections using an invalid
|
|
CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
|
|
response. If ALL CACertificateRefs are invalid, the implementation MUST also
|
|
ensure the `Accepted` Condition on the BackendTLSPolicy is set to
|
|
`status: False`, with a Reason `NoValidCACertificate`.
|
|
|
|
A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
|
|
Implementations MAY choose to support attaching multiple certificates to
|
|
a backend, but this behavior is implementation-specific.
|
|
|
|
Support: Core - An optional single reference to a Kubernetes ConfigMap,
|
|
with the CA certificate in a key named `ca.crt`.
|
|
|
|
Support: Implementation-specific - More than one reference, other kinds
|
|
of resources, or a single reference that includes multiple certificates.
|
|
items:
|
|
description: |-
|
|
LocalObjectReference identifies an API object within the namespace of the
|
|
referrer.
|
|
The API object must be valid in the cluster; the Group and Kind must
|
|
be registered in the cluster for this reference to be valid.
|
|
|
|
References to objects with invalid Group and Kind are not valid, and must
|
|
be rejected by the implementation, with appropriate Conditions set
|
|
on the containing object.
|
|
properties:
|
|
group:
|
|
description: |-
|
|
Group is the group of the referent. For example, "gateway.networking.k8s.io".
|
|
When unspecified or empty string, core API group is inferred.
|
|
maxLength: 253
|
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
kind:
|
|
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
type: string
|
|
name:
|
|
description: Name is the name of the referent.
|
|
maxLength: 253
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- name
|
|
type: object
|
|
maxItems: 8
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
hostname:
|
|
description: |-
|
|
Hostname is used for two purposes in the connection between Gateways and
|
|
backends:
|
|
|
|
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
|
|
2. Hostname MUST be used for authentication and MUST match the certificate
|
|
served by the matching backend, unless SubjectAltNames is specified.
|
|
3. If SubjectAltNames are specified, Hostname can be used for certificate selection
|
|
but MUST NOT be used for authentication. If you want to use the value
|
|
of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
subjectAltNames:
|
|
description: |-
|
|
SubjectAltNames contains one or more Subject Alternative Names.
|
|
When specified the certificate served from the backend MUST
|
|
have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
|
|
|
|
Support: Extended
|
|
items:
|
|
description: SubjectAltName represents Subject Alternative Name.
|
|
properties:
|
|
hostname:
|
|
description: |-
|
|
Hostname contains Subject Alternative Name specified in DNS name format.
|
|
Required when Type is set to Hostname, ignored otherwise.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type determines the format of the Subject Alternative Name. Always required.
|
|
|
|
Support: Core
|
|
enum:
|
|
- Hostname
|
|
- URI
|
|
type: string
|
|
uri:
|
|
description: |-
|
|
URI contains Subject Alternative Name specified in a full URI format.
|
|
It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
|
|
Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
|
|
Required when Type is set to URI, ignored otherwise.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
|
|
type: string
|
|
required:
|
|
- type
|
|
type: object
|
|
x-kubernetes-validations:
|
|
- message: SubjectAltName element must contain Hostname, if Type is set to Hostname
|
|
rule: '!(self.type == "Hostname" && (!has(self.hostname) || self.hostname == ""))'
|
|
- message: SubjectAltName element must not contain Hostname, if Type is not set to Hostname
|
|
rule: '!(self.type != "Hostname" && has(self.hostname) && self.hostname != "")'
|
|
- message: SubjectAltName element must contain URI, if Type is set to URI
|
|
rule: '!(self.type == "URI" && (!has(self.uri) || self.uri == ""))'
|
|
- message: SubjectAltName element must not contain URI, if Type is not set to URI
|
|
rule: '!(self.type != "URI" && has(self.uri) && self.uri != "")'
|
|
maxItems: 5
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
wellKnownCACertificates:
|
|
description: |-
|
|
WellKnownCACertificates specifies whether system CA certificates may be used in
|
|
the TLS handshake between the gateway and backend pod.
|
|
|
|
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
|
|
must be specified with at least one entry for a valid configuration. Only one of
|
|
CACertificateRefs or WellKnownCACertificates may be specified, not both.
|
|
If an implementation does not support the WellKnownCACertificates field, or
|
|
the supplied value is not recognized, the implementation MUST ensure the
|
|
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
|
|
a Reason `Invalid`.
|
|
|
|
Support: Implementation-specific
|
|
enum:
|
|
- System
|
|
type: string
|
|
required:
|
|
- hostname
|
|
type: object
|
|
x-kubernetes-validations:
|
|
- message: must not contain both CACertificateRefs and WellKnownCACertificates
|
|
rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")'
|
|
- message: must specify either CACertificateRefs or WellKnownCACertificates
|
|
rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")
|
|
required:
|
|
- targetRefs
|
|
- validation
|
|
type: object
|
|
status:
|
|
description: Status defines the current state of BackendTLSPolicy.
|
|
properties:
|
|
ancestors:
|
|
description: |-
|
|
Ancestors is a list of ancestor resources (usually Gateways) that are
|
|
associated with the policy, and the status of the policy with respect to
|
|
each ancestor. When this policy attaches to a parent, the controller that
|
|
manages the parent and the ancestors MUST add an entry to this list when
|
|
the controller first sees the policy and SHOULD update the entry as
|
|
appropriate when the relevant ancestor is modified.
|
|
|
|
Note that choosing the relevant ancestor is left to the Policy designers;
|
|
an important part of Policy design is designing the right object level at
|
|
which to namespace this status.
|
|
|
|
Note also that implementations MUST ONLY populate ancestor status for
|
|
the Ancestor resources they are responsible for. Implementations MUST
|
|
use the ControllerName field to uniquely identify the entries in this list
|
|
that they are responsible for.
|
|
|
|
Note that to achieve this, the list of PolicyAncestorStatus structs
|
|
MUST be treated as a map with a composite key, made up of the AncestorRef
|
|
and ControllerName fields combined.
|
|
|
|
A maximum of 16 ancestors will be represented in this list. An empty list
|
|
means the Policy is not relevant for any ancestors.
|
|
|
|
If this slice is full, implementations MUST NOT add further entries.
|
|
Instead they MUST consider the policy unimplementable and signal that
|
|
on any related resources such as the ancestor that would be referenced
|
|
here. For example, if this list was full on BackendTLSPolicy, no
|
|
additional Gateways would be able to reference the Service targeted by
|
|
the BackendTLSPolicy.
|
|
items:
|
|
description: |-
|
|
PolicyAncestorStatus describes the status of a route with respect to an
|
|
associated Ancestor.
|
|
|
|
Ancestors refer to objects that are either the Target of a policy or above it
|
|
in terms of object hierarchy. For example, if a policy targets a Service, the
|
|
Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
|
|
the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
|
|
useful object to place Policy status on, so we recommend that implementations
|
|
SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
|
|
have a _very_ good reason otherwise.
|
|
|
|
In the context of policy attachment, the Ancestor is used to distinguish which
|
|
resource results in a distinct application of this policy. For example, if a policy
|
|
targets a Service, it may have a distinct result per attached Gateway.
|
|
|
|
Policies targeting the same resource may have different effects depending on the
|
|
ancestors of those resources. For example, different Gateways targeting the same
|
|
Service may have different capabilities, especially if they have different underlying
|
|
implementations.
|
|
|
|
For example, in BackendTLSPolicy, the Policy attaches to a Service that is
|
|
used as a backend in a HTTPRoute that is itself attached to a Gateway.
|
|
In this case, the relevant object for status is the Gateway, and that is the
|
|
ancestor object referred to in this status.
|
|
|
|
Note that a parent is also an ancestor, so for objects where the parent is the
|
|
relevant object for status, this struct SHOULD still be used.
|
|
|
|
This struct is intended to be used in a slice that's effectively a map,
|
|
with a composite key made up of the AncestorRef and the ControllerName.
|
|
properties:
|
|
ancestorRef:
|
|
description: |-
|
|
AncestorRef corresponds with a ParentRef in the spec that this
|
|
PolicyAncestorStatus struct describes the status of.
|
|
properties:
|
|
group:
|
|
default: gateway.networking.k8s.io
|
|
description: |-
|
|
Group is the group of the referent.
|
|
When unspecified, "gateway.networking.k8s.io" is inferred.
|
|
To set the core API group (such as for a "Service" kind referent),
|
|
Group must be explicitly set to "" (empty string).
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
kind:
|
|
default: Gateway
|
|
description: |-
|
|
Kind is kind of the referent.
|
|
|
|
There are two kinds of parent resources with "Core" support:
|
|
|
|
* Gateway (Gateway conformance profile)
|
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|
|
|
Support for other resources is Implementation-Specific.
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the referent.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace is the namespace of the referent. When unspecified, this refers
|
|
to the local namespace of the Route.
|
|
|
|
Note that there are specific rules for ParentRefs which cross namespace
|
|
boundaries. Cross-namespace references are only valid if they are explicitly
|
|
allowed by something in the namespace they are referring to. For example:
|
|
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
|
|
generic way to enable any other kind of cross-namespace reference.
|
|
|
|
Support: Core
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
type: string
|
|
port:
|
|
description: |-
|
|
Port is the network port this Route targets. It can be interpreted
|
|
differently based on the type of parent resource.
|
|
|
|
When the parent resource is a Gateway, this targets all listeners
|
|
listening on the specified port that also support this kind of Route(and
|
|
select this Route). It's not recommended to set `Port` unless the
|
|
networking behaviors specified in a Route must apply to a specific port
|
|
as opposed to a listener(s) whose port(s) may be changed. When both Port
|
|
and SectionName are specified, the name and port of the selected listener
|
|
must match both specified values.
|
|
|
|
Implementations MAY choose to support other parent resources.
|
|
Implementations supporting other types of parent resources MUST clearly
|
|
document how/if Port is interpreted.
|
|
|
|
For the purpose of status, an attachment is considered successful as
|
|
long as the parent resource accepts it partially. For example, Gateway
|
|
listeners can restrict which Routes can attach to them by Route kind,
|
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
|
|
from the referencing Route, the Route MUST be considered successfully
|
|
attached. If no Gateway listeners accept attachment from this Route,
|
|
the Route MUST be considered detached from the Gateway.
|
|
|
|
Support: Extended
|
|
format: int32
|
|
maximum: 65535
|
|
minimum: 1
|
|
type: integer
|
|
sectionName:
|
|
description: |-
|
|
SectionName is the name of a section within the target resource. In the
|
|
following resources, SectionName is interpreted as the following:
|
|
|
|
* Gateway: Listener name. When both Port (experimental) and SectionName
|
|
are specified, the name and port of the selected listener must match
|
|
both specified values.
|
|
* Service: Port name. When both Port (experimental) and SectionName
|
|
are specified, the name and port of the selected listener must match
|
|
both specified values.
|
|
|
|
Implementations MAY choose to support attaching Routes to other resources.
|
|
If that is the case, they MUST clearly document how SectionName is
|
|
interpreted.
|
|
|
|
When unspecified (empty string), this will reference the entire resource.
|
|
For the purpose of status, an attachment is considered successful if at
|
|
least one section in the parent resource accepts it. For example, Gateway
|
|
listeners can restrict which Routes can attach to them by Route kind,
|
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
|
|
the referencing Route, the Route MUST be considered successfully
|
|
attached. If no Gateway listeners accept attachment from this Route, the
|
|
Route MUST be considered detached from the Gateway.
|
|
|
|
Support: Core
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
conditions:
|
|
description: Conditions describes the status of the Policy with respect to the given Ancestor.
|
|
items:
|
|
description: Condition contains details for one aspect of the current state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
maxItems: 8
|
|
minItems: 1
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
controllerName:
|
|
description: |-
|
|
ControllerName is a domain/path string that indicates the name of the
|
|
controller that wrote this status. This corresponds with the
|
|
controllerName field on GatewayClass.
|
|
|
|
Example: "example.net/gateway-controller".
|
|
|
|
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
|
|
valid Kubernetes names
|
|
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
|
|
|
|
Controllers MUST populate this field when writing status. Controllers should ensure that
|
|
entries to status populated with their ControllerName are cleaned up when they are no
|
|
longer necessary.
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
|
|
type: string
|
|
required:
|
|
- ancestorRef
|
|
- conditions
|
|
- controllerName
|
|
type: object
|
|
maxItems: 16
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- ancestors
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: false
|
|
storage: false
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: null
|
|
storedVersions: null
|